Consent Management Platform (CMP) for GDPR Compliance

IAB TCF framework CMP, Website Cookie Banner for IAB TCF v2, GDPR Compliance Solution for Publishers. Certified CMP Working with Prebid and Google. Protect and Increase Advertising Revenue.

General Data Protection Regulation (GDPR) Compliance

What is GDPR?

GDPR stands for the General Data Protection Regulation, an EU law that gives consumers more control over their personal information. Along with other privacy laws, it defines new rules for website tracking and tracking cookies on a large scale.

Most companies that do any business in the EU are aware of the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. Organizations found in non-compliance will face heavy fines: €20 million or 4 percent of global revenue/turnover per infraction. This could mean millions, or even billions, of dollars in fines for large companies. The stakes are high for everyone, and the GDPR cannot be ignored. UniConsent helps streamline the compliance process from the beginning and for the future.

Consent Law and GDPR Compliance

Ch. I, Art. 4(11); Ch. II, Art. 7, §§ 1-4. "Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided." Recital ¶ 32. Information supporting the consent must be "concise, easily accessible and easy to understand, and … clear and plain language and, additionally, where appropriate, visualisation [must] be used," where it is "difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising." Recital ¶ 58.

"Safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. … [A] declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment." Recital ¶ 42. "Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance." Recital ¶ 43, Ch. II, Art. 7, § 4.

"Scrolling down or swiping through terms and conditions which include declarations of consent (where a statement comes up on screen to alert the data subject that continuing to scroll will constitute consent) will not satisfy the requirement of a clear and affirmative action." - from the Article 29 Working Party.

Consent Law and GDPR Compliance Overview

Consent

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her.

Acceptable Forms of Consent

Valid and compliant user consent can be given, for example, by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.

Unacceptable Forms of Consent

Silence, pre-ticked boxes or inactivity should not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Clear, concise and understandable

Information supporting the consent must be concise, easily accessible and easy to understand. It must be presented using clear and plain language and, additionally, where appropriate, visualisation must be used, where it is difficult for the user to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising.

Appropriate Safeguards

Safeguards should ensure that the user is aware of the fact that and the extent to which consent is given. Declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the user should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the user has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

GDPR Compliance Caveats

Being compliant with the GDPR is not as easy as agreeing to terms and conditions. It involves much more than scrolling down or swiping through terms and conditions which include declarations of consent (where a statement comes up on screen to alert the data subject that continuing to scroll will constitute consent); this kind of setup will not satisfy the requirement of a clear and affirmative action for consent.

More GDPR Consent related articles

The Article 29 Working Party published final guidance on consent on April 10, 2018 by IAPP

Guide to the General Data Protection Regulation (GDPR) by ICO UK

What is valid consent? by ICO UK

Why is consent important? by ICO UK

What is the difference: UK GDPR vs EU GDPR

UniConsent Consent Manager for GDPR Compliance

  • Certified IAB CMP
  • Fully customisable multiple stages
  • One-tag Implementation
  • Google Tag Manager support
  • Tracking and insight
  • Multiple languages support
  • IAB TCF and Google DFP support
  • Prebid GDPR CMP API support
  • JavaScript tags blocking and cookies blocking
  • Cookies scan and disclosing
  • Certified by IAB Europe
  • Easy self-serve solution
  • Learn more from GDPR Summary

  • IAB registered consent manager for GDPR
  • IAB TCF V2 registered consent manager for GDPR
  • IAB TCF Canada registered consent manager
  • Google-certified CMP

Comply With Global Privacy Regulations

Trusted by 5000+ global publishers and marketers
  • sej
  • football365
  • sharethrough
  • districtm
  • pf1
  • tower cast

Get started making your website and application compliant with EU GDPR, US CPRA, CA PIPEDA, etc.
