On 30th September 2022, the German state Lower Saxony data protection authority (LfD Niedersachsen) released updated consent guidelines for the use of cookies and generally for the integration of third-party service providers on websites (Guidelines).
The DPA emphasized that the data subject’s prior consent is required for the use of non-essential cookies and similar tracking technologies. Such consent must be freely given, informed, specific and unambiguous. It highlighted the following principles that must be kept in consideration while obtaining consent from website users:
Prior Consent
The data subject’s consent must always be obtained prior to the activation of non-essential cookies and similar tracking technologies. It is often seen that websites display cookie consent banners after non-essential cookies have already been activated and dropped. Such a practice is not legally compliant as website operators must obtain user’s consent via the cookie consent banner before they technically activate any non-essential cookies and collect their personal data.
Informed Consent
Prior to obtaining the user’s consent, the user must be provided with the following minimum information:
- The data controller’s identity,
- The processing purposes,
- The data categories to be processed,
- The data controller’s intention of automated decision-making, if applicable,
- The data controller’s intention of cross-border data transfer, if applicable,
- The data subject’s right to withdraw consent, and
- The creation of user profiles and names of all third-party service providers that are involved in profiling, if applicable.
Website operators must ensure that all data processing purposes have been clearly and specifically described to the website user before they obtain their consent. This means that the use of ambiguous formulations such as the following are not sufficient in order to ensure that the users’ consent is informed:
- Cookies are used to optimize and improve the website for you,
- Cookies are used to improve your surfing experience, or
- Cookies are used to carry web analysis and advertising.
Affirmative Action
Consent must be indicated via clear affirmative action - the user’s declaration or behavior with which they clearly signal their intention to the intended processing of their personal data. One example of this is the user clicking an unchecked checkbox. On the contrary, scrolling through the website does not constitute a valid form of consent.
Moreover, texts such as “Agree”, “I Agree” or “Accept” are not considered sufficient if no other information is provided along with these texts/fields that can indicate to the user what specifically the consent is given for. To ensure that the data subject’s consent is unambiguous, preselected checkboxes should not be used, and website operators should provide the users with the option of giving separate consent for the activation of each non-essential cookie category based on its purpose.
Cookie Walls are Not Permitted
In order to ensure that the data subject’s consent is freely given, there must always remain a possibility for them to refuse and withdraw consent without facing any adverse consequences. Therefore, the use of cookie walls is not permitted. The use of cookie walls is permitted only where website users are provided equivalent alternative access to the website that does not require them to accept cookies.
In order to ensure that the data subject’s consent is freely given, there must always remain a possibility for them to refuse and withdraw consent without facing any adverse consequences. Therefore, the use of cookie walls is not permitted. The use of cookie walls is permitted only where website users are provided equivalent alternative access to the website that does not require them to accept cookies.
Easy Consent Withdrawal
The data subject should be able to withdraw consent as easily, and in the same manner, as consent is granted. The cookie consent banner must consist of an equally prominent “Reject” option along with the “Accept” option.
The DPA clarifies that the data subject must be informed of the possibility of withdrawing consent on the first information layer of the cookie consent banner. The consent withdrawal process should not be made unnecessarily complicated and the users should not be required to perform additional steps to withdraw consent. In this respect, controllers should refrain from using contact forms as a means of withdrawing consent as they require additional steps and information for the revocation of consent, which is also a violation of the data minimization principle, as codified under the GDPR.
Moreover, the consent withdrawal mechanism must be easily accessible to the website user so they can withdraw consent at any time without facing any adverse consequences. For example, a website operator may insert a link to the consent layer in the header or footer of the website, or in the information notice required under Article 13 of the GDPR.
Nudging is Not Permitted
Nudging refers to techniques that are intended to influence or manipulate a user's behavior or choices. An example of nudging would include designing the “Agree” button more conspicuously on the cookie banner than the “Reject” button with the help of color or font styles. Such a mechanism is not permitted as it pushes website users to make a certain choice and compromises the element of freely given consent.
Similarly, showing the cookie consent banner again once the user has already refused cookies with the intention that, sooner or later, the user will accept cookies is also a form of nudging and should not be implemented.
Consent for Data Processing of Minors
The DPA recommends that no non-essential cookies should be used on websites that are aimed directly at children. However, where non-essential cookies are used for such websites, consent must be obtained from the holders of parental authority in the case of personal data belonging to children under the age of 16. The website operators should utilize suitable online identity verification procedures to verify that such consent is actually given by the parents/legal guardians of the minors.
How Can You Demonstrate Compliance with Securiti?
Securiti’s Cookie Consent Solution helps organizations comply with applicable cookie consent legal requirements with the help of the following features:
- The implementation of an opt-in cookie consent banner and deactivation of non-essential cookies by default for the opt-in regime,
- The ability to design legally appropriate cookie consent banners, which provide all requisite information to users for consent to be informed and specific,
- The ability to design equally prominent accept and reject fields on the cookie consent banner,
- Configurable consent preference centers allowing granular consent opt-ins and opt-outs and honoring immediate consent revocations, and
- Updated and comprehensive consent records.
Ask for a DEMO to understand how Securiti can help you comply with cookie consent requirements of global privacy laws.
