The ÚOOÚ reminds organizations that the consent for the use of non-essential cookies must be freely given, specific, informed, unambiguous, and as per the requirements of the GDPR.
Freely Given Consent
Freely given consent implies real choice and control with the data subject. Consent is not valid where the user is forced to give consent or suffers negative consequences for not providing consent.
Moreover, website users must have the option to close the cookie consent banner without accepting cookies, for example, by clicking on the X button on the top right corner of the banner. If the user clicks on the X button with the intention of closing the banner, the website operator is not authorized to activate any non-essential cookies.
Purpose Specific Consent
Also, users must be able to consent to specific categories of cookies based on their purposes. The ÚOOÚ notes that consent is not considered freely given if the user is unable to grant separate consent for separate cookie purposes.
To ensure user transparency, the data controller must provide the following information to data subjects while obtaining their consent:
- The identity of the data controller,
- The purpose of all processing operations for which consent is required,
- The category of data to be obtained and used,
- The existence of the data subject’s right to withdraw consent,
- Information on the use of data for automated decision-making where applicable,
- Any possible risks associated with cross-border data transfer due to the absence of an adequacy decision and appropriate safeguards, and
- The list of all organizations with whom user’s personal data is shared via cookies. The list needs to be regularly updated so as to allow the data subject to grant consent for specific organizations.
The data subject’s consent must be clear and deliberate so that there remain no doubts about his/her intention. Moreover, all non-essential cookie categories, such as marketing and analytics, should be turned off by default.
Withdrawal of Consent
The data subject must have the right to withdraw consent at any time without any adverse consequences, and such an option should be easily accessible. The withdrawal of consent must be as easy for the user as giving consent, and consent withdrawal must not affect the lawfulness of prior data processing based on consent.
Use of Language and Colors on Banners
Data controllers must use appropriate and clearly understandable language on consent banners for the consent to be considered freely given and informed, and to not force users to consent.
The wording used on consent banners for obtaining consent must clearly denote users’ agreement. For this purpose, the ÚOOÚ emphasizes that the term “I Understand” is not recommended if the website drops non-essential cookies, and instead, unambiguous terms such as “I Agree” or “Accept” should be used so that the user would know that he/she has a choice and may express their consent unequivocally. However, the term “I understand” can be used if the website drops only essential cookies as it draws attention to this fact in order to increase transparency.
It is possible to not provide any “accept” field on the first information layer of the banner provided that the consent banner provides “Reject All” and an “Edit Settings” field that includes the option for the user to select all options.
Moreover, the colors of all fields on the consent banner must be the same so that the user is not instinctively prompted to click any of the options. For example, having an “Accept All” button in green and other options in red is not allowed because such a consent design would prompt the user to click on the “Accept All” option.
How Can You Demonstrate Compliance with Securiti?
Securiti’s Cookie Consent Solution helps organizations comply with cookie consent requirements with the help of the following features:
- The implementation of an opt-in cookie consent banner;
- The ability to design equally prominent accept and reject fields on the cookie consent banner;
- Configurable consent preference centers allowing granular consent opt-ins and opt-outs and honoring immediate consent revocations; and
- Updated and comprehensive consent records to help demonstrate compliance.
Ask for a DEMO today to understand how Securiti can help you comply with global data privacy laws.