Businesses must consider many legal provisions when it comes to compliance with global data privacy regimes. However, one requirement that appears in almost every data privacy and protection law is cookie and consent compliance. A business cannot begin to collect users’ data unless it knows what type of consent requirements apply to it. Some regulations, such as the European Union’s General Data Protection Regulation (EU GDPR), use opt-in consent, while other privacy laws, like the California Privacy Rights Act (CPRA), employ an opt-out approach to data collection and processing. Notably, there are now hundreds of countries that have data protection regulations, with each having different consent requirements.
Our legal and privacy experts at Securiti have created a global consent heat map of consent and cookie requirements covering 40+ jurisdictions (including the European Union), demarcating opt-in and opt-out regimes for each. Read to identify data privacy laws specific to your jurisdiction to understand and comply with all the consent requirements that apply therein.
Important Definitions
The following definitions were drawn up based on common consent requirements of major global privacy laws and regulations. For a more accurate understanding of these terms and their corresponding legal obligations, looking into the specific law and guidance relevant to your jurisdiction is recommended.
Opt-in Consent: The data subject consents before collecting and processing personal data. Opt-in consent is also referred to as prior consent.
Opt-out Consent: The data subject’s consent is assumed when collecting and processing their personal data, and the data subject is given the option to opt out of or object to such processing at that time. Opt-out consent is also referred to as implied consent.
Freely-given Consent: The data subject can refuse or withdraw consent and change their consent preferences at any time, without any detriment. Consent is considered freely given if it has been obtained fairly and the data subject suffers no adverse consequences for refusing it.
Specific Consent: The data subject’s consent is limited to a specific purpose or a specific data processing activity. Where a service involves multiple processing operations for more than one purpose, the data subject must be able to freely choose specific purposes rather than consenting to a bundle of processing purposes.
Informed Consent: The data subject has been adequately informed about the potential risks and consequences of granting or denying consent when collecting and processing personal data.
Unambiguous Consent: The data subject gives consent explicitly and clearly. No dark patterns have been used to design, modify, or manipulate a user interface with the purpose or substantial effect of impairing a data subject’s choice to provide consent.
Explicit Consent: The data subject provides an express statement of consent or expressly confirms consent in a written statement. In the digital or online context, a data subject can issue the required statement by filling out an electronic form, sending an email, uploading a scanned document carrying the signature of the data subject, or using an electronic signature. Explicit consent may also be obtained via oral statements, telephone conversations, or a two-stage verification process. Explicit consent is also referred to as express consent.
Written Consent: The data subject expresses consent in writing. It can be written consent on paper containing the data subject’s handwritten signature or in the form of an electronic document with an electronic signature. The law may specify further requirements of written consent. It can also be referred to as consent in writing.
Understanding Cookie Consent Requirements Around the Globe
Andorra
Meaning of Consent
Consent means any manifestation of free, specific, informed, and unequivocal will by which the person accepts the processing of personal data concerning them through a statement or a clear affirmative action.
Consent as a Lawful Ground of Processing
Consent is a lawful ground for data processing. Processing is also lawful if one of the following conditions is met:
Processing necessary for the execution of a contract with the data subject or to apply pre-contractual measures at his request,
Necessary for compliance with a legal obligation,
Necessary to protect the vital interests of the data subject or another natural person,
Necessary for the public interest or in the exercise of public powers, or
Necessary for the controller's or a third party's legitimate interests, except where overridden by the interests or rights of the data subject (this provision does not apply to the processing carried out by public authorities in the exercise of their functions).
Specific Cookie Consent Requirement
User consent must always be obtained before the activation of non-essential cookies.
Users should also be informed of the existence of technical or strictly necessary cookies and their purposes.
There must be a cookie consent banner on the website's homepage consisting of an option to accept and reject cookies, a link to allow users to customize their cookie choices, and a link to the detailed cookie policy.
Relevant Legislation
Law 29/2021, of October 28, qualified as protection of personal data.
Any Additional Information
The data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the legality of processing based on consent before its withdrawal. Before consent is given, the person concerned must be informed of their right to withdraw consent. Consent withdrawal should be as easy as giving consent.
Explicit consent is required for the processing of sensitive personal data.
For children under the age of 16, processing is only considered lawful if consent has been given or authorized by the minor's legal representative. In these cases, the controller must verify that the consent was given or authorized by the minor's legal representative, taking into account the available technology.
Organizations are recommended to maintain consent records, including the status of a user's consent (i.e. whether they have accepted or rejected all cookies or customized them) and the date and time for the provision of consent.
Argentina
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be expressed in writing or by any other similar means, depending on the circumstances.
The request for obtaining consent must appear in a prominent and express manner.
Consent as a Lawful Ground of Processing
Consent is a lawful ground for data processing. Other lawful grounds include the following:
when the data is secured from the source of unrestricted public access,
when the data is collected for the performance of the duties inherent in the powers of the State,
when the processing of data consists of lists limited to:
Name,
National identity card number,
Tax or social security identification,
Occupation,
Birth date,
Domicile and telephone number.
when the data processing arises from a contractual relationship (either scientific or professional) of the data owner and is necessary for its development or fulfillment, or when it concerns transactions performed by financial entities and the information they receive from their clients (protected by banking secrecy rules).
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Argentina's Personal Data Protection Law No. 25.326.
Armenia
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
The data subject's consent shall be considered given, and the controller shall have the right to process where:
the concerned personal data is indicated in a document addressed to the controller and signed by the data subject, except for cases when the document, by its content, is an objection against the processing of personal data;
the controller has obtained data on the basis of an agreement concluded with the data subject and uses such data for the purposes prescribed in the agreement;
the data subject, voluntarily, for usage purposes, verbally transfers information on their personal data to the controller.
The data subjects shall give their consent in writing, orally (validated by reliable means that clearly attest to the data subject's consent regarding the use of their personal data), or electronically (validated by electronic digital signature).
Consent as a Lawful Ground of Processing
The processing of personal data shall be lawful where:
the data has been processed in observance of the requirements of the law, and the data subject has given their consent, except for cases directly provided for by the Law of the Republic of Armenia on Protection of Personal Data or any other law; or
the data being processed has been obtained from publicly available sources of personal data.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Law of the Republic of Armenia on Protection of Personal Data.
Any Additional Information
The data subject may give his or her consent in person or through a representative, where a power of attorney specifically provides for such a power.
The data subject has the right to withdraw his consent according to the Law of the Republic of Armenia on the Protection of Personal Data and in the cases and procedures provided for by other laws.
To obtain the data subject's written consent, the controller of personal data or the authorized person should notify the data subject of the intention to process data.
In case of incapacity or limited capacity of the data subject or being a minor under the age of 16, consent for processing his or her personal data shall be given by a legal representative of the data subject.
Australia
General Rule: Opt-out with exceptions
Exception
Opt-in consent is required for the collection, use, and disclosure of sensitive personal information.
Opt-in consent is required for a purpose that is "different" from the initial purpose for which the personal information was collected.
Meaning of Consent
Consent can be express or implied. Implied consent is valid only if the individual is provided with a clear and prominent opt-out facility, the opt-out is freely and easily available to the data subject and not bundled with other purposes, and the data subject is given information regarding what would happen if the data subject does not opt out and such consequences are not serious.
Consent as a Lawful Ground of Processing
Organizations must not collect personal data unless the data is reasonably necessary for or directly related to one or more of the entity's functions or activities.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available. However, in light of the Privacy Act and guidance on consent by the OAIC, organizations must display an adequate notification to website users before or at the time of the use of cookies and similar tracking technologies and collection of personal information about data subjects with such technologies.
Relevant Legislation
Australian Privacy Act.
Any Additional Information
Data controllers must inform users about the use of personal information/cookies, why they collect personal information, and how they use and disclose it.
The privacy policy must be available to all users at or prior to the collection of personal information. If that is not reasonably practicable, then the privacy policy must be available to all users as soon as the data has been collected.
Consent can be revoked at any time, free of charge.
Belgium
General Rule: Opt-in
Exception
Consent is not required when functional cookies are used, i.e., cookies that are absolutely necessary to:
provide a service expressly requested by the user or
send a communication via an electronic communications network.
Meaning of Consent
Consent must be a freely given, informed, specific, and unambiguous indication of the data subject's wishes whereby they, by a statement or by clear affirmative action, signify agreement to the processing of personal data relating to them.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Processing necessary for compliance with a legal obligation,
Processing is necessary in order to protect the vital interests of the data subject,
Processing necessary for the public interest or in the exercise of official authority, or
Processing is necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
Consent must be obtained prior to inserting or reading cookies. As long as a data subject does not give affirmative consent, the notice must remain visible and no non-functional cookies may be installed and/or read on the user's device.
Consent must be preceded by the provision of precise information to the data subject in relation to the identity of the data controller, the purposes pursued by the use of cookies and other tracers, the data collected and its uses, the lifespan of cookies, the rights of data subjects, including the right to withdraw consent, and the means of deletion of cookies and metafiles.
Data subjects must be able to give consent, at least, per each type of cookie in the first layer of the cookie banner. Data subjects could also be provided the option of making more granular choices per each individual cookie in the second layer of the banner. The Belgian DPA specifies that in certain cases (for example, taking into account developments in society, including the expectations of average Internet users who are ideally increasingly informed in IT and concerned about privacy), data subjects should be able to express consent individually by each cookie.
When the information collected and stored in a cookie and the information collected following the reading of a cookie are no longer necessary for the intended purpose, they must be deleted.
A data controller must not consider continual browsing of a webpage or acceptance of general terms and conditions as valid methods of obtaining consent. Similarly, valid consent cannot be deduced from a data subject's browser settings.
Data subjects must be provided with a cookie policy that provides concise information about the use of cookies or other tracers, the data processing activities of the controller, and the rights of the data subjects. Data controllers must ensure that the cookie policy is accessible to the data subjects, for example, by means of a hyperlink, and is available in different languages as per the intended audience.
Setting up cookie walls, a practice that consists of blocking access to a website or a mobile application for those who do not consent to the installation of non-functional cookies, is not considered GDPR compliant as it hinders free consent.
Data subjects' consent must be obtained before any social plugins can be enabled.
Relevant Legislation
Data Protection Act of 30 July 2018.
Any Additional Information
User-friendly solutions must be implemented so that a data subject can withdraw their consent at any time and as easily as they were able to give it.
The data controller must be able to demonstrate that they obtained valid consent from the data subject for the use of cookies or other trackers. This proof can be provided, in particular, by logs or other files keeping traces of transactions.
Brazil
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
free,
informed, and
unambiguous manifestation whereby the data subject agrees to the processing of her/his personal data for a given purpose.
Consent as a Lawful Ground of Processing
Processing of personal data can only be carried out on one of the following bases:
With the consent of the data subject,
For compliance with a legal or regulatory obligation of the controller,
By the public administration for the processing and shared use of data necessary for the execution of public policies,
For carrying out studies by research entities, ensuring, whenever possible, anonymization of personal data,
When necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject,
For the regular exercise of rights in judicial, administrative, or arbitration procedures,
For the protection of life or physical safety of the data subject or a third party,
To protect the health of the data subject (exclusively in a procedure carried out by health professionals, health services, or sanitary authorities),
When necessary to fulfill the legitimate interests of the controller or a third party (except when the data subject’s fundamental rights and liberties which require personal data protection prevail),
For the protection of credit, including as provided in specific legislation.
Specific Cookie Consent Requirement
Consent must be obtained for the use of non-essential cookies.
The first information layer of the cookie consent banner must consist of equally prominent Accept and Reject choices and a Manage Cookies option, taking the user to the second information layer (cookie policy).
The second information layer of the cookie consent banner must provide a description of cookie categories according to their uses and purposes, the retention periods, and whether or not personal data is shared with third parties, as well as granular options to opt-in and opt-out from various categories of cookies.
Legitimate interests can be an appropriate legal basis only for essential cookies and for audience measurement cookies where the processing is limited to the specific purpose of identifying patterns and trends based on aggregated data, no personal information is shared with third parties, no user profiles are formed, and there is minimal risk to data subjects.
Guidance by Brazil's data protection authority on cookies can be accessed here.
Relevant Legislation
Brazil's Lei Geral de Proteção de Dados Pessoais.
Canada
General Rule: Opt-in with exceptions
Exception
Consent can be opt-out (implied) in strictly defined circumstances. In making this determination, organizations need to take into account the sensitivity of the information and the reasonable expectations of the individual, both of which will depend on context.
Opt-in (express) consent, however, is required for collections, uses, or disclosures of personal information that generally involves sensitive personal information, is outside the reasonable expectations of the individual, and/or creates a meaningful residual risk of significant harm to data subjects.
Meaning of Consent
The consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose, and consequences of the collection, use, or disclosure of the personal information to which they are consenting.
Information must be provided in manageable and easily accessible ways to data subjects and data subjects must be allowed to withdraw consent.
Consent must be clear, free, informed and be given for specific purposes.
Consent as a Lawful Ground of Processing
Organizations may only collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
Subject to certain limited exceptions under the PIPEDA, a data subject's consent is required for the collection, use, and disclosure of personal information.
Specific Cookie Consent Requirement
Opt-out consent for online behavioral advertising can be considered acceptable if:
Individuals are made aware of the purposes at or before the collection of personal information and provided with information about the various parties involved,
Individuals are able to opt out easily, the opt-out takes effect immediately, and the opt-out is persistent,
The information collected and used is limited to the extent practicable to non-sensitive information, and
The information collected and used is destroyed as soon as possible or effectively de-identified.
If there is a use or disclosure a user would not reasonably expect to be occurring, such as certain sharing of information with a third party or the tracking of location, express consent would likely be required.
Relevant Legislation
Personal Information Protection and Electronic Documents Act (PIPEDA).
Any Additional Information
For a meaningful consent, data controllers must:
Allow individuals to control the level of detail they get and when,
Consider user-friendly processes,
Make consent an ongoing process by periodically reminding individuals about their privacy options, and
Be able to demonstrate compliance.
Canada (Quebec)
General Rule: Opt-in with exceptions
Exception
Opt-in consent is required:
For processing of sensitive personal information,
While using technologies that make it possible to identify a person, locate him/her, or perform profiling,
Where there is a risk of serious harm to the data subject from the intended use or disclosure of the data,
If data is used/processed for secondary purposes, i.e. purposes different than the purposes for which the data was originally collected and
For transfer of personal data to a third person, unless authorized by the law.
Consent can be implied only under certain circumstances if:
It does not pertain to sensitive information,
It does not conflict with the reasonable expectations of data subjects as per the context,
No risk of serious harm arises from the intended use or disclosure, and
If there is no use of personal information for secondary purposes.
Meaning of Consent
Unless the following conditions are met, consent has no effect:
Consent must be clear, free, and informed and must be given for specific purposes.
If the request for consent is made in writing, it must be presented separately from any other information provided to the person concerned.
If the person concerned so requests, assistance is provided to help him understand the scope of the consent requested.
Consent is valid only for the time necessary to achieve the purposes for which it was requested.
Consent as a Lawful Ground of Processing
Consent is a lawful ground for the collection, use, and disclosure of personal data. Other lawful grounds include when the personal information is used for:
Any purpose consistent with the purpose for which it was collected,
Preventing and detecting fraud, as well as assessing and improving protection and security measures,
Providing or delivering a product or service requested by the data subject,
Study, research, statistical purposes, and if the information is de-identified,
Compliance with legal obligations,
Communication in situations that threaten the life, health, or safety of the data subject,
Recovering debts on behalf of others when authorized by law and for the performance of duties,
Recovery of a claim of the enterprise,
Preventing, detecting, or addressing crimes or statutory offenses when there are reasonable grounds to believe such actions are necessary,
Preventing acts of violence or suicide when there is a reasonable belief of serious harm and a sense of urgency,
For archiving purposes and for research by archival agencies when specific time limits or document structures are met,
Fulfilling a mandate, performing a business contract, or providing services on behalf of an enterprise,
Concluding a commercial transaction or under a collective agreement and
Performance of official duties.
Collection of personal information from a third party without consent is permissible if:
The law authorizes so, or
There is a serious and legitimate reason, and either:
It is in the best interest of the person, and consent cannot be obtained from him in due time, or
it is necessary to ensure the accuracy of the information.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Act Respecting the Protection of Personal Information in the Private Sector (Quebec Privacy Act).
Any Additional Information
Organizations should take steps to mitigate consent fatigue, recognizing that individuals are frequently asked for their consent.
Organizations cannot assume consent; it must be actively and positively obtained. Methods that are considered invalid for obtaining clear consent because they do not unequivocally establish the person's intent include:
Use of pre-checked boxes,
Simply providing the possibility of subsequent refusal (opt-out),
Any deduction based on a person’s silence or inactivity, or
Any deduction related to a separate act of the person.
To ensure express consent, organizations must avoid presenting consent requests that could be confused with other actions an individual needs to perform, like acknowledging terms of use. Clear and distinct consent mechanisms should be in place to obtain explicit consent from the data subject.
Personal information concerning a minor under 14 years of age may not be collected from him without the consent of the person having parental authority or of the tutor unless collecting the information is clearly for the minor’s benefit.
When collecting personal information through technology, a person must create and publish a clear and simple privacy policy on the enterprise's website and share it with individuals. The same applies for notifying individuals about any changes to this policy.
When collecting personal information from individuals and subsequently upon request, the collector must provide them with the following information:
The purposes for which the information is collected,
The means by which the information is collected,
The rights of individuals to access and correct the information, as provided by law and
The individual's right to withdraw their consent to the communication or use of the information collected.
If applicable, the data subject must be informed of the name of the third person for whom the information is being collected, the name of the third person or categories of third persons to whom it is necessary to communicate the information, and the possibility that the information could be communicated outside Québec.
On request, the data subject must also be informed of:
The personal information collected from him,
The categories of persons who have access to the information within the enterprise,
The duration for which the information will be kept, and
The contact information of the person in charge of protecting personal information.
Chile
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be expressed.
The person who authorizes must be duly informed regarding the purpose of storing their personal data and its possible communication to the public.
The authorization must be in writing.
The authorization can be revoked without retroactive effect, which must also be done in writing.
Consent as a Lawful Ground of Processing
Consent is a lawful ground for data processing. Other circumstances that permit personal data processing include the following:
where the personal data comes from or is collected from publicly accessible sources,
where the personal data is of an economic, financial, banking, or commercial nature,
where the personal data is contained in lists relating to a category of persons that are limited to indicating background information such as the individual's membership in that group, their profession or activity, their educational qualifications, address or date of birth,
where the processing of personal data is necessary for direct response commercial communications, direct marketing, or sale of goods or services.
Specific Cookie Consent Requirement
A report titled X-Ray of E-Commerce, published by the Chile National Consumer Service, defines cookies as "information sent by a website and stored in the user's browser so that the website can consult the previous activity of the browser, remember access and/or learn information about browsing habits, among others".
As per the Report, website operators must inform users about the use of cookies and give them the option to accept or reject the use of cookies.
Learn more from their X-ray of E-commerce Report, available here.
China
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be informed (given with full knowledge), voluntary, and explicit.
Specific and separate consent must be obtained for separate data processing purposes, especially for the following:
Processing of sensitive personal data,
Providing personal data to a third party,
Publicizing personal data processed,
Using personal data which was collected for public security for any other purpose,
Transferring personal data outside China, and
Processing already-disclosed personal data where this has a significant impact on an individual's rights and interests.
Consent as a Lawful Ground of Processing
Personal data processing is lawful if any one of the following applies:
where the processing takes place with the consent of the individual,
where the processing is necessary for the performance of a contract to which the data subject is a party,
where the processing is necessary for the data controller to perform legal responsibilities or obligations,
where the processing is necessary to respond to a public health emergency or, in emergency situations, to protect the safety of individuals' health and property,
where the processing is carried out for the purposes of news reporting and media monitoring in the public interest,
where the personal data processed has already been disclosed by the individual or otherwise lawfully disclosed, or
any other circumstances required by law.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Personal Information Protection Law.
Any Additional Information
Organizations processing personal information need to consider the following basic principles when obtaining consent:
The scope of obtaining consent should not exceed the content of the notification,
Individuals should be supported in providing consent through their own operations, and pre-checked boxes should not be used,
Data subjects should be provided with a privacy notification at or prior to the time of consent collection and
Consent should be specific to particular processing purposes; individuals should not be required to consent to multiple processing activities at once.
The implementation guidelines provide further clarity on privacy notifications:
Information should be provided to data subjects about the processing activities, including their nature, means and purposes, and security measures employed,
Interactive interfaces should be used to communicate with data subjects,
The notification should be accurate and not use general and broad expressions and
The notification should conform to the data subjects' language habits and use common and unambiguous language, numbers, illustrations, etc.
Colombia
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be prior, expressly given, and informed.
Consent as a Lawful Ground of Processing
Consent is a lawful ground for data processing. Other lawful grounds include the following:
Processing of personal information required by a public or administrative entity in the exercise of its legal functions or by court order,
Processing of data of a public nature,
Processing of personal data in cases of medical or health emergency,
Treatment of information authorized by law for historical, statistical, or scientific purposes, and
Processing of data related to the civil registry of persons.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Law 1581/2012 Data Protection Law.
Czech Republic
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
The Office for Personal Data Protection ('UOOU') in the Czech Republic has published a list of frequently asked questions ('FAQs') on cookie consent banners. Under the FAQs:
Valid consent of users should be obtained prior to the activation of non-technical cookies.
Pre-set consent-friendly browser settings do not constitute valid consent.
The accept and reject buttons should be placed on the same layer of the consent banner (preferably the first layer) and in a comparable visual design.
Pre-ticked options should not be used on the consent banner.
Generally, 12 months may be considered a reasonable time for the validity of consent.
In case of refusal of consent, a consent banner should not be re-presented for at least 6 months after the last display; this period may be shortened if one or more processing circumstances have changed significantly or the operator is not able to monitor the previous consent choice.
A cookie consent banner should not be placed or designed in such a manner that it prevents interaction with the website and only collapses when a user has selected an option on the banner regarding their consent for the use of cookies.
Users should be able to revoke their consent at any time. Withdrawal of consent should be as easy as giving consent, such as through an easily accessible button or a link on the website.
Denmark
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
Under the Guidelines issued by the Danish Data Protection Authority on cookies in February 2020:
Consent to cookies must be voluntary, specific, informed, and active,
Users must be able to refuse cookies and withdraw their consent to cookies, and
Consent for the processing of any personal data must meet the requirements of the GDPR.
The Danish data protection authority also issued a Quick Guide on cookies on 12 February 2021, which outlines action items for organizations that make use of cookies.
Datatilsynet has specified that the use of cookie walls is permitted only where website users are provided equivalent non-tracking access to the website - such access may be charged a fee that is not unreasonably high.
Relevant Legislation
Data Protection Act No. 502 of 2018.
Any Additional Information
Organizations are not allowed to keep lists of individuals (or retain their personal data) once they have opted out - they must delete data that was processed on the basis of consent once the consent has been withdrawn, assuming that there is no other purpose justifying the continued retention.
Estonia
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
The Data Protection Inspectorate ('DPI') has specified that the requirements of the ePrivacy Directive must be followed in Estonia with respect to the use of cookies, including seeking valid consent prior to the activation of cookies.
Relevant Legislation
Personal Data Protection Act.
Any Additional Information
Users must be provided clear information on the types of cookies and the purposes of their use and be provided an option to opt-out.
Finland
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
The Finnish Transport and Communications Agency (Traficom) released guidance on the use of cookies:
Browser settings cannot be considered a sufficient indication of consent; consent for the use of cookies must be freely given, specific, informed, and unambiguous.
Users must be comprehensively informed of the use of cookies.
Controllers must be able to demonstrate that they have requested the data subject's consent to store and use cookies. The Guidance is available here.
Relevant Legislation
Finnish Data Protection Act 1050/2018.
France
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
The Guidelines issued by the French Data Protection Authority CNIL on 1 October 2020 require that:
The user must consent to the use of cookies by a clear positive act. Any action or inaction other than a positive act, such as simply navigating or browsing the website, does not constitute valid consent.
At the time consent is requested, all users must be informed of the purposes of the cookies and of their ability to refuse and withdraw consent.
The CNIL's Guidelines and recommendations are available here.
On 18 March 2021, the CNIL updated its Questions and Answers on its guidance on cookies, which can be accessed here.
The CNIL, in one of its rulings, has highlighted that users should be provided with equivalent accept and reject options on the cookie consent banner. Moreover, users should be adequately informed of the purposes of the cookies used, either on the first layer of the cookie banner or in the preference center.
Relevant Legislation
The Data Protection Act 2019 (Informatique et Libertés).
Germany
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
Germany's Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) requires data controllers to obtain data subjects' consent prior to the use of non-essential cookies and similar tracking technologies.
Websites must display clear and understandable information about the use and functionalities of cookies on consent banners, the first information layer of which can take the user to a more detailed policy for further information.
The District Court of Munich I has specified that the colors of all fields on the consent banner must be the same so that the user is not instinctively prompted to click any of the options.
The German state of Lower Saxony released guidelines on the use of cookies, highlighting the following:
the usage of texts such as “Agree” or “Accept” on a cookie banner is not considered sufficient if no other explanatory information is provided regarding what the consent is given for,
the data subject must be informed of their right to withdraw consent on the consent banner's first layer,
the consent banner must consist of equally prominent “Reject” and “Accept” options and
the use of nudging techniques that are intended to influence or manipulate a user's behavior or choices, such as making the “Agree” button more conspicuous on the cookie banner than the “Reject” button or showing the cookie banner again once the user has already refused cookies, is not permitted.
The Conference of Independent Data Protection Authorities (DSK) has specified that the use of cookie walls is permitted only where website users are provided equivalent non-tracking access to the website - such access may be charged a fee that is customary in the market.
Relevant Legislation
Federal Data Protection Act of 2017 (German Bundesdatenschutzgesetz).
Greece
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
The Guidelines issued by the Hellenic Data Protection Authority (February 25, 2020) require that:
Users must consent before cookies are placed (irrespective of whether or not processing of personal data takes place), and
Relevant Legislation
Law No. 4624/2019 on the Personal Data Protection Authority.
Hong Kong
General Rule: Opt-out with exceptions
Exception
Opt-in consent is required if you change the purpose of the use of personal data.
Opt-in consent is required for the use of personal data for direct marketing purposes.
Meaning of Consent
Consent means the express consent of the data subject, given voluntarily, which has not been withdrawn by the data subject in writing.
Consent as a Lawful Ground of Processing
In general, personal data should only be collected if:
It is necessary for a lawful purpose directly related to the function or activity of the organization.
It is in accordance with the purposes communicated to the data subject when personal data was collected.
Specific Cookie Consent Requirement
The Privacy Commissioner's guidance on Online Behavioural Tracking addresses the use of cookies to collect behavioral information. Under the guidelines, organizations are recommended to:
Pre-set a reasonable expiry date for cookies,
Encrypt the contents of cookies whenever appropriate, and
Not deploy techniques such as Flash/Zombie/super cookies that ignore browser settings on cookies - unless organizations can offer an option to the website users to disable or reject such cookies.
Relevant Legislation
Personal Data (Privacy) Ordinance.
Any Additional Information
Before the processing of personal data, data controllers have an obligation to inform data subjects of the following:
The purpose of processing personal data,
The recipients of the collected data,
Whether it is obligatory to supply the data,
The consequences of failing to supply the data,
A list of the data subjects’ rights,
The name or job title and address of the individual to whom requests for access or correction should be sent, and
The privacy policy.
Hungary
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
According to the Hungarian Cookie Order, organizations are required to collect informed consent before the use of any cookies. The guidelines are available here.
Relevant Legislation
Act CXII of 2011 on the right to informational self-determination and the freedom of information.
Iceland
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Act on Data Protection and the Processing of Personal Data (No 90 of 27 June 2018).
India
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent is not valid unless:
It is freely given - complies with the standard specified under the Indian Contract Act,
It is informed - the data subject has been provided the right information regarding the processing,
It is specific - the data subject can determine the scope of consent with respect to the purpose of processing,
It is clear - consent is indicated (through a meaningful affirmative action) in a given context, and
It is capable of being withdrawn - the data subject can easily withdraw his/her consent.
Consent as a Lawful Ground of Processing
Personal data may be processed with the consent of the data subject, or where such processing is necessary:
For the performance of any state function authorized by law,
Under any law for the time being in force made by the parliament or the state legislature,
For compliance with any order or judgment of any court or tribunal in India,
To respond to any medical emergency involving a threat to the life or a severe threat to the health of the data subject or any other individual,
To undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health or
To undertake any measure to ensure the safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Digital Personal Data Protection Act, 2023.
Any Additional Information
Every consent request to a data subject must be accompanied or preceded by a notice containing the following information:
The personal data being processed and the purposes for processing,
The manner in which the data subject can exercise the right to withdraw consent and the right to grievance redressal,
The manner in which the data subject may make a complaint to the Data Protection Board, and
The contact details of the DPO, where applicable, or of any other person authorized to respond to any communication from the data subject for the purpose of exercising his/her rights under the provisions of the DPDPA.
Data subjects must have the option to access the contents of the notice in English or any language specified in the Eighth Schedule to the Constitution of India.
Indonesia
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent should be freely given, informed, specific, and explicit.
Consent as a Lawful Ground of Processing
The controller should have a basis for processing personal data, which includes:
The data subject's explicit valid consent,
Fulfillment of obligations under a contract to which the data subject is a party, or to fulfill the request of the data subject when entering into a contract,
Fulfillment of legal obligations of the controller,
Fulfillment of the protection of vital interests of the data subject,
Implementation of tasks in the context of public interest, public services, or exercise of legal authority of the controller,
Fulfillment of other legitimate interests with due regard to the purposes, needs, and balance of the interests of the controller and rights of the data subject.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Personal Data Protection Law.
Any Additional Information
Consent must be obtained in writing and recorded; it may be obtained via either electronic or non-electronic means.
The data controller must stop the data processing no later than 3 days from the day it receives the data subject's request to withdraw consent.
The controller must be able to demonstrate compliance with consent requirements.
The following disclosures are necessary for obtaining consent:
The purpose of personal data processing,
The retention period of documents containing personal data,
The details regarding the information collected,
The period of personal data processing, and
The rights of the data subjects.
Ireland
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
As per the Guidance Note issued by the Data Protection Commission of Ireland on 6 April 2020:
Data controllers must obtain valid consent from users before the processing of nonessential cookies.
Equal prominence must be given to accept and reject options on cookie consent banners.
Data controllers must reaffirm the user's consent every six months.
Consent obtained must be specific to the cookie category based on purposes, and the duration of each cookie must be proportionate to its purpose.
Italy
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
As per the new guidelines issued by the Italian data protection authority on 10 July 2021, cookies or any other similar tracking technology should not be dropped on the website unless:
The user affirmatively accepts cookies.
Such consent must be:
Freely given,
Specific,
Informed and
Unequivocal.
Data Controllers must reaffirm a user's consent after at least six months. However, the consent banner may be presented earlier when the consent collection conditions have changed.
Japan
Exception
Opt-out consent can be relied upon for the transfer of personal information to third parties.
Personal information refers to information relating to a living individual that can identify specific individuals. The opt-out mechanism is not available for Personally Referable Information (PRI) or Sensitive Personal Information (SPI).
Meaning of Consent
Opt-in consent refers to explicit consent. It is essential for the use of Personally Referable Information and Sensitive Personal Information such as an individual's race, creed, social status, medical history, and criminal record.
An opt-out consent mechanism is permitted for the third-party transfer of personal data provided organizations provide adequate notice to data subjects as well as the regulatory authority PPC and allow data subjects to object or opt-out.
Consent as a Lawful Ground of Processing
Personal data must be processed only for the originally intended and disclosed purposes.
Specific Cookie Consent Requirement
Third-party cookies can be classified as Personally Referable Information under the Act on the Protection of Personal Information because, when combined with identifiers and other information received by the servers, they can be used to build profiles of website users and identify them. The same applies to IP addresses, location data, information exchanged on data management platforms that contains identifier information, and similar tracking technologies.
An opt-in consent banner is recommended for companies making use of Personally Referable Information, third-party advertising cookies (cookies related to targeted advertisements and marketing), and social plugin tracking cookies.
Relevant Legislation
Act on the Protection of Personal Information (Act No. 57 of 2003).
Any Additional Information
Organizations must not use deception or any fraudulent means to obtain the data subject's consent.
Organizations must provide adequate notice to data subjects and the option to object or opt-out before transferring their personal information to third parties.
Opt-in consent must be obtained for the use of any personally referable information - information which, when linked with additional data elements or identifiers, is able to identify individuals.
Latvia
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
Under the Latvian Law on Information Society Services, cookies can only be placed on the user's terminal equipment/device after the user has been provided with clear and comprehensive information about the purposes of the processing and has consented to that use.
Relevant Legislation
Personal Data Processing Law of 21 June 2018.
Lithuania
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
Under Lithuania's Law on Electronic Communications, explicit consent is required before the processing of cookies. As per the Recommendations issued by the Inspectorate:
Organizations must obtain consent before the use and storage of cookies,
Organizations must provide clear and comprehensive information to data subjects.
Consent can be obtained through Pop-ups, Banners, or website registrations.
However, relevant settings contained within current browsers are not likely to constitute valid consent.
Relevant Legislation
Law of the Republic of Lithuania on the Legal Protection of Personal Data.
Luxembourg
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
Consent is required for the use of nonessential cookies and similar tracking technologies, such as cookies used for the purposes of tracking, profiling, personalized advertisements, geolocation, and social plugins where the plugin is linked to the use of cookies.
Cookie guidelines are available here.
Relevant Legislation
Act of 1 August 2018 on the organization of the National Data Protection Commission and the general data protection framework.
Malaysia
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
An organization may obtain consent in any form, as long as the consent can be recorded and properly maintained by the organization. A data subject must be able to withdraw his/her consent to the processing of personal data via a written notice.
Consent as a Lawful Ground of Processing
Consent is a lawful basis for data processing. Processing may also take place in the following instances:
the performance of a contract entered into with a data subject; or
in addressing any pre-contractual inquiry of a data subject who is a potential customer; or
in order to comply with any non-contractual legal obligation that the data user is subject to; or
in order to protect the vital interests of the data subject (e.g. disclosing the last known location of the data subject where he/she has been reported missing for more than 24 hours); or
for the administration of justice in accordance with the requirements and processes as set out by the law; or
for the exercise of any functions conferred upon any person by the law; or
where expressly exempted or otherwise permitted by the PDPA.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Personal Data Protection Act 2010.
Any Additional Information
The data subjects should be provided with a notice which provides:
A description of the personal data being processed by the controller;
The purpose(s) for which the personal data is being collected and processed;
The source of the personal data;
The data subject’s right to access and correct the personal data and the contact details to which a data subject may send the access and/or correction request;
The class of third parties the personal data is disclosed or may be disclosed to;
The choices and means available to the data subject to limit the processing of their personal data,
Whether it is obligatory or voluntary for the data subject to provide personal data and
The consequences of failing to provide obligatory personal data (i.e. personal data required by the controller to make the services available to the data subject).
Malta
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent means prior consent. A data subject must be able to withdraw his/her consent to the processing of personal data by notice in writing.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
Under the Processing of Personal Data (Electronic Communications Sector) Regulations in Malta, organizations need consent for the use of cookies.
Relevant Legislation
Data Protection Act (Act XX of 2018).
Mexico
General Rule: Opt-out with exceptions
Exception
Opt-in consent is required for the processing of financial or economic data.
Opt-in consent is required for the processing of sensitive personal data.
Meaning of Consent
Consent, whether tacit or express, must be:
Free: Without error, bad faith, violence, or fraud that may affect the expression of the will of the data subject,
Specific: Refer to one or several specific purposes that justify the processing,
Informed: The data subject must be informed of the processing to be done with his/her personal data and the consequences.
Consent as a Lawful Ground of Processing
Consent is a lawful ground for data processing.
In the absence of consent, data may be processed on the basis of the principle of legitimacy that requires the data controller to ensure that data processing follows and complies with the provisions of Mexican and international law.
Specific Cookie Consent Requirement
Individuals must be informed about any cookies or technology that allows the automatic collection of their personal data.
Individuals must also be informed on how to disable these cookies or technology (unless they are required for technical purposes).
Relevant Legislation
Federal Law for the Protection of Personal Data held by Private Parties.
Any Additional Information
Data controllers must inform users about the collection and use of their personal data.
Data controllers must also provide users with the ability to opt out of consent.
Morocco
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent means that the data subject gives his/her consent for the processing of his/her personal data freely, specifically, and in an informed manner.
Consent as a Lawful Ground of Processing
Consent is a lawful ground for data processing. Other lawful grounds include the following:
Where the processing is necessary for the performance of a contractual obligation to which the data subject is a party, and
Where the processing is necessary to pursue the legitimate interests of the data controller, provided that the fundamental rights and liberties of the data subject are respected.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Law No. 09-08 on the Protection of Individuals with regard to Processing of Personal Data and its Implementing Decree No. 1-09-15.
Netherlands
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
As per the Guidance issued by the Dutch Data Protection Authority in 2019, cookie walls are prohibited. Consent is needed for the use of cookies.
New Zealand
Meaning of Consent
Consent refers to the authorization of the data subject.
If an organization relies on verbal consent, it must make a note of this, including the date and exactly what the individual has agreed to in relation to the use and disclosure of the personal information.
Consent must be limited to specific purposes and specific timeframes.
Consent as a Lawful Ground of Processing
Although the primary authority for collecting, using, and disclosing personal information is a legitimate business purpose rather than consent, the best practice is to obtain the individual's consent before collecting, using, or disclosing their personal data, especially for unexpected purposes.
An organization must not use any personal information that was obtained in connection with one purpose for another purpose unless there is an exception that allows it to do so.
Specific Cookie Consent Requirement
Accepting an imputed authority for a disclosure based on the continued use of services on the basis of broad and unexpected terms and conditions is not valid, and an individual's authorization/consent will be required in such a situation.
The Privacy Commissioner's Opinion titled Click to consent? Not good enough anymore is available here.
Relevant Legislation
The Privacy Act 2020.
Any Additional Information
The Data controller must:
Collect personal information directly from the concerned data subject,
Make sure that the data subject is aware of the fact that the information is being collected,
Clearly communicate the purpose for which the information is collected, the intended recipients of the information, the name and address of the agencies involved, the consequences for not providing the information, and the data subject's rights of access to and correction of his or her personal information.
Data controllers must not use the personal information that was obtained in connection with one purpose for any other purpose (unless there are reasonable grounds to do so).
Norway
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
As per the Guidance issued by the Norwegian Data Protection Authority, consent must be given by the user to the use of cookies.
While obtaining consent, the user must be informed about what information is being processed, what cookies are being used, and what the purpose of the data processing is.
Philippines
Meaning of Consent
Consent must be an unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Data Privacy Act of 2012 (Republic Act No. 10173).
Poland
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Protection of Personal Data Act.
Portugal
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Act on the Protection of Personal Data.
Qatar
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent should be explicit and written.
Consent as a Lawful Ground of Processing
Under the PDPL, data processing is lawful if explicit written consent of the data subject is obtained, there is a 'lawful purpose' for processing on the part of the controller or the third party to whom the personal data is sent, or a valid exemption applies to the processing in question.
The lawful purpose is defined as 'the purpose for which the personal data of the data subject is being processed in accordance with the law,' which includes cases where processing is necessary for a legitimate interest, legal obligation, or contractual obligation.
Personal data shall be processed only within the framework of transparency, honesty, and respect for human dignity and in accordance with the Qatar PDPL.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Personal Data Privacy Protection Law 2013.
Any Additional Information
Controllers must provide individuals with privacy information, including:
Details of their organization,
A description of how personal data is processed,
The permitted reasons and purposes for processing,
How long personal data is retained for,
Who it will be shared with, and
Any other necessary information set out in the Privacy Notice Guidelines.
Romania
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
As per Law No. 506/2004, the installation of cookies is allowed when users expressly consent, provided that they are informed of the purposes of the use of cookies in a clear and user-friendly manner.
Relevant Legislation
Romanian Law No. 190/2018.
Russian Federation
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given (free will of the data subject),
Specific (specific and separate consent for specific and separate data processing purposes e.g. consent for the publicly disseminated data must be obtained separately),
Informed (personal data processing notice is required prior to the processing),
Conscious, and
Substantive and unambiguous.
Consent as a Lawful Ground of Processing
Processing of data is allowed in the following cases:
Consent of the data subject,
For compliance with a legal obligation,
Processing necessary for execution of a judicial act or in connection with the involvement of the individual in constitutional, civil, administrative, criminal court proceedings, and court proceedings in arbitration courts,
Processing necessary for the execution of powers of federal executive bodies, state extra-budgetary funds, executive bodies of state bodies of the constituent,
Processing required for the execution of an agreement with the data subject,
Processing is required for the protection of life, health, or other vital interests of the data subject if it is not possible to obtain their consent,
Processing required to exercise the rights and legal interests of the data controller or third parties,
Processing required for the professional activities of a journalist and (or) the legal activities of the media or for the purpose of scientific, literary, or other creative activity,
Processing carried out for statistical or other research purposes, and
Processing data that are subject to publication or compulsory disclosure in accordance with federal laws.
Specific Cookie Consent Requirement
Prior consent is required for the use of cookies.
Relevant Legislation
Federal Law of July 27, 2006 N 152-FZ on Personal Data.
Any Additional Information
Consent of the data subject is required to distribute or allow the personal data to be publicly disseminated. Consent for publicly disseminated data must be obtained separately from other kinds of consent.
Consent must be in writing for cross-border transfers to non-adequate countries, for the processing of sensitive or biometric personal data, for the processing of data for automated decision-making, for employees' data processing, and for providing personal data to publicly available sources.
Data operators must stop the data processing within a period not exceeding ten working days in the case of a consent withdrawal request. This period may be extended by up to five more working days, provided the data operator gives a reasoned notice to the data subject stating the reasons for the delay.
Saudi Arabia
General Rule: Opt-in
Exception
Soft opt-in for direct marketing.
Meaning of Consent
Consent shall be given freely and not obtained through misleading methods.
Direct and explicit consent means any consent given by the data subject in a form that clearly indicates the data subject's acceptance of the processing of their personal data, in a manner that cannot be interpreted otherwise and whose collection can be proven.
The data subject's consent shall be explicit in the following cases:
When the processing involves sensitive data,
When the processing involves credit data, and
When decisions are made solely based on automated processing of personal data.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Personal Data Protection Law 2021.
Any Additional Information
The controller shall obtain the data subject's consent for processing their personal data subject to the following conditions:
Consent shall be given freely and not obtained through misleading methods in a manner compliant with the PDPL,
Processing purposes shall be clear and specific, and shall be explained and clarified to the data subject before or at the time of requesting consent,
Consent shall be given by a person who has full legal capacity,
Consent shall be documented in a way that allows verification in the future, such as keeping records that include the consent of the data subjects regarding the processing operations, along with the time and the method of consent, and
Independent consent shall be obtained for each processing purpose.
The controller shall obtain the data subject's consent for processing their data in any appropriate form or means, including written or verbal consent or by using electronic methods.
Singapore
General Rule: Opt-out with exceptions
Exception
Opt-in consent is required where it is mandated by law or by a prior agreement to which the data subject is a party.
Meaning of Consent
An individual has not given consent unless he/she has been notified of the purposes for which the personal data will be collected, used, or disclosed, and the individual has provided consent for those purposes.
Consent may be expressed or deemed depending on the circumstances.
For deemed consent, the notification provided to the individual must be adequate, and organizations must provide a reasonable period for the individual to opt out before they proceed to collect, use, or disclose personal data.
Consent as a Lawful Ground of Processing
Consent is a lawful ground for the collection, use, and disclosure of personal data. Other lawful grounds include the following:
Legitimate interest: Organizations may collect and use personal data if it is in the legitimate interests of the organization and those legitimate interests outweigh any adverse effects to the individual, provided certain conditions are met.
Business improvement: Organizations may use personal data for “business improvement” purposes provided certain conditions are met. Business improvement purposes means improving, enhancing or developing new goods or services, improving, enhancing or developing new methods or processes for business operations in relation to the organization’s goods and services, learning or understanding the behavior and preferences of individuals (including groups of individuals segmented by profile) or identifying goods or services that may be suitable for individuals (including groups of individuals segmented by profile) or personalizing or customizing any such goods or services for individuals.
Research purpose: Organizations may use personal data for research purposes, including historical and statistical research, subject to certain conditions.
Publicly available data: So long as the personal data in question is publicly available at the point of collection, organizations will be able to use and disclose personal data without consent.
Specific Cookie Consent Requirement
If the targeting of advertisements involves the collection and use of personal data through cookies, the individual's consent is required.
Consent may be reflected in the way a user configures his/her interaction with the Internet. If the individual configures his/her browser to accept certain cookies but rejects others, he/she may be found to have consented to the collection, use, and disclosure of his/her personal data by the cookies that he/she has chosen to accept. However, the mere failure of an individual to actively manage his/her browser settings does not imply that the individual has consented to the collection, use, and disclosure of his/her personal data by all websites for their stated purposes.
As good practice, organizations should provide individuals with the ability to set their cookie preferences within the website to enable or disable the use of such cookies for personalized advertisement targeting.
Advisory Guidelines on the PDPA for Selected Topics, including consent that must be obtained for the use of cookies, are available here.
Relevant Legislation
Personal Data Protection Act 2012.
Any Additional Information
While obtaining consent from the data subject, data controllers must do the following:
Notify the individual of the purposes for which personal data will be collected, used or disclosed.
Must NOT obtain or attempt to obtain consent by providing false or misleading information or using deceptive or misleading practices, for example, by stating the purposes in vague or inaccurate terms, in an illegible font, or in an obscure area of a document or a location that is difficult to access.
Slovakia
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary for the protection of life, health, or property of the data subject or another natural person,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
All non-essential cookie categories should be turned off by default.
To ensure informed consent, a cookie consent banner and a cookie policy may be used. A cookie policy should contain detailed information on cookies that helps users make an informed decision. The cookie consent banner may provide a link to the cookie policy for users who seek detailed information.
Data controllers should use appropriate and clearly understandable language on consent banners.
The wording used on consent banners for obtaining consent must clearly denote users’ agreement. For example, terms such as “I Agree” or “Accept” should be used.
Users must be able to consent to specific categories of cookies based on their purposes.
It is possible to not provide any “Accept” field on the first information layer of the banner provided that the consent banner provides “Reject All” and an “Edit Settings” field that includes the option for the user to select all options.
The colors of all fields on the consent banner must be the same so that the user is not instinctively prompted to click any of the options.
Any cookie banner that covers an entire website and requires users to give consent in order to be able to use the website is construed as forcing consent, which is not permissible. Website users must have the option to close the cookie consent banner without accepting cookies.
Relevant Legislation
Act no. 18/2018 Coll. on personal data protection and amending and supplementing certain Acts.
Any Additional Information
The data subject must have the right to withdraw consent at any time without any adverse consequences, and such an option should be easily accessible. It should be as easy for users to withdraw consent as giving consent.
To ensure user transparency, the data controller must provide the following information to data subjects while obtaining their consent:
The identity of the data controller,
The purpose of all processing operations for which consent is required,
The category of data to be obtained and used,
The existence of the data subject’s right to withdraw consent,
Information on the use of data for automated decision-making where applicable,
Any possible risks associated with cross-border data transfer due to the absence of an adequacy decision and appropriate safeguards, and
The list of all organizations with whom the user’s personal data is shared via cookies. The list needs to be regularly updated so as to allow the data subject to grant consent for specific organizations.
Slovenia
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
Prior consent is required for the installation of cookies.
The Information Commissioner issued Guidelines on cookies that are available here and FAQs on cookies that are available here.
Relevant Legislation
Personal Data Protection Act (ZVOP-2).
South Africa
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Personal information may only be processed if:
The data subject consents,
Processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party,
Processing complies with an obligation imposed by law on the responsible party,
Processing is necessary for the proper performance of a public law duty by a public body or
processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Protection of Personal Information Act.
South Korea
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent is the manifestation (e.g., written signature, oral confirmation, consent via an internet homepage) of a data subject's intent to voluntarily accept the collection or use of his/her personal information by the controller.
Such intent should be clearly ascertainable.
Consent must be informed, and specific information must be provided to the data subject both when obtaining consent and when the relevant information changes.
For each matter requiring consent, a controller must make a distinct request and obtain specific consent.
There are specific notification requirements depending on the form and purpose for which consent is obtained.
Consent as a Lawful Ground of Processing
Personal data may be collected in any of the following circumstances and used within the scope of the purpose of collection:
Where consent is obtained from a data subject,
Where special provisions exist in other laws, or it is inevitable for a public institution’s performance of its duties under its jurisdiction as prescribed by statutes, etc.,
Where it is inevitably necessary to execute and perform a contract with a data subject,
Where it is deemed manifestly necessary for the protection of life, bodily, or property interests of the data subject or third party from imminent danger where the data subject or his or her legal representative is not in a position to express intention or prior consent cannot be obtained owing to unknown addresses, etc.,
Where it is necessary to attain the justifiable interest of a personal information controller, and such interest is manifestly superior to the rights of the data subject. In such cases, processing shall be allowed only to the extent the processing is substantially related to the justifiable interest of the personal information controller and does not go beyond a reasonable scope.
Specific Cookie Consent Requirement
The provision of goods or services should not be dependent on the data subject's consent.
Organizations must draft privacy notices with the aid of graphics to inform data subjects about the types of data processing activities.
Recent guidelines from the Personal Information Protection Commission on consent and privacy notices are available here.
Relevant Legislation
Personal Information Protection Act.
Any Additional Information
Consent should be obtained justly.
Data controllers must NOT obtain consent by fraudulent, improper, or unjust means.
Organizations must process a minimum amount of personal data where data processing is based on the data subject's consent.
When seeking consent for collection and disclosure of personal information, controllers must inform data subjects of the following matters:
The purpose of the collection and use of personal information,
The items of personal information to be collected or used,
The period for retaining and using the personal information,
The ability to deny consent and any disadvantages resulting from denial of consent, and
The recipients of personal information in case of sharing information with third parties.
Spain
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
According to the updated guide on the use of cookies issued by the Spanish Data Protection Authority (AEPD):
For consent to be valid, it must be freely granted and informed.
The option to “continue browsing”, user clicks, scrolling, navigation, consulting a second layer of information when information is presented in layers, navigating options for managing cookie preferences, or any such similar behavior does NOT constitute valid forms of consent.
Consent must be given for each specific purpose to ensure granularity.
Consent for the use of cookies must be separate from the acceptance of the terms and conditions of the use of the website or service or the privacy policy of the website.
The buttons/options for accepting or rejecting cookies must be presented in a prominent place and format, and both options must be at the same level without it being more complicated to reject cookies than to accept them.
Personalization cookies, used when users make specific choices themselves (e.g., selecting the website language or preferred currency for transactions), are considered technical cookies that do not require consent. Such cookies should solely serve the intended purpose and not be utilized for any other purpose. However, where a webpage/application owner adapts the content of the website or application based on the information obtained through cookies, it should inform the concerned user and seek their consent.
In the case of cookie walls, to ensure that consent for cookies is freely given, access to a service and its functionalities shall not be made conditional upon the user's acceptance of cookies. Therefore, non-acceptance of cookies may result in restricted or denied access to the website or partial use of its services provided that the user is adequately informed and the website administrator provides alternative means for accessing the service without mandating cookie acceptance. This alternative access does not necessarily have to be free.
Relevant Legislation
Organic Law 15/1999 of 13 December on the Protection of Personal Data.
Sri Lanka
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent under the PDPA is required to be a freely given, specific, informed and unambiguous indication of the data subject's wishes, given in writing or by affirmative action.
Consent as a Lawful Ground of Processing
In order to ensure that processing is ‘lawful’ whenever personal data is processed, such processing should be:
Based on the consent of the data subject,
Necessary for the performance of a contract / to enter into a contract with the data subject,
Necessary for compliance with a legal obligation to which the controller/processor is subject under Sri Lankan law,
Necessary to respond to an emergency that threatens the life, health, or safety of the data subject or another natural person,
Necessary for the performance of a task carried out in the public interest or in the exercise of powers, functions, or duties imposed under Sri Lankan law; or
Necessary for the purposes of legitimate interests of the controller or a third party.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Personal Data Protection Act (PDPA).
Any Additional Information
Consent should be capable of being withdrawn at any time.
Where the personal data relating to a data subject is collected from the data subject, the controller shall provide the data subject with the following information at the time of collection of such personal data:
The identity and contact details of the controller and, where applicable, of the controller's representative,
The contact details of the data protection officer (DPO), where applicable,
The intended purposes for which the personal data is processed and the legal basis for the processing,
The legitimate interest pursued by the controller or by a third party (if applicable),
The categories of personal data being collected,
Where the processing is intended to be based on consent, the existence of the right of the data subject to withdraw his consent, and the procedure for such withdrawal, without affecting the lawfulness of processing based on consent before its withdrawal,
Recipients or third parties with whom such personal data may be shared, if applicable,
Information regarding any cross-border transfer of the personal data that the controller intends to carry out, if applicable,
The period for which the personal data shall be retained (in terms of section 9 of the PDPA) or where such period is not known, the criteria for determining such period,
The existence of and procedure for the exercise of the rights of the data subject (referred to in Part II of the PDPA),
The existence of the right to file complaints with the Data Protection Authority,
Whether the provision of personal data by the data subject is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data, and
The existence of automated individual decision-making (referred to in section 18 of the PDPA), including profiling, and, at least in those cases, reasonably meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Sweden
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An Unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
The Electronic Communications Act (ECA) requires providers of publicly available electronic communication services to obtain the consent of data subjects for the processing of traffic data. Under the ECA, consent may be revoked at any time. The type of traffic data processed, and for how long it is processed for those purposes, must be communicated to the data subject before their consent is obtained.
The Swedish Post and Telecommunications Authority has also clarified that cookies may only be used if users are informed about the purpose of processing their data and provide their consent.
Access to a service must not be conditioned on the acceptance of cookies - consent must be voluntary.
Switzerland
General Rule: Opt-out with-exceptions
Exception
Opt-in consent is required for the processing of sensitive personal data and for high-risk profiling by a private person, and for any profiling by a federal body.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Personal data may only be collected for a specific purpose that is evident to the data subject, and
Personal data may only be processed in a way that is compatible with such purposes.
Specific Cookie Consent Requirement
The Telecommunications Act requires organizations to inform users about the use of cookies and provide them the ability to opt-out. With respect to the use of cookies and tracking technologies, website operators and app providers have the following duties:
provide transparent and understandable information to users about how the data is processed, its purpose, and their ability to object, as well as the possibility that their data will be transferred abroad, where applicable.
offer an easy way for users to deny consent to use their data (opt-outs or using default settings such as Do not track).
obtain explicit consent to the tracking (opt-in) when personality profiles are created or sensitive personal data is processed.
Relevant Legislation
Swiss Revised Federal Act on Data Protection 2023.
Taiwan, Province Of China
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent refers to a declaration of agreement given by a data subject after he/she has been informed by the data controller of the personal information required by the data controller.
Separate consent must be obtained for separate and specific data processing purposes.
Consent as a Lawful Ground of Processing
Consent can be used as a Lawful basis for data processing. Other lawful bases of data processing are:
Processing that is provided by law,
Processing based on a contract between the agency and the data subject, where appropriate security measures have been adopted,
Processing of data that is already in the public domain due to disclosure by the data subject or in a legitimate manner,
Processing that is necessary for statistics-gathering or academic research by an academic research institution in the interest of the general public provided that any information sufficient to identify the data subject has been removed,
Processing necessary for the furtherance of public interest,
Processing of data that was collected from publicly available sources, unless the interest of the data subject takes priority over that of the agency, and
Processing that will not be detrimental to the rights or interests of the data subject.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Personal Data Protection Act 2015.
Thailand
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent should be freely given, informed, specific, and explicit.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for preparing historical documents or public archives, or for research or statistical purposes,
Necessary to prevent or suppress danger to a person's life, body, or health,
Necessary for the performance of a contract with the data subject or to take steps upon request of the data subject prior to entering into a contract,
Necessary for the performance of a task in the public interest or for exercising official authority vested in the controller,
Necessary to protect the legitimate interests of the controller, or any other persons or juristic persons, except where such interests are overridden by the data subject rights,
Necessary for compliance with a law to which the data controller is subject.
Specific Cookie Consent Requirement
The data subject must be able to freely, independently, and voluntarily give consent without any threat, fraud, deception, coercion, intimidation, or misrepresentation on the part of the data controller.
The data subject’s consent cannot be implied. The request for consent must be explicitly made in a written statement or via electronic means. Consent may also be obtained verbally in limited circumstances.
To obtain consent from data subjects, data controllers should use means by which the data subject can be identified, and their express intent can be demonstrated.
The specific purpose and details of the consent request must be communicated to the data subject prior to obtaining their consent, and such communication may be made in the form of a written or oral notice, text notification in the form of SMS, email, MMS, by phone, or any other electronic method, such as specifying details in a URL or QR code.
Relevant Legislation
Personal Data Protection Act, 2019.
Any Additional Information
Prior to obtaining consent, the data subject must be informed of the purposes of the collection, use, or disclosure of personal data, details of the types of personal data to be collected, and the right of the data subject to withdraw consent, along with the method of doing so.
The language and text used in notifying the purposes and details must be clear and easily understandable.
The data subject must be able to withdraw consent at any time and as easily as consent was obtained.
Any withdrawal of consent should not impact the quality of the website service offered to the data subject.
The data subject must be informed of any consequences of consent withdrawal.
The explicit consent of data subjects should be obtained prior to the collection and processing of their personal data.
United Arab Emirates
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent is an authorization by the data subject allowing others to process their personal data, given in a specific, clear and unambiguous form and stating, through a statement or a clear affirmative action, that they accept the processing of their personal data.
Consent as a Lawful Ground of Processing
In addition to the consent of the data subject that is considered the default legal basis, the following additional legal bases are applicable for processing personal data:
The processing is necessary for the protection of the public interest,
The processing is related to the personal data that has become publicly available and known by an act of the data subject,
The processing is necessary to initiate or defend any claim or legal proceedings or when the processing is in connection with judicial or security proceedings,
The processing is necessary for the purposes of occupational or preventive medicine in order to assess the employees' ability to work, for medical diagnosis, for health or social care, for treatment, for health insurance service, or for the management of health or social care systems and services in accordance with the applicable legislation in the UAE,
The processing is necessary to protect public health, including protection from communicable diseases and epidemics, or for the purposes of ensuring the safety and quality of healthcare, medicines, drugs, and medical devices, in accordance with the applicable legislations in the UAE,
The processing is necessary for archival purposes or for scientific, historical, and statistical studies in accordance with the applicable legislation in the UAE,
The processing is necessary for the protection of the data subject's interests,
The processing is necessary for the purposes of the controller or data subject carrying out their obligations and exercising their legally established rights in the field of employment, social security, or under the laws of social protection, to the extent permitted by such laws,
The personal data is necessary to perform a contract with the data subject,
The processing is necessary to implement specific obligations under other laws in the country of the controller, and
Any other cases specified by the executive regulations of the UAE Personal Data Protection Law.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Personal Data Protection Law 2021.
Any Additional Information
In order to accept the consent of the data subject, the following conditions must be met:
The controller must be able to prove the consent of the data subject to process his/her personal data,
The consent must be given in a clear, simple, unambiguous, and easily accessible manner, whether in writing or electronic form, and
The consent notice must indicate the right of the data subject to withdraw it and that such withdrawal must be easily made.
Controller is required to, in all cases and prior to the commencement of processing, provide data subjects with information regarding:
The purposes of the processing,
The targeted sectors or establishments with whom the personal data will be shared, both within and outside the UAE, and
The protection measures for cross-border processing.
United Kingdom
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
As per the ICO’s Guidance titled What are the rules on cookies and similar technologies, the use of cookies is allowed if the user is provided with clear and comprehensive information about the purposes of the storage of or access to that information and has given his or her consent.
California
General Rule: Opt-out with-exceptions
Exception
Businesses must obtain opt-in consent from consumers for:
Sale and sharing of personal information that was collected when the business did not have a notice of the right to opt-out of sale/sharing posted.
Use and disclosure of sensitive personal information for additional purposes other than those authorized by the US California Privacy Rights Act if it was collected when the business did not provide consumers the notice of the right to limit the use of sensitive personal information.
Sale or sharing of personal information of consumers below the age of 13 (opt-in consent of parents or guardians).
Sale or sharing of personal information of consumers aged 13 to 16.
Enrolling consumers into any financial incentive program and processing their personal information in return for financial incentives.
Processing of personal information for additional purposes that are incompatible with the disclosed purposes for which the personal information was collected.
Businesses must obtain double opt-in consent from consumers if they request to opt-in for the sale or sharing of their personal information after they have previously opted out.
Meaning of Consent
The CCPA defines consent as any:
Freely given,
Specific,
Informed,
Unambiguous indication of the consumer's agreement to the processing of personal information relating to them for a narrowly defined particular purpose.
The following does not constitute valid consent:
Acceptance of general or broad terms of use or similar document that contains descriptions of personal information processing along with other unrelated information.
Hovering over, muting, pausing, or closing a given piece of content does not constitute consent.
The agreement obtained through the use of dark patterns does not constitute consent.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Consent.
Performance of a contract.
Compliance with legal obligations.
Protection of vital interests.
Performance of a task carried out in the public interest.
Legitimate interests.
Specific Cookie Consent Requirement
To comply with the CCPA, a "Do Not Sell or Share My Personal Information" link or button must be provided on the homepage of the website.
Granular opt-outs from specific sales of personal information may be provided to consumers as long as the global opt-out button is more prominent.
The business must be able to detect and honor Global Privacy Control (GPC) signals. When the GPC is detected, all third-party non-essential cookies that are involved in the sale or sharing of personal information must be opted out immediately.
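The GPC requirement above, like the opt-out preference signal that Connecticut requires controllers to honour later on this page, is the one obligation in this list that is met in code rather than in policy. The following is an added example, not code from Securiti's page or from any regulator. It detects the signal on the server (the `Sec-GPC: 1` request header defined by the Global Privacy Control specification) and on the client (`navigator.globalPrivacyControl`), records it as an opt-out of sale/sharing, and expires the non-essential cookies that feed sale or sharing while leaving strictly necessary cookies alone. The cookie names, the `.example.com` domain and the stored-preference values are assumptions made for the example.

```javascript
// Added example (not from Securiti's page or any regulator): honouring a
// Global Privacy Control signal as an opt-out of sale/sharing.
// Sec-GPC and navigator.globalPrivacyControl come from the GPC
// specification; cookie names, domain and state values are assumptions.

// Site cookie inventory (hypothetical names). Only non-essential cookies
// involved in sale/sharing are cleared; strictly necessary ones stay.
const COOKIE_INVENTORY = {
  session_id: { essential: true },
  csrf_token: { essential: true },
  lang:       { essential: true },            // user-chosen preference
  _adsync:    { essential: false, saleOrShare: true,  domain: ".example.com" },
  _retarget:  { essential: false, saleOrShare: true,  domain: ".example.com" },
  _perf:      { essential: false, saleOrShare: false, domain: ".example.com" },
};

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function getHeader(headers, name) {
  const hit = Object.entries(headers || {}).find(([k]) => k.toLowerCase() === name);
  return hit ? String(hit[1]) : undefined;
}

// Server side: the spec sends "Sec-GPC: 1". Absence or any other value is no signal.
function gpcFromHeaders(headers) {
  return (getHeader(headers, "sec-gpc") || "").trim() === "1";
}

// Client side: true only when the user has enabled GPC in the browser or an extension.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Cookies to expire under an opt-out: present in the request, non-essential
// and involved in sale/sharing. A cookie missing from the inventory is
// treated the same way, so an unlisted tag cannot keep the consumer opted in.
function cookiesToClear(jar) {
  return Object.keys(jar).filter((name) => {
    const meta = COOKIE_INVENTORY[name];
    return !meta || (!meta.essential && meta.saleOrShare === true);
  });
}

// Set-Cookie header that expires a cookie. Domain and Path must match the
// attributes used when the cookie was set, or the browser keeps the original.
function expireCookieHeader(name) {
  const meta = COOKIE_INVENTORY[name] || {};
  const domain = meta.domain ? `; Domain=${meta.domain}` : "";
  return `${name}=; Max-Age=0; Path=/${domain}; Secure; SameSite=Lax`;
}

// Evaluate one request. `state` is the consumer's stored preference for
// this business: "opted_out", "consented" or undefined (assumed values).
function handleRequest({ headers, state }) {
  const signal = gpcFromHeaders(headers);
  const jar = parseCookieHeader(getHeader(headers, "cookie"));
  // The signal is a valid opt-out request and takes precedence over a
  // preference given earlier, so it is recorded as the new state.
  const optedOut = signal || state === "opted_out";
  const clear = optedOut ? cookiesToClear(jar) : [];
  return {
    gpcSignal: signal,
    optedOut,
    newState: signal ? "opted_out" : state,
    setCookie: clear.map(expireCookieHeader),
    loadSaleShareTags: !optedOut,   // sale/share tags must not fire when opted out
  };
}
```

Two design points matter in practice. The signal is processed as a valid opt-out even when it conflicts with a preference the consumer gave earlier, so the stored state is overwritten rather than ignored. Cookies that are not in the inventory are expired as well, which means the inventory has to be kept complete; the safer failure is breaking an undocumented tag rather than continuing to sell or share data after an opt-out.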
Relevant Legislation
California Consumer Privacy Act 2018.
Any Additional Information
Separate consent is required for narrowly defined separate purposes.
In responding to a request to opt-out of sale/sharing or request to limit the use of sensitive personal information, a business may present the consumers with the choice to opt-out of the sale or sharing, or limit the use, of personal information for certain uses as long as a single option to opt-out of the sale or sharing, or limit the use, of all personal information is also offered.
Businesses shall design and implement methods for submission of opt-out and limit requests and obtaining consumer consent that incorporates the following principles:
The path for a consumer to exercise a more privacy-protective option shall not be more difficult or time-consuming than the path to exercise a less privacy-protective option. Consumers must be offered equal or symmetrical options for giving or refusing consent: for example, a 'Reject' option must be offered alongside an 'Accept' option, rather than options such as 'Preferences' or 'Ask me Later.'
Avoid interactive elements that are confusing to the consumer, such as unintuitive placement of buttons to confirm a consumer’s choice. Moreover, toggles or buttons must clearly indicate the consumer’s choice.
Avoid choice architecture that impairs or interferes with the consumer’s ability to make a choice. Businesses should also not design their methods in a manner that would impair the consumer’s ability to exercise their choice because consent must be freely given, specific, informed, and unambiguous.
The business shall not add unnecessary burden or friction to the process by which the consumer submits a request. Methods should be tested to ensure that they are functional and do not undermine the consumer’s choice to submit the request.
The business shall use language that is easy for consumers to read and understand and avoid language that is confusing to the consumer, such as the use of double negatives.
A business shall maintain records of requests to opt out of the sale/sharing of personal information and requests to limit the use and disclosure of sensitive personal information and how it responded to such requests for at least 24 months. The business shall implement and maintain reasonable security procedures and practices in maintaining these records.
A business that controls the collection of a consumer’s personal information shall, at or before the point of collection, provide consumers with the following information:
A list of the categories of personal information about consumers, including categories of sensitive personal information, to be collected. Each category of personal information shall be written in a manner that provides consumers with a meaningful understanding of the information being collected.
The purpose(s) for which the categories of personal information, including categories of sensitive personal information, are collected and used.
Whether each category of collected personal information is sold or shared.
The length of time the business intends to retain each category of collected personal information, or if that is not possible, the criteria used to determine the period of time it will be retained.
If the business sells or shares personal information, the link to the Notice of Right to Opt-out of Sale/Sharing, or in the case of offline notices, where the webpage can be found online.
A link to the business’s privacy policy, or in the case of offline notices, where the privacy policy can be found online.
If a business collects additional categories of personal information or uses personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected, it shall provide the consumer with a new Notice at Collection in accordance with the requirements specified herein.
Colorado General Rule: Opt-out with-exceptions
Exception
The consumer must be provided an opportunity to opt-out of processing the personal data for:
Targeted advertising.
Purposes of profiling.
Sale of personal data.
The controllers must obtain valid consent from the consumer prior to:
Processing a consumer’s sensitive data.
Processing personal data concerning a known child, in which case the child’s parent or lawful guardian must provide consent.
Selling a consumer’s personal data, processing a consumer’s personal data for targeted advertising, or profiling after the consumer has exercised the right to opt out of the processing for those purposes.
Processing personal data for purposes that are not reasonably necessary to, or compatible with, the original specified purposes for which the personal data are processed.
Meaning of Consent
Consent means a clear, affirmative act signifying a consumer’s freely given specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data.
The following does not constitute consent:
Acceptance of general or broad terms of use or similar document that contains descriptions of personal data processing along with other unrelated information,
Hovering over, muting, pausing, or closing a given piece of content and
Agreement obtained through the use of dark patterns.
Where the controllers request consent to process personal data for more than one processing purpose, and those processing purposes are not reasonably necessary to or compatible with one another, consumers must have the ability to consent separately to each specific purpose. Consent to process personal data for one specific purpose does not constitute valid consent to process personal data for other purposes that are not reasonably necessary to or compatible with that specific purpose.
Consent as a Lawful Ground of Processing
Subject to certain limited exceptions under the law, a data subject's consent is required for the collection, use, and disclosure of personal information.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Colorado Privacy Act 2021.
Any Additional Information
A controller must not use an interface design or choice architecture to obtain required consent that has been designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, or which unfairly, fraudulently, or deceptively manipulates or coerces a consumer into providing consent. Therefore, the controller must consider the following principles when designing a user interface or a choice architecture used to obtain consent:
Consent choice options should be presented to consumers in a symmetrical way that does not impose unequal weight or focus on one available choice over another such that a consumer’s ability to consent is impaired or subverted.
Consent choice options should avoid the use of emotionally manipulative language or visuals to unfairly, fraudulently, or deceptively coerce or steer consumer choice or consent.
A consumer’s silence or failure to take affirmative action should not be interpreted as acceptance or consent.
Consent choice options should not be presented with a pre-selected or default option.
A consumer should be able to select either consent choice option within a similar number of steps. A consumer’s ability to exercise a more privacy-protective option must not be unduly longer, more difficult, or time-consuming than the path to exercise a less privacy-protective option.
A consumer’s expected interaction with a website, application, or product should not be unnecessarily interrupted or intruded upon to request consent.
Consent choice options should not include misleading statements, omissions, affirmative misstatements, or intentionally confusing language to obtain consent.
The vulnerabilities or unique characteristics of the target audience of a product, service, or website should be considered when deciding how to present consent choice options.
User interface design and consent choice architecture should operate in a substantially similar manner when accessed through digital accessibility tools.
Controllers may consider statutes, administrative rules, and administrative guidance concerning 'dark patterns' from other jurisdictions when evaluating the appropriateness of the user interface or choice architecture used to obtain required consent.
When a consumer has not interacted with a controller in the prior twenty-four (24) months, the controller must refresh the consent of the consumer to continue processing the sensitive data or processing personal data for secondary purposes. However, controllers are not required to refresh consent where the consumer has access to, and the ability to update, their opt-out preferences at any time through a user-controlled interface.
A consumer must be able to refuse or revoke consent as easily and within a similar number of steps as consent is affirmatively provided, and there must be no detriment to a consumer for refusing or withdrawing consent.
A privacy notice must be easily accessible and must be posted online through a conspicuous link using the word “privacy” on the controller’s website homepage or on a mobile application’s app store page or download page. A controller that does not operate a website must make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers.
Controllers must provide a simple form or mechanism to enable a consumer to provide consent when required. Requests for consent must be prominent, concise, separate, and distinct from other terms and conditions, and must comply with all requirements for consumer disclosures.
To obtain consent to process personal data for an opt-out purpose after the consumer has opted out of processing for that purpose:
The controller shall not request consent using schemes that cause constant fatigue, such as interface-dominating cookie banners, high-frequency requests, cookie walls, pop-ups, or any other interstitials that degrade or obstruct the consumer’s experience on the controller’s website or application.
Like all consent interfaces, it must be a simple form or mechanism, and the collection of consent must be through clear and affirmative action, which is freely given, specific, informed, and reflects the consumer’s unambiguous agreement.
A controller may request consent by providing a link to a privacy settings page, menu, or similar interface, or a comparable offline method, that enables the consumer to consent to the controller processing the personal data for the opt-out purpose, so long as the request for consent meets all other requirements for valid consent. If a controller conspicuously displays the status of the consumer's opt-out choice on the website, the link to provide consent may appear beside or in conjunction with the consumer's opt-out status.
If the controller has a reasonable belief that the consumer intends to opt back into the sale of personal data or processing of personal data for targeted advertising, the controller may proactively send a link to a privacy settings page or other method directly to the consumer, to enable the consumer to re-consent to the opt-out purpose.
The consent notice must describe the categories of personal data to be processed and the purposes for which they will be processed and explain how and where the consumer may withdraw consent again.
If a consumer has opted out of the processing of Personal Data for the opt-out purposes under the CPA and then initiates a transaction or attempts to use a product or service inconsistent with the request to opt-out, such as signing up for a bona fide loyalty program that also involves the sale of personal data to a bona fide loyalty program partner, the controller may request the consumer’s consent to process the consumer’s personal data for that purpose, so long as the request for consent complies with all legal requirements.
Connecticut General Rule: Opt-out with-exceptions
Exception
The data controller must provide consumers an opportunity to opt-out before processing their personal data for:
Targeted advertising,
Sale of personal data, and
Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
The controllers must not process personal data without prior consent in the case of:
Processing sensitive personal data,
Processing personal data for targeted advertising of consumers aged 13 to 16 when their age is known to the controller before processing,
Processing of sensitive data concerning a known child (compliance with the Children's Online Privacy Protection Act also necessary),
Selling personal data when the controller is aware that the consumer is between 13 and 16 years old, and
Processing personal data for purposes that are neither reasonably necessary nor compatible with the purposes disclosed to the consumer at the time of initial collection.
Meaning of Consent
Consent means any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer, the consumer’s legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by clear affirmative action, signifies agreement to the processing of personal information relating to the consumer, for a narrowly defined particular purpose.
Consent does not include:
Acceptance of general or broad terms of use or similar document that contains descriptions of personal information processing along with other unrelated information,
Hovering over, muting, pausing, or closing a given piece of content, or
Agreement obtained through the use of dark patterns.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Consent,
Performance of a contract,
Compliance with a legal obligation,
Protecting an interest that is essential for the life or physical safety of the consumer or another individual,
Performance of a task carried out in the public interest,
Legitimate interests,
Collecting, using, or retaining data for internal use to improve or repair products, services, or technology, effectuate a product recall, or identify and repair technical errors that impair existing or intended functionality,
For reasons of public interest in the area of public health, community health, or population health,
Assist another controller, processor, or third party with the fulfillment of any of the obligations under the CTDPA,
Engaging in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board or similar independent oversight entities,
Preventing, detecting, protecting against, or responding to security incidents, identity theft, fraud, harassment, and malicious activities,
Providing a product or service specifically requested by a consumer, or
Taking steps at the request of a consumer prior to entering into a contract.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Connecticut Data Privacy Act 2023.
Any Additional Information
A data controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following:
The categories of personal data processed by the controller,
The purpose of processing personal data,
How consumers may exercise their consumer rights (including their rights to opt-out), including how a consumer may appeal a controller's decision with regard to the consumer's request,
The categories of personal data that the controller shares with third parties, if any,
The categories of third parties, if any, with which the controller shares personal data, and
An active electronic mail address or other online mechanism that the consumer may use to contact the controller.
A controller shall not require a consumer to create a new account in order to exercise their right to opt-out but may require a consumer to use an existing account.
If a controller responds to consumer opt-out requests by informing the consumer of a charge for the use of any product or service, the controller shall present the terms of any financial incentive offered for the retention, use, sale, or sharing of the consumer's personal data.
Controllers should provide a clear and conspicuous link on their website to a webpage that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising or sale of the consumer's personal data.
Not later than January 1, 2025, consumers should be allowed to opt out of any processing of their personal data for the purposes of targeted advertising or sale of such personal data through an opt-out preference signal sent, with such consumer's consent, by a platform, technology or mechanism to the controller. Such platform, technology, or mechanism shall:
Not unfairly disadvantage another controller,
Not make use of a default setting, but, rather, require the consumer to make an affirmative, freely given, and unambiguous choice to opt out of any processing of such consumer's personal data,
Be consumer-friendly and easy to use by an average consumer,
Be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation, and
Enable the controller to accurately determine whether the consumer is a resident of Connecticut and whether the consumer has made a legitimate request to opt out.
If a consumer's decision to opt out through an opt-out preference signal sent in accordance with the CTDPA conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller shall comply with the opt-out preference signal but may notify the consumer of such conflict and provide them the choice to confirm the controller-specific privacy setting or participation in such a program.
Data controllers must provide an effective mechanism for a consumer to revoke their consent, which is at least as effective as the mechanism used to collect the consent initially.
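As an added illustration of the opt-out preference signal rules listed above (this is constructed example code, not Securiti's or any consent platform's implementation), the following Python sketch shows how a controller might process such a signal: it honours the signal only once Connecticut residency has been determined, complies with it even when it conflicts with a controller-specific setting or loyalty-programme participation, and records the conflict so the consumer can be notified and given the choice to confirm their earlier setting. The page names no particular signal; the example assumes the Global Privacy Control request header (`Sec-GPC: 1`), and the `resident_state` field is assumed to be filled in by an earlier residency check.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ConsumerRecord:
    consumer_id: str
    resident_state: str            # assumed to come from a prior residency determination
    # Controller-specific privacy settings the consumer chose themselves;
    # None means the consumer never set the option.
    allow_targeted_ads: Optional[bool] = None
    allow_sale: Optional[bool] = None
    loyalty_member: bool = False   # bona fide loyalty, rewards or discount programme
    audit_log: List[dict] = field(default_factory=list)


@dataclass
class OptOutResult:
    applied: bool
    reason: str
    conflict_notice: Optional[str] = None


def signal_present(headers: Dict[str, str]) -> bool:
    """True when the request carries an opt-out preference signal.

    Assumption: the signal is Global Privacy Control, sent as 'Sec-GPC: 1'.
    Header names are matched case-insensitively.
    """
    normalised = {k.lower(): v.strip() for k, v in headers.items()}
    return normalised.get("sec-gpc") == "1"


def apply_opt_out_signal(record: ConsumerRecord, headers: Dict[str, str],
                         now: Optional[datetime] = None) -> OptOutResult:
    """Apply an opt-out preference signal to a consumer record.

    Returns whether the opt-out was applied, why, and any conflict notice
    the controller may choose to show the consumer.
    """
    if not signal_present(headers):
        return OptOutResult(False, "no opt-out preference signal on request")

    # The mechanism must let the controller determine Connecticut residency.
    if record.resident_state != "CT":
        return OptOutResult(False, "consumer not determined to be a Connecticut resident")

    # Collect conflicts with the consumer's own earlier choices.
    conflicts = []
    if record.allow_targeted_ads is True or record.allow_sale is True:
        conflicts.append("controller-specific privacy setting")
    if record.loyalty_member:
        conflicts.append("loyalty or rewards programme participation")

    # Comply with the signal first; a conflict only triggers a notice.
    record.allow_targeted_ads = False
    record.allow_sale = False
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    record.audit_log.append(
        {"at": stamp, "event": "opt_out_signal_honoured", "signal": "Sec-GPC"}
    )

    notice = None
    if conflicts:
        notice = ("Your opt-out preference signal conflicts with your "
                  + " and ".join(conflicts)
                  + ". You may confirm that setting or participation if you wish.")
    return OptOutResult(True, "opt-out preference signal honoured", notice)
```

The audit log entry is what lets the controller later show that the signal was received and honoured; the notice text is only returned, never acted on automatically, because the CTDPA leaves the follow-up confirmation to the consumer.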
Virginia
General Rule: Opt-out with exceptions
Exception
The controllers must give the consumers the right to opt out of the processing of their personal data for:
Purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer,
Sale of personal data, and
Targeted advertising.
The controllers must not process personal data without prior consent in the case of:
Processing sensitive personal information,
Processing of sensitive data concerning a known child (compliance with the Children's Online Privacy Protection Act also necessary), and
Processing personal information for purposes that go beyond what was reasonably necessary or compatible with the initially disclosed purposes for data processing as disclosed to the consumer.
Meaning of Consent
Consent means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means or any other unambiguous affirmative action.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Consent of the data subject,
Performance of a contract,
Compliance with a legal obligation,
Protection of essential interests for the life or safety of the consumer or another natural person,
Cooperation with law enforcement agencies,
Investigation, establishment, exercise, preparation for, or defending legal claims,
Providing a product or service specifically requested by a consumer,
In connection with dealing with security incidents or protecting security systems,
Engaging in scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an oversight entity,
Assisting another controller, processor, or third party with any of the foregoing obligations,
Conducting internal research to develop, improve, or repair products, services, or technology,
Effectuating a product recall, or
Performing internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Virginia Consumer Data Protection Act 2023.
Any Additional Information
A controller or processor shall not be required to comply with an authenticated consumer request to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer, if all of the following are true:
The controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data.
The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer.
The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in § 59.1-577 of the Virginia Consumer Data Protection Act.
Data controllers are required to have an easily accessible, meaningful, and unambiguous privacy policy/privacy notice on their website that informs the consumers of the following:
Categories of personal data being processed by the data controller,
Purposes behind the processing of personal data,
How customers can exercise their personal data rights and appeal the controller's decisions related to these rights,
Categories of personal data collected and shared with third parties, and
Categories of third parties that have had access to the collected data.
Vietnam
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
The consent of the data subject is the clear, voluntary, affirmative expression of permission to process the data subject's personal data.
Consent as a Lawful Ground of Processing
The Decree recognizes six legal bases for processing personal data, namely:
Where valid consent for processing personal data is obtained from the data subject;
In cases of emergency where personal data must be processed immediately to protect the life or health of the data subject or others;
Where the personal data is publicly disclosed in accordance with the law;
Where a competent state agency processes personal data:
In a state of emergency relating to national defense and security, social order and safety, major disasters, or dangerous epidemics;
When there is a risk of threat to national security and defense that has not yet reached the level of declaring a state of emergency; or
To prevent and combat riots, terrorism, crimes, and violations of the law;
Where personal data is processed to fulfill contractual obligations of the data subject with relevant agencies, organizations, or individuals as provided by law; and
Where personal data is processed to serve the operations of state agencies as prescribed by specialized laws.
Specific Cookie Consent Requirement
No regulatory guidance specific to the use of cookies is available.
Relevant Legislation
Personal Data Protection Decree (PDPD) 2023.
Any Additional Information
For “valid consent”, there are several conditions that must be met when obtaining it:
The consent must be freely given and fully informed.
The consent must be explicitly and specifically expressed.
When making a request for consent, the controller must list out the types of personal data, the purposes for which consent is sought, organizations and individuals processing personal data, and the rights and obligations of data subjects. The consent applies only to the specific purpose(s) stated. This language suggests that catch-all consent to all purposes is not allowed.
Furthermore, partial or conditional consent is allowed, but silence or lack of response from the data subject does not constitute valid consent.
Consent for processing the personal data of a missing or deceased person may be obtained from the person’s spouse, children, or parents. If none of these individuals are available, valid consent cannot be obtained.
The consent must also be given in a format that can be printed, copied, or verified, meaning that it must be able to be saved and documented for future reference.
European Union
General Rule: Opt-in
Exception
No Exceptions.
Meaning of Consent
Consent must be:
Freely given,
Informed,
Specific, and
An unambiguous indication of the data subject's wishes.
Consent as a Lawful Ground of Processing
Processing is lawful if and to the extent that at least one of the following applies:
Data subject's consent,
Processing necessary for the performance of a contract with the data subject,
Necessary for compliance with a legal obligation,
Necessary in order to protect the vital interests of the data subject,
Necessary for the public interest or in the exercise of official authority, or
Necessary for the controller's or recipient's legitimate interests, except where overridden by the interests of the data subject.
Specific Cookie Consent Requirement
As per the updated Guidance of the European Data Protection Board on Consent released on 4 May 2020:
Access to a service cannot be made conditional on the user's acceptance of the use of cookies, and
Scrolling, swiping, or any other similar action is insufficient to constitute consent for the use of cookies.
A task force created by the EDPB consolidated the following common denominators involved in interpreting the ePrivacy Directive and the GDPR, with respect to cookie banners, by different data protection authorities:
Only consent can be a lawful basis for reading/depositing non-essential cookies.
There must be visually comparable and prominent ‘reject’ and ‘accept’ buttons on the same layer of the cookie banner.
Pre-ticked options are not compliant.
Colors and contrasts for the cookie banner buttons should not be used in a manner that is misleading to users.
Cookies should be accurately classified.
Relevant Legislation
General Data Protection Regulation.
Any Additional Information
Organizations must maintain updated consent records in order to be able to demonstrate compliance as long as the processing is ongoing.
It should be as easy to withdraw consent as it is to give it. There should be easily accessible solutions that allow users to withdraw consent at any time.
As soon as the user opts out or withdraws consent, organizations must delete their personal data, assuming there is no other purpose justifying the continued retention.
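The three points above (consent records kept while processing is ongoing, withdrawal as easy as giving consent, deletion on withdrawal unless another purpose justifies retention) are easier to reason about with a concrete data model. The following Python consent ledger is an added example written for this page; it is not code from the EDPB guidance, the GDPR or any vendor. It also encodes the cookie-banner point that a pre-ticked box, scrolling or silence is not an affirmative act. The mechanism names (`banner`, `preference_centre`) and the data store layout are assumptions for the illustration.

```python
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool
    at: str         # ISO-8601 UTC timestamp
    mechanism: str  # channel through which the choice was made


@dataclass
class DataStore:
    # subject -> purpose -> personal data processed for that purpose
    personal_data: Dict[str, Dict[str, dict]] = field(default_factory=dict)
    # (subject, purpose) -> a non-consent lawful basis that justifies retention
    other_lawful_basis: Dict[Tuple[str, str], str] = field(default_factory=dict)


class ConsentLedger:
    """Append-only record of consent choices plus the deletion hook."""

    def __init__(self, store: DataStore, grant_mechanisms: Set[str],
                 withdrawal_mechanisms: Set[str]):
        self.store = store
        self.grant_mechanisms = set(grant_mechanisms)
        self.withdrawal_mechanisms = set(withdrawal_mechanisms)
        self.events: Dict[str, List[ConsentEvent]] = {}

    def withdrawal_as_easy(self) -> bool:
        # Every channel that can collect consent must also be able to withdraw it.
        return self.grant_mechanisms <= self.withdrawal_mechanisms

    def _log(self, subject: str, purpose: str, granted: bool,
             mechanism: str, now: Optional[datetime]) -> None:
        at = (now or datetime.now(timezone.utc)).isoformat()
        self.events.setdefault(subject, []).append(
            ConsentEvent(purpose, granted, at, mechanism))

    def give(self, subject: str, purpose: str, mechanism: str,
             affirmative_action: bool, now: Optional[datetime] = None) -> None:
        if mechanism not in self.grant_mechanisms:
            raise ValueError(f"unknown consent mechanism: {mechanism}")
        # Pre-ticked boxes, scrolling or silence do not count as consent.
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action")
        self._log(subject, purpose, True, mechanism, now)

    def withdraw(self, subject: str, purpose: str, mechanism: str,
                 now: Optional[datetime] = None) -> str:
        if mechanism not in self.withdrawal_mechanisms:
            raise ValueError(f"withdrawal not offered via: {mechanism}")
        self._log(subject, purpose, False, mechanism, now)
        # Delete the data held for this purpose unless another basis retains it.
        basis = self.store.other_lawful_basis.get((subject, purpose))
        if basis:
            return f"retained under {basis}"
        self.store.personal_data.get(subject, {}).pop(purpose, None)
        return "deleted"

    def has_consent(self, subject: str, purpose: str) -> bool:
        # The latest event for the purpose decides the current state.
        history = [e for e in self.events.get(subject, []) if e.purpose == purpose]
        return bool(history) and history[-1].granted

    def evidence(self, subject: str, purpose: str) -> List[dict]:
        # The full history is what demonstrates compliance to a supervisory authority.
        return [asdict(e) for e in self.events.get(subject, []) if e.purpose == purpose]
```

Withdrawal is logged before the deletion decision is made, so the record survives even when the underlying data does not; the ledger itself is retained as evidence that consent existed and was later withdrawn.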
Automate Global Consent Compliance with Securiti PrivacyOps
Managing consent is one of the most challenging tasks, especially for organizations with a large user base. Manual practices for obtaining and managing consent can be costly, inefficient, and error-prone.
Capture and orchestrate universal consent across all your channels and applications with Securiti PrivacyOps, integrated with the Data Command Center.
Customize your cookie and consent preference center according to your brand.
Deploy customizable consent collection endpoints integrated with regulatory intelligence.
Automate records of consent for compliance and auditing.