Ready for the new Google Consent Mode v2? Learn more »
News

Requirements for consent layers (LFD Lower Saxony)


a laptop computer on a wooden table

The Lower Saxony State Commissioner for Data Protection has published new guidelines and instructions on how a compliant consent layer should look. The most important information is summarized here.

Many consent tools non-compliant

First, the LDF comes to the realization that many GDPR tools are not GDPR-compliant after all. The use of a consent management tool will usually enable the website to be compliant in order to obtain data protection-compliant consent – but it is up to the website operator to configure the tool correctly.

Practical tip: The default settings for consentmanager are already set to the recommended values. If you are unsure how to set up our tool, simply use the default settings.

No data processing prior to consent

The LDF also makes it clear once again that data processing, ie setting cookies and calling up third-party providers, may only take place if consent has been given (e.g. through a consent banner on the website).

Practical tip: Use our Cookie Crawler conformity test to determine that no cookies are set without consent.

Information in the consent layer

In addition, the LDF once again clarifies which information belongs in a consent banner on the website in order to obtain consent in accordance with data protection regulations. These are in particular:

  • identity of the person responsible,
  • processing purposes,
  • the processed data,
  • the intention of an exclusively automated decision (Art. 22 Para. 2 lit. c) and
  • the intention to transfer data to third countries (Art. 49 para. 1 sentence 1 lit. a)

It is also made clear that the purposes must be specific. Wording like “improving the surfing experience” or “marketing, analysis and personalization” is not sufficient.

The same applies to specifying the partners: it is not sufficient to say that “partners” will process the data – all partners must also be named individually.

Practical tip: The consentmanager already provides most of the required data, but you should check whether the purposes are named sufficiently specifically for your areas of application.

Unambiguous consent and nudging

Finally, the LFD makes it clear that a button must be clearly understandable and clearly labeled. An “Okay” button is not sufficient here and “Accept all” can also be too unclear (if the text does not adequately describe what is accepted).

At the same time, the LFD makes it clear that the so-called “PUR models” (accept advertising or take out a subscription) can be compliant.

The LFD also goes into detail that so-called nudging or dark patterns are not permitted. The point is that the user is consciously or subconsciously pushed to make a decision and thus “free choice” is undermined. This is already the case if, for example, the reject button is designed differently (less conspicuous) or rejection is only possible by clicking on “Settings” or the like.

Practical tip: Always use two buttons (accept and reject) and formulate them clearly.

The complete report of the LFD Lower Saxony can be found here .


more comments

Cookie-Crawler - Standalone-Tool
General, News

Newsletter 11/2024

Cookie Crawler now also available as a standalone tool Our Cookie Crawler is now even more versatile and flexible! From now on, you can also use it as a standalone tool – without having to create a CMP. The standalone option is useful for customers who do not (yet) want to switch their cookie banner […]
consentmanager Cookie-Audit Grafik

Cookie Audit for Websites: Manually or with a Cookie Scanner

As a website owner, you are responsible for your users’ information that is collected and stored by cookies on your website. Any cookie active on your site can potentially cause privacy issues, especially if it is not used for its intended purpose or, more critically, if it is stored in your users’ browsers without their […]