The Lower Saxony State Commissioner for Data Protection has published new guidelines and instructions on how a compliant consent layer should look. The most important information is summarized here.
Many consent tools non-compliant
First, the LDF comes to the realization that many GDPR tools are not GDPR-compliant after all. The use of a consent management tool will usually enable the website to be compliant in order to obtain data protection-compliant consent – but it is up to the website operator to configure the tool correctly.
Practical tip: The default settings for consentmanager are already set to the recommended values. If you are unsure how to set up our tool, simply use the default settings.
No data processing prior to consent
The LDF also makes it clear once again that data processing, ie setting cookies and calling up third-party providers, may only take place if consent has been given (e.g. through a consent banner on the website).
Practical tip: Use our Cookie Crawler conformity test to determine that no cookies are set without consent.
Information in the consent layer
In addition, the LDF once again clarifies which information belongs in a consent banner on the website in order to obtain consent in accordance with data protection regulations. These are in particular:
- identity of the person responsible,
- processing purposes,
- the processed data,
- the intention of an exclusively automated decision (Art. 22 Para. 2 lit. c) and
- the intention to transfer data to third countries (Art. 49 para. 1 sentence 1 lit. a)
It is also made clear that the purposes must be specific. Wording like “improving the surfing experience” or “marketing, analysis and personalization” is not sufficient.
The same applies to specifying the partners: it is not sufficient to say that “partners” will process the data – all partners must also be named individually.
Practical tip: The consentmanager already provides most of the required data, but you should check whether the purposes are named sufficiently specifically for your areas of application.
Unambiguous consent and nudging
Finally, the LFD makes it clear that a button must be clearly understandable and clearly labeled. An “Okay” button is not sufficient here and “Accept all” can also be too unclear (if the text does not adequately describe what is accepted).
At the same time, the LFD makes it clear that the so-called “PUR models” (accept advertising or take out a subscription) can be compliant.
The LFD also goes into detail that so-called nudging or dark patterns are not permitted. The point is that the user is consciously or subconsciously pushed to make a decision and thus “free choice” is undermined. This is already the case if, for example, the reject button is designed differently (less conspicuous) or rejection is only possible by clicking on “Settings” or the like.
Practical tip: Always use two buttons (accept and reject) and formulate them clearly.
The complete report of the LFD Lower Saxony can be found here .