Ready for the new Google Consent Mode v2?Jetzt mehr erfahren »

Requirements for consent layers (LFD Lower Saxony)

a laptop computer on a wooden table

The Lower Saxony State Commissioner for Data Protection has published new guidelines and instructions on how a compliant consent layer should look. The most important information is summarized here.

Many consent tools non-compliant

First, the LDF comes to the realization that many GDPR tools are not GDPR-compliant after all. The use of a consent management tool will usually enable the website to be compliant in order to obtain data protection-compliant consent – but it is up to the website operator to configure the tool correctly.

Practical tip: The default settings for consentmanager are already set to the recommended values. If you are unsure how to set up our tool, simply use the default settings.

No data processing prior to consent

The LDF also makes it clear once again that data processing, ie setting cookies and calling up third-party providers, may only take place if consent has been given (e.g. through a consent banner on the website).

Practical tip: Use our Cookie Crawler conformity test to determine that no cookies are set without consent.

Information in the consent layer

In addition, the LDF once again clarifies which information belongs in a consent banner on the website in order to obtain consent in accordance with data protection regulations. These are in particular:

  • identity of the person responsible,
  • processing purposes,
  • the processed data,
  • the intention of an exclusively automated decision (Art. 22 Para. 2 lit. c) and
  • the intention to transfer data to third countries (Art. 49 para. 1 sentence 1 lit. a)

It is also made clear that the purposes must be specific. Wording like “improving the surfing experience” or “marketing, analysis and personalization” is not sufficient.

The same applies to specifying the partners: it is not sufficient to say that “partners” will process the data – all partners must also be named individually.

Practical tip: The consentmanager already provides most of the required data, but you should check whether the purposes are named sufficiently specifically for your areas of application.

Unambiguous consent and nudging

Finally, the LFD makes it clear that a button must be clearly understandable and clearly labeled. An “Okay” button is not sufficient here and “Accept all” can also be too unclear (if the text does not adequately describe what is accepted).

At the same time, the LFD makes it clear that the so-called “PUR models” (accept advertising or take out a subscription) can be compliant.

The LFD also goes into detail that so-called nudging or dark patterns are not permitted. The point is that the user is consciously or subconsciously pushed to make a decision and thus “free choice” is undermined. This is already the case if, for example, the reject button is designed differently (less conspicuous) or rejection is only possible by clicking on “Settings” or the like.

Practical tip: Always use two buttons (accept and reject) and formulate them clearly.

The complete report of the LFD Lower Saxony can be found here .

more comments


Newsletter 02/2024

DSA came into force: Does the Digital Services Act apply to your company?  In our latest article, we look at the critical updates and expanded obligations for more online sites brought about by the Digital Services Act (DSA), a key component of the EU Commission’s ‘Europe fit for the digital age’ initiative. The DSA has […]
Digital Services Act

Does the Digital Services Act (DSA) also apply to your company? Online platforms have additional obligations

The Digital Services Act sets additional transparency requirements for online platforms. The definition of an online platform under the DSA may apply to your business. As a result, you may be required to comply with the additional transparency requirements of the DSA. Read on to find out if your business falls into this category and […]