Ready for the new Google Consent Mode v2? Learn more »

Requirements for consent layers (LFD Lower Saxony)

a laptop computer on a wooden table

The Lower Saxony State Commissioner for Data Protection has published new guidelines and instructions on how a compliant consent layer should look. The most important information is summarized here.

Many consent tools non-compliant

First, the LDF comes to the realization that many GDPR tools are not GDPR-compliant after all. The use of a consent management tool will usually enable the website to be compliant in order to obtain data protection-compliant consent – but it is up to the website operator to configure the tool correctly.

Practical tip: The default settings for consentmanager are already set to the recommended values. If you are unsure how to set up our tool, simply use the default settings.

No data processing prior to consent

The LDF also makes it clear once again that data processing, ie setting cookies and calling up third-party providers, may only take place if consent has been given (e.g. through a consent banner on the website).

Practical tip: Use our Cookie Crawler conformity test to determine that no cookies are set without consent.

Information in the consent layer

In addition, the LDF once again clarifies which information belongs in a consent banner on the website in order to obtain consent in accordance with data protection regulations. These are in particular:

  • identity of the person responsible,
  • processing purposes,
  • the processed data,
  • the intention of an exclusively automated decision (Art. 22 Para. 2 lit. c) and
  • the intention to transfer data to third countries (Art. 49 para. 1 sentence 1 lit. a)

It is also made clear that the purposes must be specific. Wording like “improving the surfing experience” or “marketing, analysis and personalization” is not sufficient.

The same applies to specifying the partners: it is not sufficient to say that “partners” will process the data – all partners must also be named individually.

Practical tip: The consentmanager already provides most of the required data, but you should check whether the purposes are named sufficiently specifically for your areas of application.

Unambiguous consent and nudging

Finally, the LFD makes it clear that a button must be clearly understandable and clearly labeled. An “Okay” button is not sufficient here and “Accept all” can also be too unclear (if the text does not adequately describe what is accepted).

At the same time, the LFD makes it clear that the so-called “PUR models” (accept advertising or take out a subscription) can be compliant.

The LFD also goes into detail that so-called nudging or dark patterns are not permitted. The point is that the user is consciously or subconsciously pushed to make a decision and thus “free choice” is undermined. This is already the case if, for example, the reject button is designed differently (less conspicuous) or rejection is only possible by clicking on “Settings” or the like.

Practical tip: Always use two buttons (accept and reject) and formulate them clearly.

The complete report of the LFD Lower Saxony can be found here .

more comments

Webinar mit Google: Google Consent Mode v2 verstehen und nahtlos integrieren

Webinar with Google: Understanding and seamlessly integrating Google Consent Mode v2

Due to the high demand for information on setting up and dealing with the new requirements of Google Consent Mode v2, consentmanager and Google have organized another webinar on this topic on June 12, 2024. The webinar took place in German. You missed it? No problem! The PDF of the webinar can be downloaded here […]

Newsletter 05/2024

New integration for Slack, MS Teams and more With the current update, a new integration function for Slack, MS Teams, Zapier and n8n is now available in the system. The function conveniently notifies you in Slack, Teams or any other tool about important changes and news (e.g. new cookies found) in your CMP account. You […]