Legal definitions of consent vary by law and jurisdiction. But in the context of data privacy and data rights, similarities emerge across legal frameworks. In the broadest terms possible, consent is when a user gives his or her permission for tracking or data processing. However, many laws, like the GDPR, differentiate between valid consent, which is necessary for data processing, and implicit consent, which is considered illegitimate.
Valid consent must be informed, unambiguous, and given freely. In other words, the user must be informed exactly what they are consenting to and must be presented with a clear choice to opt-in or out of tracking and data processing, without coercion. Equally important, a user who had previously consented must be allowed to withdraw consent at a later time without penalty.
Implicit consent is consent that is assumed without the explicit permission of the user. For example, a website that forces the user to accept tracking cookies in order to access content, or one that opts a user in when the user navigates away from the consent banner without accepting or denying cookies, is relying on implicit consent.
Four Kinds of Consent Banners
Your consent banner approach will largely depend on the regulatory jurisdictions your business operates in. Consent requirements vary widely between different nations, and even between different states. The GDPR in Europe and the PIPL in China have stricter requirements (and harsher penalties) than most. In the US, California’s CCPA is the strictest legislation but is less stringent than GDPR on consumer consent.
For organizations operating internationally, or even transnationally, it’s a good idea to localize consent banners, so that users are always served a banner that is compliant with their local regulation.
We can break down the primary methods of consent delivery into four categories:
Cookie Wall Consent
A Cookie Wall, or tracking wall, is very similar to notice-only consent but requires the users of a website to ‘agree’ or ‘accept’ cookies, tracking, and/or data processing in order to use the website. A cookie wall does not give the user an opportunity to reject tracking and data processing and is considered illegitimate consent under many regulations, including the GDPR, under which cookie walls are a non-compliant approach to consent management.
Opt-Out Consent
An opt-out consent banner informs visitors of the cookies and tracking technologies your website uses and gives them an option to opt out of either all or some tracking and data processing. Typically, the user is opted in by default and has to take manual action to opt out. For example, they may need to uncheck several boxes to opt out of different cookies and trackers. Opt-out consent banners are not compliant with the GDPR but are allowed under the CCPA and LGPD.
Opt-In Consent
An opt-in consent banner informs your visitors of the tracking technologies in use by your website and gives them distinct options to either reject all non-essential cookies or accept all cookies. The user is opted out by default and must take explicit action to consent to tracking or data processing. This consent model is compliant with the GDPR.
What Makes a CCPA Compliant Consent Banner?
The California Consumer Privacy Act (CCPA) gives California consumers the right to know when their data is being collected, what information is being collected, and how that data is being used but does not require opt-in consent. However, the CCPA requires organizations to provide a “Do Not Sell” button that gives users the option to opt-out of the sale of their personal data.
What Makes a GDPR Compliant Consent Banner?
The General Data Protection Regulation (GDPR) has a much stricter set of consent requirements. A user’s consent must be gathered before any cookies, aside from strictly necessary performance cookies, can be fired. Furthermore, the user must be given information about the specific purpose of each tracking cookie, as well as the data it collects before granting consent. Once the user has granted consent, the data processor must document and store that consent, and enforce the user’s wishes. Finally, it must be possible for the user to withdraw consent at any time.
Beyond Consent: Enforcement is Key
Consent is a crucial piece of global privacy laws like the GDPR, CCPA, LGPD, and PIPL, but compliance doesn’t end with consent. In order to maintain compliance, user preferences must be upheld and enforced. That means if a user opts out of tracking, no tracking cookies may be fired, whether first- or third-party. Likewise, in GDPR jurisdictions, tracking may not occur prior to opt-in.
Unfortunately, there are many Consent Management Platforms that fall short of this requirement. Most commercial CMP solutions employ a series of APIs that rely on the orchestrated cooperation of third parties to ensure that a user’s privacy selections are respected.
This chain of transmitted preferences is often non-compliant in and of itself, as it relies on sending information about a user and their opt-in/opt-out preferences to other parties. In our research, we’ve discovered that many CMP implementations often allow first or even third-party cookies to fire even after a customer has opted-out of tracking. This is a clear violation of GDPR guidelines on consent management.
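To make the requirements above concrete, here is an added example (not Ensighten code, and not a description of CMP+) of the minimum logic a page would need to enforce consent itself rather than delegating it to third parties. It models the points the GDPR and enforcement sections list: an opt-in default that blocks every non-essential tag until the user decides, an opt-out default for CCPA/LGPD-style jurisdictions, per-purpose decisions, a timestamped record of each decision, withdrawal at any time, and an audit that flags cookies observed on the page without matching consent. The purpose names, the tag registry, the two-model mapping and the observed-cookie list are assumptions constructed for the example.

```javascript
// Added example: in-memory consent store, tag-firing gate and audit check.
// Purposes, tags and cookie samples below are constructed for illustration.

const PURPOSES = ["analytics", "advertising", "personalisation"];

// Consent model (assumption): "opt-in" mirrors the GDPR default where nothing
// non-essential is allowed until the user says yes; "opt-out" mirrors the
// CCPA/LGPD default where processing is allowed until the user says no.
function createConsentState(model, now = () => Date.now()) {
  if (model !== "opt-in" && model !== "opt-out") {
    throw new Error(`unknown consent model: ${model}`);
  }
  const granted = {};
  for (const p of PURPOSES) granted[p] = model === "opt-out";
  return { model, granted, history: [], now };
}

// Record an explicit per-purpose decision. The history is the documented,
// timestamped consent record a processor must be able to produce later.
function recordDecision(state, decisions) {
  for (const [purpose, allowed] of Object.entries(decisions)) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    state.granted[purpose] = Boolean(allowed);
  }
  state.history.push({ at: state.now(), decisions: { ...decisions } });
  return state;
}

// Withdrawal must be possible at any time; it is simply a blanket "no"
// recorded like any other decision.
function withdrawAll(state) {
  const decisions = {};
  for (const p of PURPOSES) decisions[p] = false;
  return recordDecision(state, decisions);
}

// Tag registry (constructed): every tag declares the single purpose it serves.
// Tags marked "necessary" are strictly necessary and are never gated.
const TAGS = [
  { id: "session-cookie", purpose: "necessary" },
  { id: "web-analytics", purpose: "analytics" },
  { id: "ad-pixel", purpose: "advertising" },
];

// The gate: a tag may fire only if its purpose is currently granted.
function mayFire(state, tag) {
  if (tag.purpose === "necessary") return true;
  return state.granted[tag.purpose] === true;
}

// Enforcement: the ids of tags the page is allowed to load right now.
// A real page would call this before injecting any script or pixel.
function allowedTags(state, tags = TAGS) {
  return tags.filter((t) => mayFire(state, t)).map((t) => t.id);
}

// Audit: compare cookies actually observed on the page with the consent
// state. `observed` is a list of { name, purpose, party }; in practice you
// would build it from document.cookie plus a cookie-name-to-purpose map.
function findViolations(state, observed) {
  return observed
    .filter((c) => c.purpose !== "necessary" && state.granted[c.purpose] !== true)
    .map((c) => `${c.party} cookie "${c.name}" set without consent for ${c.purpose}`);
}

module.exports = { PURPOSES, TAGS, createConsentState, recordDecision, withdrawAll, mayFire, allowedTags, findViolations };
```

The audit function is the check worth running on a live page after an opt-out: anything it returns is a cookie that fired despite the user's choice, which is exactly the failure mode described above.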
Robust Consent Enforcement with Ensighten CMP+
Truly compliant solutions should work autonomously, with no dependencies on other systems, to enforce the privacy choices of users.
Ensighten’s CMP+ takes control of a website, app, or digital asset and fundamentally changes how the page is rendered based on the user’s preferences.
With Ensighten Consent Management Plus (CMP+), you can set up geo-targeted consent banners and give your customers a clear-cut choice on how their data is used, or whether it is collected. And you can enforce those preferences.
Request a demo to see how Ensighten can help your organization meet its compliance goals.