Everything You Need to Know About Consent Banners and Cookie Compliance

September 24, 2021 - Jeff Edwards

Legal definitions of consent vary by law and jurisdiction. But in the context of data privacy and data rights, similarities emerge across legal frameworks. In the broadest terms possible, consent is when a user gives his or her permission for tracking or data processing. However, many laws, like the GDPR, differentiate between valid consent, which is necessary for data processing, and implicit consent, which is considered illegitimate.

Valid consent must be informed, unambiguous, and given freely. In other words, the user must be informed exactly what they are consenting to and must be presented with a clear choice to opt-in or out of tracking and data processing, without coercion. Equally important, a user who had previously consented must be allowed to withdraw consent at a later time without penalty.

Implicit consent is consent that is assumed without the explicit permission of the user, for example when a website forces the user to accept tracking cookies to access content, or opts the user in when they navigate away from the consent banner without accepting or denying cookies.

Four Kinds of Consent Banners

Your consent banner approach will largely depend on the regulatory jurisdictions your business operates in. Consent requirements vary widely between different nations, and even between different states. The GDPR in Europe and the PIPL in China have stricter requirements (and harsher penalties) than most. In the US, California’s CCPA is the strictest legislation but is less stringent than GDPR on consumer consent.

For organizations operating internationally, or even transnationally, it’s a good idea to localize consent banners, so that users are always served a banner that is compliant with their local regulation.

We can break down the primary methods of consent delivery into four categories:

Notice-Only Consent

Notice-only consent banners inform users that your website uses cookies, and may or may not inform them of the purpose of the cookies in use, but do not offer the user the ability to opt out. By continuing to use your website, users are submitting their implicit consent to tracking. This approach is popular in the United States but is not compliant with the consent requirements set forth in the GDPR and similar regulations like the PIPL.

Cookie Wall Consent

A Cookie Wall, or a tracking wall, is very similar to notice-only consent but requires the users of a website to ‘agree’ or ‘accept’ cookies, tracking, and/or data processing in order to use the website. A cookie wall does not give the user an opportunity to reject tracking and data processing and is considered illegitimate consent under many regulations, such as the GDPR, under which cookie walls are a non-compliant approach to consent management.

Opt-Out Consent

An opt-out consent banner informs visitors of the cookies and tracking technologies your website uses and gives them an option to opt out of all or some tracking and data processing. Typically, the user is opted in by default and has to take manual action to opt out. For example, they may need to uncheck several boxes to opt out of different cookies and trackers. Opt-out consent banners are not compliant with the GDPR but are allowed under the CCPA and LGPD.

Opt-In Consent

An opt-in consent banner informs your visitors of the tracking technologies in use by your website and gives them distinct options to either reject all non-essential cookies or accept all cookies. The user is opted out by default and must take explicit action to consent to tracking or data processing. This consent model is compliant with the GDPR.

What Makes a CCPA Compliant Consent Banner?

The California Consumer Privacy Act (CCPA) gives California consumers the right to know when their data is being collected, what information is being collected, and how that data is being used but does not require opt-in consent. However, the CCPA requires organizations to provide a “Do Not Sell” button that gives users the option to opt-out of the sale of their personal data.

What Makes a GDPR Compliant Consent Banner?

The General Data Protection Regulation (GDPR) has a much stricter set of consent requirements. A user’s consent must be gathered before any cookies, aside from strictly necessary performance cookies, can be fired. Furthermore, the user must be given information about the specific purpose of each tracking cookie, as well as the data it collects before granting consent. Once the user has granted consent, the data processor must document and store that consent, and enforce the user’s wishes. Finally, it must be possible for the user to withdraw consent at any time.

Beyond Consent: Enforcement is Key

Consent is a crucial piece of global privacy laws like the GDPR, CCPA, LGPD, and PIPL, but compliance doesn’t end with consent. In order to maintain compliance, user preferences must be upheld and enforced. That means if a user opts out of tracking, no tracking cookies may be fired, whether first or third-party. Likewise, in GDPR jurisdictions, tracking may not occur prior to opt-in.

Unfortunately, there are many Consent Management Platforms that fall short of this requirement. Most commercial CMP solutions employ a series of APIs that rely on the orchestrated cooperation of third parties to ensure that a user’s privacy selections are respected.

This complex chain of preference transmission is often non-compliant in and of itself, as it relies on sending information about the user and their opt-in/opt-out preferences to those third parties. In our research, we’ve discovered that many CMP implementations allow first or even third-party cookies to fire even after a customer has opted out of tracking. This is a clear violation of GDPR guidelines on consent management.
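As an added illustration (not Ensighten’s code, nor any particular CMP’s), here is a minimal opt-in consent gate that runs only the tags whose purpose the user has granted, denies unknown tags by default, keeps the consent record described in the GDPR section above, and flags any cookie present on the page that consent does not cover. The tag and cookie names in the catalogue are constructed.

```javascript
// Added example, not Ensighten's code: a purpose-based opt-in consent gate.
const NECESSARY = "necessary"; // strictly necessary purpose: never needs consent

// Constructed catalogue mapping each tag or cookie to the purpose it serves.
const CATALOGUE = {
  session_id:   { purpose: NECESSARY,   kind: "cookie" },
  _analytics:   { purpose: "analytics", kind: "cookie" },
  analytics_js: { purpose: "analytics", kind: "script" },
  ad_pixel:     { purpose: "marketing", kind: "script" },
};

class ConsentGate {
  constructor(policyVersion, clock = () => new Date().toISOString()) {
    this.policyVersion = policyVersion; // which banner text the user saw
    this.clock = clock;
    this.granted = new Set();           // opt-in: empty until the user acts
    this.log = [];                      // the consent record GDPR requires
  }
  record(action, purposes) {
    this.log.push({ action, purposes: [...purposes],
                    policyVersion: this.policyVersion, at: this.clock() });
  }
  grant(purposes)    { purposes.forEach((p) => this.granted.add(p));    this.record("grant", purposes); }
  withdraw(purposes) { purposes.forEach((p) => this.granted.delete(p)); this.record("withdraw", purposes); }

  // A tag may run only if it is strictly necessary or its purpose was granted.
  // Unknown tags are denied: fail closed rather than leak by default.
  mayFire(id) {
    const entry = CATALOGUE[id];
    if (!entry) return false;
    return entry.purpose === NECESSARY || this.granted.has(entry.purpose);
  }

  // Gate a page's tag list: run what is permitted, return what was blocked.
  loadTags(ids, run) {
    const blocked = [];
    for (const id of ids) { if (this.mayFire(id)) run(id); else blocked.push(id); }
    return blocked;
  }

  // Enforcement check: cookies present on the page that consent does not cover
  // (the leak the text describes when a CMP relies on third parties to comply).
  cookiesWithoutConsent(cookieNames) {
    return cookieNames.filter((name) => !this.mayFire(name));
  }
}
```

In a browser, `cookiesWithoutConsent` would be fed the names parsed from `document.cookie` after page load; a non-empty result means a tag fired without consent.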

Robust Consent Enforcement with Ensighten CMP+

Truly compliant solutions should work autonomously, with no dependencies on other systems, to enforce the privacy choices of users.

Ensighten’s CMP+ takes control of a website, app, or digital asset and fundamentally changes how the page is rendered based on the user’s preferences.

If a user has opted out of having her data used for the purposes of analytics, Ensighten does not attempt to integrate with the analytics platform that would otherwise receive data. It does not drop a cookie signaling that the user would prefer not to be tracked.

Instead, Ensighten blocks all traffic to the analytics company outright, making it impossible for mistakes to happen or for a company to leak information to a third party because an integration did not behave as expected.

With Ensighten Consent Management Plus (CMP+), you can set up geo-targeted consent banners and give your customers a clear-cut choice on how their data is used, or whether it is collected. And you can enforce those preferences.

Request a demo to see how Ensighten can help your organization meet its compliance goals.

Jeff Edwards

Jeff Edwards is a tech writer and analyst with six years of experience covering compliance, information security, and IT. Jeff previously worked as a reporter covering Boston City Hall.
