Don‘t bring a 2018 consent dialog to the Europe of 2023

Ever wonder why some consent dialogs (or “cookie banners”) have a “reject all” button, while others don‘t? The answer requires a little European history. Don‘t worry, we won‘t have to go back too far, just five years or so, to 2018. That‘s when the countries of the European Union began enforcing the General Data Protection Regulation (GDPR), which at the time was a groundbreaking change in how any company doing business in Europe has to approach user privacy.

In the early days of GDPR, web publishers, along with the service providers who help their sites work, were still trying to understand the law. Companies came up with a variety of interpretations. Some companies took a cautious approach to confirming consent for everything. Some sites blocked European users entirely. Some companies decided that certain uses of personal data did not require consent at all. But many web publishers and consent management platforms settled on a common pattern for consent dialogs: one easy button to click to consent to everything, along with another button that starts a more complicated process to deny consent.

In hindsight, looking back to 2018, many sites took approaches to GDPR compliance that, now that we understand the GDPR better, don‘t seem to hold up anymore. Since the early days, two big changes have affected our understanding of the GDPR. First has been the emergence of helpful sites like Intersoft Consulting‘s gdpr-info.eu, along with documentation offered by consent management platforms (CMPs) and other service providers. It has gotten a lot easier to understand what the GDPR requires of you—whether you operate a website, a service provider, or some other kind of company. For example,

Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis. The element “free” implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid.

The other big change happened when a privacy organization called NOYB organized a campaign to notify sites of out-of-compliance consent dialogs, and then follow up with official complaints about sites that failed to bring their consent dialogs into compliance. Most companies who got a notice just fixed their consent dialogs on their own. But NOYB did end up filing a stack of complaints with Data Protection Authorities (DPAs), which are the national regulators responsible for enforcing the GDPR. Several DPAs have responded by issuing guidance for their own countries on how to make a GDPR-compliant consent dialog.

The guidance from Germany is Cookies und Tracking – Hilfestellung für Betreiber von Internet-Angeboten (summary in English at Cookie Update: New Cookie Rules in Germany – New Guidelines of the German Supervisory Authorities). The regulatory agency in France explains their policy in Refusing cookies should be as easy as accepting them: the CNIL continues its action and issues new orders. The most obvious feature of a compliant consent dialog for France and Germany is that it has equally easy ways to give consent and refuse consent. Recently, as reported in TechCrunch, the European Data Protection board issued a draft report on how consent dialogs can comply with the GDPR. The advice in that report is similar. While the DPA decisions apply only at the national level, and the report is still at the draft stage, more and more sites with consent dialogs are adding equally easy ways to consent and refuse.

How are we managing it for publishers? It‘s a two-part task. First, we keep up with changes to the regulations as they happen. Second, we configure the consent management platform—the software that creates the consent dialog and passes consent information to other software—to match the regulations as they apply in each country. CafeMedia applies the best available consent settings, so the dialog may look different from country to country. Currently, not all EU countries require the same options, but that may change in the near future. Keeping up with the latest in European privacy trends can be a big deal, but it is one of many tasks that we handle for publishers.