215 Matching Annotations
  1. Last 7 days
  2. May 2020
    1. Organizations must be transparent on the purpose of the data collection and consent must be “explicit and freely given”. This means that the mechanism for acquiring consent must be unambiguous and involve a clear “opt-in” action (the regulation specifically forbids pre-ticked boxes and similar “opt-out” mechanisms)
    2. In order to comply with privacy laws, especially the GDPR, companies need to store proof of consent so that they can demonstrate that consent was collected. These records must show: when consent was provided; who provided the consent; what their preferences were at the time of the collection; which legal or privacy notice they were presented with at the time of the consent collection; which consent collection form they were presented with at the time of the collection.
    3. Because consent under the GDPR is such an important issue, it’s mandatory that you keep clear records and that you’re able to demonstrate that the user has given consent; should problems arise, the burden of proof lies with the data controller, so keeping accurate records is vital.
    4. Keeping comprehensive records that include a user ID and the data submitted together with a timestamp. You also keep a copy of the version of the data-capture form and any other relevant documents in use on that date.
    1. Many also question how the average user with little knowledge of the GDPR will react to being asked so many questions regarding consent. Will they be confused? Probably at first. It will be up to each business to create a consent form that is easy to understand, while being at the same time comprehensive and informative
    2. Like all other consent under the GDPR, consenting to cookies needs to be a clear affirmative action. An example is clicking through an opt-in box or choosing settings from the menu. Pay attention to not have pre-ticked boxes on the consent form!
    1. The GDPR requires consent to be opt-in. It defines consent as “freely given, specific, informed and unambiguous” given by a “clear affirmative action.” It is not acceptable to assign consent through the data subject’s silence or by supplying “pre-ticked boxes.”
    1. These options have almost deceptively similar wordings, with only a subtle difference that is too hard to spot at a glance (it takes a detailed comparison, which is fatiguing for a user):

      1. can use your browser’s information for providing advertising services for this website and for their own purposes.
      2. cannot use your browser’s information for purposes other than providing advertising services for this website.

      If you rewrite them to use consistent, easy-to-compare wording, then you can see the difference a little easier:

      1. can use your browser’s information for providing advertising services for this website and for their own purposes.
      2. can use your browser’s information for providing advertising services for this website <del>and for their own purposes</del>.

      Standard Advertising Settings

      This means our ad partners can use your browser’s information for providing advertising services for this website and for their own purposes.

      Do Not Share My Information other than for ads on this website

      This means that our ad partners cannot use your browser’s information for purposes other than providing advertising services for this website.

    1. The iubenda Cookie Solution features a JS API for easy interaction with some of its main functions.
    2. In particular, if you set this parameter to true, our solution creates a technical cookie on iubenda.com (domain) which is used when the cookie on the local domain is not found.
    1. In practice, the TCF provides a standardized process for getting users’ informed consent and allows the seamless signaling of users’ consent preferences across the advertising supply chain.
    1. Sure, anti-spam measures such as a CAPTCHA would certainly fall under "legitimate interests". But would targeting cookies? The gotcha with reCAPTCHA is that this legitimate-interest, quite-necessary-in-today's-world feature is inextricably bundled with unwanted and unrelated Google targeting (cookiepedia.co.uk/cookies/NID) cookies (_ga, _gid for v2; NID for v3).
    2. Many 3rd parties have some magic parameter which blocks the cookie, but doesn't block the functionality of the element, and I'm looking for something like that. For example the brightcove player has a data attribute. Video is working, cookies are not set.
    1. Explicit Form (where the purpose of the sign-up mechanism is unequivocal). So for example, in a scenario where your site has a pop-up window that invites users to sign up to your newsletter using a clear phrase such as: “Subscribe to our newsletter for access to discount vouchers and product updates!“, the affirmative action that the user performs by typing in their email address would be considered valid consent.
    2. Make it clear that signing up is optional. Consent must be “freely given”; you may not coerce users into joining your mailing list or make it appear as if joining the list is mandatory. For this reason, you must make it clear that signing up is optional. This is especially relevant in cases where you offer free white-papers (or e-books) for download. While the user’s email address is required for the delivery of the service, signing up for your newsletter is not. In such a case, you must not make it appear as if signing up to the newsletter list is mandatory and must make it clear that it is optional.

      Question (answer below)

      Are they saying that it's not allowed to make signing up for a mailing list a precondition/requirement for anything? This was surprising to me.

      So if you have a newsletter sign-up page that sends a digital bonus gift (like an e-book) to new subscribers, are you required to completely change/repurpose your "newsletter sign-up page" into a "download e-book page" (that has an optional checkbox to also sign up for the newsletter, if you want)? That seems dumb to me, since it requires completely reversing the purpose of the page — which was, in my mind, primarily about signing up for the newsletter, with a bonus (an essentially optional one) thrown in for those who do so. Are you required to either repurpose it like that or remove the free bonus offer that would be sent to new subscribers?

      The irony of this is that it requires websites that have a newsletter sign-up page like that to change it into a "newsletter sign-up page" where the newsletter sign-up part is optional. Which makes you look kind of stupid, making a page that claims to be one thing but doesn't necessarily do what it says it's for.

      Does this mean, in effect, that you may not lawfully provide any sort of incentive or reward for signing up for something (like a mailing list)? As long as it's very clear that some action is required before delivery of some thing, I don't see why this sort of thing should not be permitted? Would this fall under contract law? And as such, wouldn't such a contract be allowed and valid? Are mailing lists a special class of [service] that has special requirements like this? Or is it part of a broader category to which this requirement applies more generally?

      Why is requiring the user to provide an email address before they can download a digital reward allowed but not requiring signing up to a mailing list? Why isn't it required that even the email address be optional to provide? (To answer my own question, probably because it's allowed to allow a user to request a specific thing to be sent via email, and an email address is required in order to fulfill that request. But...) It seems that the website could just provide a direct link to download it via HTTP/FTP/etc. as an option for users that chose not to provide an email address. (But should they be required to provide that option anytime they / just because they provide the option to have the same thing delivered via email?)

      Answer

      Looks like my question was answered below:

      Explicit Form (where the purpose of the sign-up mechanism is unequivocal). So for example, in a scenario where your site has a pop-up window that invites users to sign up to your newsletter using a clear phrase such as: “Subscribe to our newsletter for access to discount vouchers and product updates!“, the affirmative action that the user performs by typing in their email address would be considered valid consent.

      So the case I described, where it is made very clear that the incentive that is offered is conditional on subscribing, is listed as an exception to the general rule. That's good; it should be allowed.

    3. there’s no need to send consent request emails — provided that this basis of processing was stated in your privacy policy and that users had easy access to the notice prior to you processing their data. If this information was not available to users at the time, but one of these legal bases can currently legitimately apply to your situation, then your best bet would be to ensure that your current privacy notice meets requirements, so that you can continue to process your user data in a legally compliant way.
    4. Here’s why sending GDPR consent emails is tricky and should be handled very carefully.
    5. In cases where you want to send more than one type of email to your users, you’re required to get additional consent specific to those uses as you must have multiple consents for multiple purposes.
    6. In the case of DEM communications, you must obtain additional consent if also sending emails about third-party products/services in addition to your own.
    7. Under the FTC’s CAN-SPAM Act, you do not need consent prior to adding users located in the US to your mailing list or sending them commercial messages, however, it is mandatory that you provide users with a clear means of opting out of further contact.
    1. To ensure that this information is conveyed in a manner that remains clear, concise and not unnecessarily disruptive, the use of layered and just-in-time notices should be favored. However, it is important to note that the initial layer contain all of the key information needed for there to be an informed choice.
    2. Consent receipt mechanisms can be especially helpful in automatically generating such records.
    3. it has been inferred by many that the validity of consent could degrade over time
    4. make it as easy to withdraw consent as to give it. The latter gets particularly interesting when considering that in some contexts, consent may be obtained “through only one mouse-click, swipe or keystroke” and therefore “data subjects must, in practice, be able to withdraw that consent equally as easily” per the WP29.

      It seems, then, that one should be careful to not make it too easy to opt in to something unless you are prepared to accept the liability for making it just as easy to opt out (which may be technically challenging).

    5. it is a question of balance — if one mouse-click was all it took to consent, is it appropriate to require a phone call during business hours to withdraw that consent? Probably not.
    6. you may consider using tools that provide visibility into your organization’s various processing activities and how they change over time, allow for reminders to be set for refreshing consent at regular intervals, and that provide data subjects with the ability to directly control their consent preferences.
    7. Where a processing activity is necessary for the performance of a contract.

      Would a terms of service agreement be considered a contract in this case? So can you just make your terms of service basically include consent or implied consent?

    8. “Is consent really the most appropriate legal basis for this processing activity?” It should be taken into account that consent may not be the best choice in the following situations:
    1. “Until CR 1.0 there was no effective privacy standard or requirement for recording consent in a common format and providing people with a receipt they can reuse for data rights.  Individuals could not track their consents or monitor how their information was processed or know who to hold accountable in the event of a breach of their privacy,” said Colin Wallis, executive director, Kantara Initiative.  “CR 1.0 changes the game.  A consent receipt promises to put the power back into the hands of the individual and, together with its supporting API — the consent receipt generator — is an innovative mechanism for businesses to comply with upcoming GDPR requirements.  For the first time individuals and organizations will be able to maintain and manage permissions for personal data.”
    2. CR 1.0 is an essential specification for meeting the proof of consent requirements of GDPR to enable international transfer of personal information in a number of applications.
    3. Much like a retailer giving a customer a cash register receipt as a personal record of a purchase transaction, an organization using CR 1.0 will create a record of a consent transaction and give it to the individual. This transaction record is called a consent receipt.
    4. CR 1.0 can be used by people to communicate consent and the sharing of personal information once it is provided.
    5. Its purpose is to decrease the reliance on privacy policies and enhance the ability for people to share and control personal information.
    6. Kantara’s CR 1.0 specification provides a common standard digital format for providing a record to consumers about privacy and what people have consented to.  The creation and implementation of this standardized format will promote consistent, machine and human understandable consent practices, support consent management interoperability between systems internationally and enable proof of scalable consent.
    1. It’s useful to remember that under GDPR regulations consent is not the ONLY reason that an organization can process user data; it is only one of the “Lawful Bases”, therefore companies can apply other lawful (within the scope of GDPR) bases for data processing activity. However, there will always be data processing activities where consent is the only or best option.
    1. Under the FTC’s CAN-SPAM Act, you do not need consent prior to adding users located in the US to your mailing list or sending them commercial messages, however, it is mandatory that you provide users with a clear means of opting out of further contact.
    2. Under EU law (namely the GDPR) it is mandatory that you obtain the informed consent of the user before subscribing them to the service. Under EU regulations, acquiring consent can be considered a two-part process that includes informing the user and obtaining verifiable consent via an affirmative action.
    3. The banner is not necessarily required in this specific instance if the cookie policy is easily accessible and visible from every page of the site.
    4. A real-world example of this would be an e-commerce site that allows users to “hold” items in their cart while they’re using the site or for the duration of a session. In this scenario, the technical cookies are both necessary for the functioning of the purchasing service and are explicitly requested by the user when they indicate that they would like to add the item to the cart. Do note, however, that these session-based technical cookies are not tracking cookies.

      I'm not sure I agree with this:

      [the technical cookies] are explicitly requested by the user when they indicate that they would like to add the item to the cart.

      The only thing they requested was that the item be held in a cart for them. They didn't explicitly request that cookies be used to store information about items in the cart. They most likely don't understand all of the options for how to store data like this, and certainly wouldn't know or expect specifically that cookies be used for this.

      In fact, localStorage could be used instead. If it's a single-page app, then even that would be necessary; it could all be kept in page-local variables until they checked out (all on the same page); such that reloading the page would cause the cart data held in those variables to be lost.

    5. Consent to cookies can be provided by several actions. Subject to the local authority, these actions may include continued browsing, clicking on links or scrolling the page. In many cases, clicking on “ok”, closing the banner or continued navigation of a cookie-installing website can be considered active consent to the placing of cookies — provided that users had been previously and clearly informed about this consequence.
    6. The question is: do you have to treat the consent to the use of cookies the same way as the “regular” consent to specific data processing activities e.g. sending out newsletters?
    1. Finally, if none of the above-mentioned options seems viable, you have to collect your Users’ consent to transfer their data outside of the EU. This is the most complicated scenario, because you have to make sure that their consent is – among other aspects – “informed”. Do you really know what is going to happen to User data once they are exported outside the EU? Can you tell, what kind of security measures are being provided by the local legislation or adopted at the data importer’s initiative to ensure protection of personal data? If you’re able to provide such information, you may ask your Users to consent to the transfer of personal data, but if you’re not able to provide it, be careful: any consent collected would not be considered “informed” and therefore void.
    1. Implementing prior blocking and asynchronous re-activation

       Our prior blocking option prevents the installation of non-exempt cookies before user consent is obtained (as required by EU law) and asynchronously activates (without reloading the page) the scripts after the user consents. To use, you must first enable this feature: simply select the “Prior blocking and asynchronous re-activation” checkbox above before copy and pasting the code snippet into the HEAD as mentioned in the preceding paragraph.
    1. However, please note the following: it will depend on how those subdomains are defined. Are they just subsections of a project that belongs together like help.example.com or blog.example.com (and many other possible arrangements that are part of one and the same setup)? In such a case, using the same policy is appropriate. Problems arise when completely different projects which have little to do with one another and whose data collection practices also differ so significantly that they require different privacy policies.
  3. Apr 2020
    1. For instance, one recent blog entry from the Irish Data Protection Commission discussing events at schools borders on the absurd: “Take the scenario whereby a school wants to take and publish photos at a sports day – schools could inform parents in advance that photographs are going to be taken at this event and could provide different-coloured stickers for the children to wear to signify whether or not they can be photographed,” the Commission suggested. The post goes on to discuss the possibility of schools banning photographs at a high school musical, but suggests that might be unwieldy.
    2. “In the end, GDPR is all about consent and it’s an approach to privacy that is very European,” said Kagan. “That’s not a mistake. It’s a values statement.”
    3. The actual process is something we still need to work on so we don’t get consent fatigue.
    4. It would be a full-time job to protect your privacy in a notice and consent model.”
    5. Among some consumers, GDPR is perhaps best known as a bothersome series of rapid-fire, pop-up privacy notices.
    6. consumers become blind to an avalanche of privacy pop-up notices
    1. Currently, there is a high frequency of consent requests, privacy notices, cookie banners or cookie policies on every visited website. As a consequence of consent abuse, individuals resent a fatigue, resulting in consent losing its purpose.
    2. This way, personal data is more effectively protected allowing individuals to focus on the risk involved in granting authorization for the use of their personal data and to take appropriate decisions based on the risk assessment. Consequently, the burden and confusion generated by systematic consent forms is constrained.

      Speaking of confusing, this paragraph is confusing and unclear.

      I think what they're basically saying is, don't ask for consent for every single little thing; only ask for consent when there is a real risk involved, so that people don't get desensitized to you asking for consent for every little thing, even things that they probably don't care about.

      Key word:

      systematic consents

    3. Third, the focus should be centered on improving transparency rather than requesting systematic consents. Lack of transparency and clarity doesn’t allow informed and unambiguous consent (in particular, where privacy policies are lengthy, complex, vague and difficult to navigate). This ambiguity creates a risk of invalidating the consent.

      systematic consents

    4. If the PIA identifies risks or high risks, based on the specific context and circumstances, the organization will need to request consent.
    5. U.K. Information Commissioner Elizabeth Denham clearly states that consent is not the "silver bullet" for GDPR compliance. In many instances, consent will not be the most appropriate ground — for example, when the processing is based on a legal obligation or when the organization has a legitimate interest in processing personal data.
    6. data processing limited to purposes deemed reasonable and appropriate such as commercial interests, individual interests or societal benefits with minimal privacy impact could be exempt from formal consent. The individual will always retain the right to object to the processing of any personal data at any time, subject to legal or contractual restrictions.
    7. organizations may require consent from individuals where the processing of personal data is likely to result in a risk or high risk to the rights and freedoms of individuals or in the case of automated individual decision-making and profiling. Formal consent could as well be justified where the processing requires sharing of personal data with third parties, international data transfers, or where the organization processes special categories of personal data or personal data from minors.
    8. This will avoid overburdening with too much information every time they access a website, navigate across the internet, download an application, or purchase goods and/or services. This may result in a certain degree of consent fatigue.
    9. Furthermore, the consent-based regime creates an obligation to document that consent was lawfully given.
    10. the French CNIL has reminded that consent has to be given at the time of data collection, has to be specific, and cannot be passed to another controller through a contractual relationship; it could not be bundled.
    1. Allows you to autodetect and limit prior-blocking and cookie consent requests only to users from the EU – where this is a legal requirement – while running cookies scripts normally in regions where you are still legally allowed to do so.
    2. Enables the blocking of scripts and their reactivation only after having collected user consent. If false, the blocked scripts are always reactivated regardless of whether or not consent has been provided (useful for testing purposes, or when you’re working on your project locally and don’t want pageviews to be counted). We strongly advise against setting "priorConsent":false if you need to comply with EU legislation. Please note that if the prior blocking setting has been disabled server side (via the checkbox on the flow page), this parameter will be ineffective whether it’s set to true or false.
    1. Strictly necessary (id 1). Purposes included: Backup saving and management; Hosting and backend infrastructure; Managing landing and invitation pages; Platform services and hosting; SPAM protection; Traffic optimization and distribution; Infrastructure monitoring; Handling payments
    1. You can change your browser settings to refuse cookies and delete them at any time. If you continue to use this site without taking action to prevent the storage of this information, you are effectively agreeing to this use.
    1. The collection of the data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.
    1. Google's move to release location data highlights concerns around privacy. According to Mark Skilton, director of the Artificial Intelligence Innovation Network at Warwick Business School in the UK, Google's decision to use public data "raises a key conflict between the need for mass surveillance to effectively combat the spread of coronavirus and the issues of confidentiality, privacy, and consent concerning any data obtained."
  4. Mar 2020
    1. One MailChimp user tweeted this week that it seems the EU has "effectively killed newsletter with GDPR." He said he sent "get consent" emails through MailChimp and reported these numbers: 100 percent delivery rate, 37 percent open rate, 0 percent given consent.
    2. The re-consent campaigns have also been recognized as a practical pain from some in the thick of it. It's causing angst amongst email weary customers and prospects, consent fatigue and even some legal issues
    3. “But, if you’re unsure or haven’t mapped out entirely your processing activities,” he said, “it’s impossible to accurately reflect what your users or clients are consenting to when they complete a consent request.”
    4. “It is unfortunate that a lot of companies are blindly asking for consent when they don’t need it because they have either historically obtained the consent to contact a user,” said digital policy consultant Kristina Podnar. “Or better yet, the company has a lawful basis for contact. Lawful basis is always preferable to consent, so I am uncertain why companies are blindly dismissing that path in favor of consent.”
    1. Practical examples

       Below are examples of commonly used scripts and guidance on how to modify them so as to comply with cookie law.
    2. If other third-party tools guarantee not to use cookies, perhaps by providing specific configuration options, they too can be considered to be exempt from prior blocking. This is the case namely with YouTube, which provides a specific feature to prevent the user from being tracked through cookies.
    3. This depends on the legal jurisdiction applicable to your site. In Europe, you’re legally required to block cookie scripts until user consent is obtained. All cookies must be blocked except for those that are exempt.
    4. Technical cookies, preference, session and optimization cookies
    1. These records should include a userid, timestamp, consent proof, record of the consenting action, and the legal documents available to the user at the time of consent, among other things.
    1. Now, if you intend to serve personalized ads to users, you’ll need to ensure that explicit consent to ad personalisation is collected before you can display personalised ads for end-users (where this consent is not collected, Google will default to serving non-personalized ads, potentially impacting your ad revenue).
    1. to be fully compliant, this leads to having to check for consent on every request server-side, which is not cacheable/scalable at all. Maybe having caches vary on consent-related properties of a request would solve that, but not without an explosion in cache storage requirements (if nothing else) and nightmares when it comes to cache invalidation(s).
    2. To complicate things further, if you classify your social-sharing-plugins-usage as required functionality, and those need to set their own 3rd party cookies (as they themselves classify those as required), hello to 3rd party cookies being set by default and no way for users to opt-out (except by turning them off via browser, which means the whole thing is redundant, might as well just instruct users to disable third party cookies if they don't want to participate in social sharing crap?)
    3. this website claims the cookie stuff will be a responsibility of the browser, not the website, which would make life easier for web devs.
    1. An example of an extended consent form that allows users to give consent in a more granular manner – i.e. selectively for a number of processing purposes (analytics, remarketing or content personalization)
    2. A single consent form is useful when consent is requested for a single purpose. Here: analytics

      This seems like an important distinction:  Probably (?) you can only use a simple Agree/Disagree consent request if you only have a single purpose/category that you are obtaining consent for.

      As soon as your site has multiple categories to need consent, then you must allow individual consent/refusal of consent for each individual category/purpose.

      This is alluded to just a little bit further on:

      Consent should also be granular; users must be allowed to selectively decide what types of tracking, analytics and other activities their data can be used for.

    3. Asking for consent when processing users’ personal data is one of the most important duties imposed on website owners by the GDPR.
    1. Websites should not make conditional “general access” to the site on acceptance of all cookies but can only limit certain content if the user does not consent to cookies.
    2. it would appear impossible to require a publisher to provide information on and obtain consent for the installation of cookies on his own website also with regard to those installed by “third parties”
    3. Our solution goes a bit further than this by pointing to the browser options, third-party tools and by linking to the third party providers, who are ultimately responsible for managing the opt-out for their own tracking tools.
    4. This means or mechanism does not have to be hosted directly by you. In most cases under member state law, browser settings are considered to be an acceptable means of withdrawing consent.
    5. It’s worth noting here that the Italian Data Protection Authority (the Garante Privacy) specifically recognizes “performing a scrolling action” and “clicking on one of the internal links of the page” as valid indications of affirmative consent. Italy’s electronic data laws are fairly robust so in all likelihood, it should be fine to apply this, but because the ePrivacy is, in fact, a Directive, the specifics of how requirements should be met are heavily dependent on individual Member State law. For this reason, we give you the option to easily disable the Cookie Solution’s “scroll to consent” feature should the particular Member State law require it.

      Interesting. Most things I've read seem to suggest that wouldn't be sufficient action to imply consent.

    6. The exemption to the consent requirement only clearly applies to non-tracking technical cookies strictly necessary for the functioning of services that were expressly requested by the user. A real-world example of this would be an e-commerce site that allows users to “hold” items in their cart while they’re using the site or for the duration of a session. In this scenario, the technical cookies are both necessary for the functioning of the purchasing service and are explicitly requested by the user when they indicate that they would like to add the item to the cart.
    7. these active behaviors may include continued browsing, clicking, scrolling the page or some method that requires the user to actively proceed; this is somewhat left up to your discretion. Some website/app owners may favor a click-to-consent method over scrolling/continued-browsing methods as the former is less likely to be performed by user error.
    8. This means that if your site/app (or any third-party service used by your site/app) uses cookies, you must inform users about your data collection activities and give them the option to choose whether it’s allowed or not; you must obtain informed consent prior to the installation of those cookies.
    9. Prior to consent, no cookies — except for exempt cookies — can be installed
    10. To further illustrate this point, imagine that the ability to run cookies is a room, the cookie management solution is the door and the consent is the act of rotating the door handle; you can only enter through the door into the room if the door handle is rotated (the act of giving consent). In this example, if you’ve entered the room it can only be because the door handle was rotated and, therefore, your presence in the room is sufficient proof of this fact.
    1. illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to — or worse, incentivising — clearly illegal configurations of their systems
    2. small portion of sites (~7%) entirely ignore responses to cookie pop-ups and track users regardless of response.
    3. open source browser extension that can automatically answer pop-ups based on user-customizable preferences. It’s called Consent-o-Matic — and there are versions available for Firefox and Chrome.
    4. majority of the current implementations of cookie notices offer no meaningful choice to Europe’s Internet users — even though EU law requires one
    1. A majority also try to nudge users towards consenting (57%) — such as by using ‘dark pattern’ techniques like using a color to highlight the ‘agree’ button (which if clicked accepts privacy-unfriendly defaults) vs displaying a much less visible link to ‘more options’ so that pro-privacy choices are buried off screen.
    2. it really doesn’t take much clicking around the regional Internet to find a gaslighting cookie notice that pops up with a mocking message saying by using this website you’re consenting to your data being processed how the site sees fit — with just a single ‘Ok’ button to affirm your lack of say in the matter.
    1. On the other hand, providing your customers with a customized user experience or tailored product suggestions is not a requirement for an online store, and cookies that enable these features do not fall under the "strictly necessary" category. You'll need to get consent before you use them.
    2. When you visit your favorite online store, you expect the items you add to your shopping cart to still be in your shopping cart when you check out. Cookies make that happen. If you opted out of those cookies, you would, in essence, be opting out of the very reason you went to that site in the first place. Asking a customer if they want to allow cookies to make their shopping cart work would be like asking them if they want the thread to keep their shirt together.
    3. In fact, some are essential for the proper functioning of a website. The EU understands this and makes an exception for cookies that are "strictly necessary" to fulfill the services requested by your site visitors.
    1. Here are the top consent management platforms, with comparisons around look, feel, and functionality.
    2. Another value-add of CMP tech is that it can sniff the user's location and show the prompt just to EU residents. This helps to comply with the law while not intruding on non-EU user experiences.
    3. haven’t consent tools been around for a while? Sort of! Ever since May 2011, when the EU Cookie Directive went into effect, most EU sites have added cookie notification bars to the top or bottom of their pages. This prompted many third-party solutions to pop up, including WordPress plug-ins and the leading tool from Silktide. These tools are still around, and many sites continue to use them under the GDPR. However, these solutions were built for the older law, and the GDPR is much more specific about requiring explicit opt-in consent. Most of those older tools don't provide this, nor do they integrate with downstream ad partners, paving the way for the more sophisticated CMPs.
    4. Consent Management Platforms (CMPs), an advertising tech tool for collecting user consent and passing that data to downstream ad partners
    1. Decision point #2 – Do you send any data to third parties, directly or inadvertently? [GDPR cookie consent flowchart] Remember, inadvertently transmitting data to third parties can occur through the plugins you use on your website. You don't necessarily have to be doing this proactively. If the answer is “Yes,” then to comply with GDPR, you should use a cookie consent popup.
    1. If your agreement with Google incorporates this policy, or you otherwise use a Google product that incorporates this policy, you must ensure that certain disclosures are given to, and consents obtained from, end users in the European Economic Area along with the UK. If you fail to comply with this policy, we may limit or suspend your use of the Google product and/or terminate your agreement.
    1. the performance of a contract may not be made dependent upon the consent to process further personal data, which is not needed for the performance of that contract
    2. In order to obtain freely given consent, it must be given on a voluntary basis. The element “free” implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid.
    1. Most Google users will have a preferences cookie called ‘NID’ in their browsers. A browser sends this cookie with requests to Google’s sites. The NID cookie contains a unique ID Google uses to remember your preferences and other information, such as your preferred language (e.g. English), how many search results you wish to have shown per page (e.g. 10 or 20), and whether or not you wish to have Google’s SafeSearch filter turned on.

      They seem to claim (or hope that their description will make you think) that ‘NID’ is only used for storing preferences, but if you read further down, you see that it's also used for targeting.

      These should be separate cookies since they have separate purposes, and since under GDPR we have to get separate consent for each purpose of cookie.

    2. You can view and manage cookies in your browser (though browsers for mobile devices may not offer this visibility).
    1. YouTube’s privacy-enhanced mode basically means they do not store visitor’s information if you have a YouTube video on your website, unless they actually click on the video to view it.
    1. The problem is that even if the visitor is not watching the video or interacting with it, in any capacity, YouTube still collects and stores data on them. Not cool. This is done using cookies that are placed on the user’s browser the moment they load a webpage with a YouTube video embedded in it. These cookies are used to track users, serve targeted ads (Google’s bread and butter), and add info to the user’s profile. Yes, they have profiles on everyone.
    1. You still have to use a Cookie Notice, if you’re planning to collect data that can identify an individual within the EU, or
    1. However, we recognise there are some differing opinions as well as practical considerations around the use of partial cookie walls and we will be seeking further submissions and opinions on this point from interested parties.
    2. Start working towards compliance now - undertake a cookie audit, document your decisions, and you will have nothing to fear.
    3. While we recognise that analytics can provide you with useful information, they are not part of the functionality that the user requests when they use your online service – for example, if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.
    4. PECR always requires consent for non-essential cookies, such as those used for the purposes of marketing and advertising. Legitimate interests cannot be relied upon for these cookies.
    1. Out of 508 manually analysed websites that provide a way to opt out, we detected 39 websites where the banner stores a positive consent, even if the user explicitly refuses consent via the cookie banner.
    2. For large-scale analysis of websites, we have implemented a crawler, called Cookinspect, based on a Selenium-instrumented Chromium, that detects what consent cookie banners store in the user's browser.
    3. The primary goal of Cookie glasses extension is to empower the end users and Data Protection Authorities to investigate websites and detect when the consent stored by the website does not correspond to the choice made by the user.
    1. saying they give people all the controls they need to manage and control access to their information. But controls with dishonest instructions on how to use them aren’t really controls at all. And opt outs that don’t exist smell rather more like a lock in. 
    1. By default, your users will be asked for their consent on each of your domains and sub domains since Cookiebot treats domains and sub domains separately. By enabling the Bulk Consent feature, however, your users will only be prompted for a consent the first time they visit any one of your websites (and again after 12 months when the consent needs to be renewed).
    1. Very few solutions include all of the GDPR required features like: 1) Enabled prior consent. 2) Clear and specific information about data types and purpose of the cookies. 3) Full documentation of all given consents. 4) The possibility for users to reject superfluous cookies and still use the website. 5) The possibility that users can withdraw their consent whenever they want. Cookie solutions that don’t have those features are not GDPR compliant.
    2. It is required by the GDPR as you must document cookies and online tracking at anytime and you must be able to show that documentation to both your users and the EU.
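      Several of the annotations above describe the same mechanism from different angles: nothing but exempt cookies may be set before consent (the "door handle" annotations), consent has to be per purpose rather than one blanket "Ok" (the NID comment), the solution must document every consent and allow withdrawal (the required-features list), and the crawler studies found banners that store a positive consent after the user refused. The following is an added example, not code from any of the quoted pages or vendors, showing a deny-by-default consent gate in plain JavaScript that does all of that in memory. The purpose names, script ids, user id and notice/form version strings are assumptions for illustration; a real deployment would persist the records server-side and hook the gate into how third-party tags are injected into the DOM.

```javascript
// Added example: per-purpose, opt-in-by-default consent gate with an audit
// trail and a stored-vs-chosen mismatch check. Purpose names, script ids
// and version strings below are assumed for illustration.

const STRICTLY_NECESSARY = "strictly_necessary";

// Constructed catalogue of tags the site would like to run. The first entry
// stands in for a session/cart cookie (exempt); the rest are the kind of
// third-party tags that must wait for consent.
const SCRIPT_CATALOG = [
  { id: "session-cart", purpose: STRICTLY_NECESSARY },
  { id: "analytics-tag", purpose: "analytics" },
  { id: "ad-pixel", purpose: "advertising" },
  { id: "product-recs", purpose: "personalisation" },
];

class ConsentManager {
  constructor({ purposes, noticeVersion, formVersion, now = () => new Date() }) {
    this.purposes = purposes;          // non-essential purposes offered
    this.noticeVersion = noticeVersion; // privacy notice shown at consent time
    this.formVersion = formVersion;     // consent form shown at consent time
    this.now = now;                     // injectable clock for testing
    this.records = [];                  // full history, newest last
    this.current = null;                // latest record; null before any choice
  }

  // Prior-consent rule: before any record exists, only strictly necessary
  // purposes are allowed. Silence or scrolling never flips this to true here.
  isAllowed(purpose) {
    if (purpose === STRICTLY_NECESSARY) return true;
    if (!this.current) return false;
    return this.current.choices[purpose] === true;
  }

  // Record a choice. `choices` lists only the purposes the user actively
  // ticked; any purpose omitted is recorded as refused (no pre-ticked boxes).
  recordChoice(userId, choices, action) {
    for (const p of Object.keys(choices)) {
      if (!this.purposes.includes(p)) throw new Error(`unknown purpose: ${p}`);
    }
    const normalised = {};
    for (const p of this.purposes) normalised[p] = choices[p] === true;
    const record = {
      userId,
      timestamp: this.now().toISOString(),
      action,                            // e.g. "click" or "withdraw"
      choices: normalised,
      noticeVersion: this.noticeVersion,
      formVersion: this.formVersion,
    };
    this.records.push(record);
    this.current = record;
    return record;
  }

  // Withdrawal is just a new record refusing everything; history is kept.
  withdrawAll(userId) {
    return this.recordChoice(userId, {}, "withdraw");
  }

  // Ids of catalogue entries that may be injected right now.
  loadableScripts(catalog = SCRIPT_CATALOG) {
    return catalog.filter((s) => this.isAllowed(s.purpose)).map((s) => s.id);
  }
}

// The check the crawler studies perform: compare what the site stored
// against what the user actually chose, and return every purpose stored as
// consented although the user did not tick it.
function storedConsentViolations(stored, userChoice) {
  return Object.keys(stored).filter(
    (p) => stored[p] === true && userChoice[p] !== true
  );
}

// Walk-through with a fixed clock so the record is reproducible.
const cm = new ConsentManager({
  purposes: ["analytics", "advertising", "personalisation"],
  noticeVersion: "notice-2020-05",
  formVersion: "form-v3",
  now: () => new Date("2020-05-20T12:00:00Z"),
});
console.log(cm.loadableScripts());                 // only session-cart
cm.recordChoice("user-42", { analytics: true }, "click");
console.log(cm.loadableScripts());                 // session-cart, analytics-tag
cm.withdrawAll("user-42");
console.log(cm.loadableScripts(), cm.records.length);
console.log(storedConsentViolations({ advertising: true }, { advertising: false }));
```

The gate is deliberately dumb about how consent was expressed: it only ever sees an explicit map of ticked purposes, so a "scroll to consent" or continued-browsing heuristic cannot leak in unless something upstream fabricates a ticked map. Keeping `noticeVersion` and `formVersion` on every record is what lets you later show which wording and which form a given user actually saw.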