Data Privacy and Protection: A Guide to Consent Management Best Practices
Consent management is a process that guides compliance by informing users about data collection and usage practices. This comprehensive guide outlines consent management, the benefits of a consent management platform, and best practices.
If your website must comply with the General Data Protection Regulation (GDPR) of the European Union, the LGPD of Brazil, the PDPA of Thailand, or another data privacy law that requires consent before you can process personal data, you need to think about consent management.
Before delving into the details of consent management best practices, let’s get straight to why you need that in the first place.
What Does the EU GDPR Require Regarding User Consent?
GDPR is based on the "opt-in" principle, which says that if you have no other legal reason to process a user's personal data, you must get their permission first.
Aside from consent, the GDPR's other legal bases for processing are legitimate interests, a person's vital interests, public interests, the execution of a contract, and compliance with legal obligations.
Only explicit consent is valid. It means that it must be:
- Given freely, which means that giving consent must not be a condition for anything;
- Informed, which means that you have to inform the user about the data processing before collecting consent;
- Specific, which means that you need specific consent for each specific processing purpose;
- Unambiguous, which means that the consent is valid only if the user has taken affirmative action for consenting, such as clicking an ACCEPT button.
If one of these criteria isn't met, you’re in non-compliance and may receive a GDPR fine.
On top of that, you must allow users to withdraw consent as easily as they gave it. If clicking an ACCEPT button was enough to give consent, clicking a WITHDRAW CONSENT button will be enough to meet this requirement.
Remember that when you collect data via cookies, you must obtain consent for every non-essential cookie your website uses. This includes Google Analytics cookies, preferences cookies, advertising pixels, cookies used by social media plugins, and other trackers you use for data collection. Any first-party or third-party cookies are subject to consent as long as they are not essential for the website’s proper functioning.
What does the California Consumer Privacy Act (CCPA) require regarding user consent?
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) do not require explicit consent for cookies or consumer data processing. They require you only to show users a privacy notice with information on data collection and tell them what you do with collected data.
In many cases, a link to your privacy notice would suffice.
On the other hand, California privacy laws say that you need permission from a child's parent or guardian before collecting information about them.
What is consent management?
Consent management is the way you handle obtaining and recording consent. Consent management practice has two main stages: consent collection and records of consent.
We explained above what GDPR-compliant consent collection means. But that’s only half the work needed for GDPR compliance. The other half involves keeping records of consent.
Recital 42 of the GDPR requires you to be able to prove that you have obtained consent from each user. Other data privacy regulations, such as the LGPD, Thailand PDPA, and others, require the same. That’s why you need to keep records of consent. And that’s why you need a consent management tool.
Businesses usually collect consent by using any of the following:
- A custom-built cookie consent banner. Building a custom solution is viable if you have the resources, such as developers and lawyers, to ensure that you collect customer data according to the law.
- A random free cookie banner for WordPress, Squarespace, or any builder website. These are rarely compliant with the laws, and they rarely record consent. They appear on the website and serve no purpose.
- A Consent Management Platform (CMP). You can outsource consent collection to someone else who takes care of your cookie banner being safe, secure, and up-to-date with all the updates to the data privacy regulations.
What is a Consent Management Platform (CMP)?
A consent management platform is software that makes it easy to comply with cookie consent rules and keeps you safe from penalties.
As explained before, when a user lands on your website, you must keep your cookies at bay until the user consents. The CMP automates this process and keeps it simple for website operators. When CMP code is installed on a website, cookies are not deleted. Instead, the CMP requests the user's consent via a pop-up cookie banner. If the user agrees to the use of cookies, the CMP allows them to be placed on the user’s device. No cookies are used if the user says no or remains silent.
Installing a piece of code and setting it up correctly allows you to follow the data protection laws in different countries easily.
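The gating behaviour described above, as an added example that is not Secure Privacy's code or any CMP's actual implementation: non-essential tags are held until an affirmative opt-in, and every decision is appended to a consent record. The class name, category names, `userId` and record fields are assumptions made for illustration.

```javascript
// Added example: a minimal consent gate. Names and record shape are assumptions.
const CATEGORIES = ["preferences", "analytics", "advertising"]; // non-essential purposes

class ConsentGate {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.pending = new Map(); // category -> loaders waiting for consent
    this.granted = new Set(); // categories the user has opted in to
    this.records = [];        // append-only proof of consent (who, what, when)
  }

  // Register a tag. "essential" runs at once; everything else waits for opt-in.
  register(category, loader) {
    if (category === "essential" || this.granted.has(category)) return loader();
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push(loader);
  }

  // Call only from an affirmative user action (e.g. the ACCEPT button).
  // `choices` maps category -> boolean; a missing category counts as "no",
  // so silence never enables a tracker. `userId` is a hypothetical visitor id.
  decide(userId, choices) {
    for (const category of CATEGORIES) {
      const allow = choices[category] === true;
      this.records.push({ userId, category, allow, at: this.now() });
      if (allow) {
        this.granted.add(category);
        for (const loader of this.pending.get(category) || []) loader();
        this.pending.delete(category);
      } else {
        this.granted.delete(category);
      }
    }
  }

  // Withdrawal is a single call, as easy as giving consent, and is recorded too.
  withdraw(userId, category) {
    this.granted.delete(category);
    this.records.push({ userId, category, allow: false, at: this.now() });
  }
}
```

Withdrawal here only stops further tags in that category from loading; cookies a tag has already set on the device have to be cleared separately.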
What are the best practices for consent management?
Using a consent management platform is the best practice regarding consent management. It means that you outsource your website compliance to someone who does that professionally and has a big team to ensure that your website and apps remain compliant with the GDPR and other laws.
It allows you to meet the privacy compliance requirements for a small monthly fee while a whole team of developers, UX designers, and lawyers takes care of the compliance of the software. On top of that, CMPs take care of the user experience of your data subjects.
Cookie banners are often criticized for harming the customer experience, so you must ensure that their design is user-friendly. That’s how you build trust with users. We at Secure Privacy have created multiple designs to accommodate our customers and let them choose a cookie banner that aligns well with their brand and provides a great user experience while collecting user data lawfully.
Do I need to provide users with a preference management solution?
Providing users with a preference management solution is not mandatory but is a good practice. It allows data subjects to manage their consent preferences at any time. For example, they can withdraw consent for advertising purposes but still let you use Google Analytics cookies.
It will also help you build trust with your customers. They would see that you care for their privacy.
How do I get a consent management solution?
You can sign up for a free trial with Secure Privacy to get a consent management solution and gather personal data in compliance with the GDPR. It is aligned with the IAB Framework and ensures that your website, mobile app, or web app will collect data as the law requires from your business. It comes at a low monthly price.
