Configuring your CMP to comply with the GDPR and with the CNIL's and the EDPB's recommendations

📕 A CMP (Consent Management Platform) is a platform for collecting user consent for personal data. A CMP records, stores and restores consent and transmits it to multiple vendors when necessary. It makes the user experience smoother and consent collection easier.

Nevertheless, Armand Heslot (Privacy & Security Expert at the CNIL) recently pointed out in an interview for mind Media that using a CMP doesn't necessarily mean that you are compliant with the GDPR or that the consent you obtain is valid.

What conditions must you meet to be compliant when you collect user consent through a CMP?


First, the data protection authority states that the wording you use must be clear and intelligible, written in simple language that lets users understand clearly what they are consenting to.

Processing purposes must be clear and written on the first page of the banner. The buttons "I agree", "I disagree" and "I refine my preferences", which allow the user to consent or refuse globally, can be visible on the first page, but they must appear after the detailed purposes list. On the second page, you can request consent for each purpose. Be careful, though: opt-out boxes are not accepted by the CNIL or the EDPB. The French data protection authority is very clear on the subject in the Vectaury formal demand: "When all the purposes of the collection are notified with opt-out boxes, we can't consider that the user is consenting to anything. Indeed, his action is required to refuse the processing by unchecking the boxes corresponding to each purpose."

In addition, the names of the data controllers must appear on the first page of the banner. This lets users give consent knowing the identity of the companies collecting their data.

Furthermore, the text must not suggest that disagreeing will prevent the user from accessing the website or will lead to a payment to access it.

The specific case of geolocation data processing

When you collect geolocation data, you must ask the user for specific consent. The CNIL recalls in its formal demand that the EDPB requires consent to be specific, which a global acceptance given by the user without knowledge of the multiple processing operations or multiple purposes doesn't satisfy. Mobile application users don't specifically consent to geolocation data processing for profiling and advertisement targeting.

Is collecting consent through scroll or click valid?

Collecting consent through scroll or click is no longer accepted by the CNIL as a positive act from the user. The EDPB states that scrolling is not a positive action and can't be considered as consent.

Can analytics cookies be considered essential?

Be careful: audience measurement cookies such as Google Analytics are not considered essential unless they meet certain conditions set out by the CNIL: https://www.cnil.fr/fr/solutions-pour-les-cookies-de-mesure-daudience.

Currently, only two solutions are recognized by the CNIL as meeting these conditions: AT Internet (Xiti) and Matomo. You must ask for the user's consent when you want to drop such a cookie on his device.

Remember to give the user the possibility to revisit his consent status or to change his settings by clicking on a link at the bottom of your page or in your privacy policy.

The buttons "agree" and "disagree" must have the same size and neutral colors.

Analytics cookies cannot last more than 13 months. Information collected by cookies can be stored for a maximum of 25 months. You must ask the user for his consent again after this period. The Google Analytics cookie lifespan is sometimes 24 months by default; in that case, you must reduce it. Here is a guide:

📰 https://developers.google.com/analytics/devguides/collection/analyticsjs/cookies-user-id#cookie_expiration.
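
As an added example (not part of the original article, and not code from Google or the CNIL), the following Node.js script audits `Set-Cookie` headers against the 13-month limit stated above. The cookie name patterns, function names and sample headers are assumptions constructed for illustration.

```javascript
// Assumption: cookie names treated as analytics cookies for this audit.
const ANALYTICS_NAMES = [/^_ga/, /^_gid$/];
const MAX_MONTHS = 13; // limit stated in the article

// Latest expiry date allowed for a cookie set at `now` (calendar months, UTC).
function limitDate(now) {
  const d = new Date(now.getTime());
  d.setUTCMonth(d.getUTCMonth() + MAX_MONTHS);
  return d;
}

// Parse one Set-Cookie value into { name, expires }; expires is null for session cookies.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const found = {};
  for (const attr of attrs) {
    const [key, ...rest] = attr.split('=');
    found[key.toLowerCase()] = rest.join('=');
  }
  let expires = null;
  // Max-Age takes precedence over Expires (RFC 6265).
  if (/^-?\d+$/.test(found['max-age'] || '')) {
    expires = new Date(now.getTime() + Number(found['max-age']) * 1000);
  } else if (!Number.isNaN(Date.parse(found.expires))) {
    expires = new Date(Date.parse(found.expires));
  }
  return { name: pair.slice(0, pair.indexOf('=')), expires };
}

// Return the names of analytics cookies that outlive the 13-month limit.
function auditCookies(headers, now) {
  const limit = limitDate(now);
  return headers
    .map((h) => parseSetCookie(h, now))
    .filter((c) => ANALYTICS_NAMES.some((re) => re.test(c.name)))
    .filter((c) => c.expires !== null && c.expires > limit)
    .map((c) => c.name);
}

// Constructed sample headers, evaluated at a fixed date so the result is reproducible.
const NOW = new Date('2024-01-15T00:00:00Z');
const SAMPLE = [
  '_ga=GA1.2.111.222; Max-Age=63072000; Path=/', // 24 months: too long
  '_gid=GA1.2.333.444; Max-Age=86400; Path=/', // 24 hours: within the limit
  '_ga_ABC=GS1.1.x; Expires=Sat, 15 Feb 2025 00:00:00 GMT; Path=/', // exactly 13 months
  'session=abc; Path=/; HttpOnly', // not an analytics cookie, no expiry
];
console.log(auditCookies(SAMPLE, NOW));
```

Run it against the `Set-Cookie` headers captured from your own site after consent is given; any name it returns needs its lifespan reduced.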

Points to watch when configuring a CMP

  • For consent to be valid, the user must know the purpose of the data processing and the identity of the data controller, but also the data collected.
  • The wording used to inform the user must be clear and intelligible, written in simple language that lets users understand clearly what they are consenting to.
  • It must have the buttons "I agree", "I disagree" and "I define my preferences", which allow the user to consent or refuse globally. They can be visible on the first page, but they must appear after the detailed purposes list.

⚠️ This can be different depending on the country: feel free to check out our article about Legal peculiarities on consent in different countries.

  • The text must not suggest that disagreeing will prevent the user from accessing the website or will lead to a payment to access it.
  • When you collect geolocation data, you must ask the user for specific consent.
  • Collecting consent through scroll or click is no longer accepted by the CNIL, as it's not a positive act from the user.

⚠️ This can be different depending on the country: feel free to check out our article about Legal peculiarities on consent in different countries.

  • Remember to give the user the possibility to revisit his consent status or to change his settings by clicking on a link at the bottom of your page or in your privacy policy.
  • The lifespan of user consent for cookies is 6 months. Analytics cookies cannot last more than 13 months. Information collected by cookies can be stored for a maximum of 25 months. You must ask the user for his consent again after this period. The Google Analytics cookie lifespan is sometimes 24 months by default. You must ask the user for his consent again after this duration.

⚠️ This can be different depending on the country: feel free to check out our article about Legal peculiarities on consent in different countries.