compliance Archives - TechGDPR
https://techgdpr.com/blog/tag/compliance/
Thu, 22 Feb 2024 16:39:20 +0000

Consent Management Platforms’ misleading cookie banner designs: how to recognize and avoid dark patterns
https://techgdpr.com/blog/consent-management-platforms-cookie-banner-dark-patterns/
Thu, 22 Dec 2022 07:45:00 +0000

It does not take much convincing for someone to accept freshly baked cookies when offered to them. On the internet, however, organizations and website owners have had to work harder to balance compliance with optimizing cookie consent rates, which ultimately benefits them and their revenue.

This is especially true since the GDPR came into effect, as it sets specific requirements for consent as a legal basis, which also apply to the processing of non-necessary cookies. The reason is that these text files, which our devices read and write when interacting with a website, often include information that, once associated with your interactions, is categorised as personal data: IP addresses, usernames, unique identifier codes or even email addresses and metadata.

That is where Consent Management Platforms (CMPs) come into play. They can be described as systems provided by third-party vendors that help controllers manage users’ cookie preferences and meet their transparency obligations under data protection laws. It is thus very likely that when a cookie pop-up appears on a website, it is managed by a CMP. You might be familiar with some of the following: OneTrust, Quantcast or Cookiebot.

What are dark patterns and how do they relate to cookies?

A CMP that relies on the IAB Europe Transparency and Consent Framework Policies (IAB TCF) is required to meet several criteria. However, these mostly concern the need to list the purposes and features of the cookies. CMPs are therefore given considerable freedom in the design of cookie banners and consent pop-ups.

Several studies conducted on the standard templates that CMPs offer show that many of the designs provided actually hide manipulative strategies intended to sway users into providing consent. These designs are often referred to as dark patterns.

Some common types of dark patterns in the context of cookie banners are known as interface interference and sneaking. An example of the former is presenting the “Accept all” option at the top of a banner, whilst the “Reject all” option can only be found after scrolling down; this is also labelled false hierarchy.

Example of false hierarchy: on top of the fact that no option to directly reject cookies is provided, after selecting “manage cookies” one has to scroll down, manually choose every option and find the “save preferences” button at the bottom of the (second) banner.

Another example of false hierarchy is drawing attention to the desired choice in comparison to the other options. For instance, the “Accept all” option might be brightly colored or stand out from the background. Meanwhile, the “Reject” or “Settings” options will oftentimes be the same color as the background of the cookie banner, rendering them less noticeable.

Example of false hierarchy: the Refuse option is unformatted and blends into the background compared to the large black box highlighting the accept option. The “change settings” option is also the same colour as the background.

Meanwhile, sneaking refers to hiding the relevant information, usually behind a far less visible and unformatted link. This is commonly implemented as smaller text offering “more options” or “manage settings” in the corner of the banner, which then allows the user to obtain more information and finally reject all cookies.

Example of sneaking: the relevant information is not provided on the banner but requires further clicking into the settings option.

Read more about other types of dark patterns in the article “The Dark (Patterns) Side of UX Design” from Purdue University, IN.

Does the GDPR or ePrivacy Directive prohibit the use of Consent Management Platforms?

There is no direct mention of CMPs or dark patterns in the GDPR or in the ePrivacy Directive, which directly governs the use of cookies. Nonetheless, one can still draw some conclusions from the consent requirements under the GDPR. For example, Article 7(4) GDPR states that withdrawing consent should be as easy as providing it. Thus placing the options on an unequal footing, as false hierarchy designs do, would be a non-compliant approach. Case law also confirms this: the Advocate General in the Planet49 case specifically mentions that for consent to be valid, the options to reject and accept should be placed “optically on the same footing.”

Despite these academic findings and conclusions, the use of CMPs has only increased since the GDPR came into force. To add to that, data protection authorities deem CMPs an appropriate tool to use when a compliant design is rolled out. It is important to note, though, that CMPs cannot be compliant until they start assuming their data controller or joint controller obligations (GDPR Art. 24 and 26, respectively). This was highlighted in the recent €250.000 fine imposed on IAB Europe by the Belgian supervisory authority.

Thus, whilst the use of CMPs is not prohibited, it is always best to keep in mind that not all of their template designs actually reflect the requirements for valid consent, which increases the possibility that the cookie banner will be deemed non-compliant.

What does a compliant cookie banner look like?

Under the framework provided by GDPR Article 7 and Recital 32, consent must be “freely given, specific, informed and an unambiguous indication of agreement”. Ideally, a compliant cookie banner should reflect all of those exactly, and should avoid the dark patterns described above, which likely contradict the freely given nature of consent.

As a practical example, in 2022 NOYB, the non-profit presided over by Max Schrems, the activist of international fame, placed 226 complaints with data controllers over cookie banners rich in dark patterns, arguing that the only compliant option was to outright offer an accept all and a reject all button. Therefore, a good starting point would be to ensure both options are provided and equally accessible, by designing the “Accept” and “Reject” buttons to look identical and perhaps even placing them side by side on the banner.

Lastly, when implementing a banner design, consider the more stringent requirements in terms of design, such as the prohibition of pre-ticked boxes, and the requirements around requesting unambiguous consent, rather than treating scrolling as acceptance of the use of cookies.

Example of a compliant cookie banner providing relevant information and all three options in the same color, size and design.
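As an added example (not TechGDPR’s code and not tied to any particular CMP), the following JavaScript sketches the consent-state logic behind a banner that follows the points above: non-essential categories default to off (no pre-ticked boxes), only an explicit click counts as consent (scrolling or dismissing the banner leaves the state undecided and no tracking scripts load), rejecting or withdrawing is a single action on the same footing as accepting, and a small check verifies that a banner’s button specification offers both choices on the first layer with identical styling. The category names, action names and the button-spec shape are assumptions made for illustration.

```javascript
// Added example, not from TechGDPR or any CMP vendor.
// Hypothetical category names; a real banner would map these to its own.
const NON_ESSENTIAL = ["analytics", "marketing", "personalisation"];

// Default state before the user decides: nothing non-essential is on,
// i.e. no pre-ticked boxes.
function defaultConsent() {
  const categories = { necessary: true };
  for (const c of NON_ESSENTIAL) categories[c] = false;
  return { categories, decided: false, decidedAt: null, source: null };
}

// Only explicit, unambiguous user actions count as consent. Scrolling,
// closing the banner or continuing to browse are NOT in this set and
// therefore leave the state undecided.
const EXPLICIT_ACTIONS = new Set(["accept_all", "reject_all", "save_preferences"]);

// Apply a user action to the consent state; returns the new state.
// `choices` holds the boxes the user ticked on the settings layer
// (hypothetical shape: { analytics: true, ... }); unticked stays off.
function applyAction(state, action, choices = {}, now = Date.now()) {
  if (!EXPLICIT_ACTIONS.has(action)) {
    return state; // e.g. "scroll" or "dismiss": not consent
  }
  const categories = { necessary: true };
  for (const c of NON_ESSENTIAL) {
    if (action === "accept_all") categories[c] = true;
    else if (action === "reject_all") categories[c] = false;
    else categories[c] = choices[c] === true;
  }
  return { categories, decided: true, decidedAt: now, source: action };
}

// Gate for loading a non-essential script or setting a non-essential
// cookie: allowed only after an explicit decision that enabled it.
function mayLoad(state, category) {
  if (category === "necessary") return true;
  return state.decided && state.categories[category] === true;
}

// Withdrawal must be as easy as giving consent: one action, same path.
function withdrawAll(state, now = Date.now()) {
  return applyAction(state, "reject_all", {}, now);
}

// Design-level check on a banner's button spec (constructed shape:
// { action, layer, style }). Accept and reject must both be present on
// the first layer and share the same styling, so neither is hidden behind
// a "manage settings" link or visually demoted (false hierarchy).
function bannerHasEqualChoices(buttons) {
  const accept = buttons.find((b) => b.action === "accept_all");
  const reject = buttons.find((b) => b.action === "reject_all");
  if (!accept || !reject) return false;
  if (accept.layer !== 1 || reject.layer !== 1) return false;
  return accept.style === reject.style;
}

// Stand-alone run with a constructed banner spec.
const demoBanner = [
  { action: "accept_all", layer: 1, style: "primary" },
  { action: "reject_all", layer: 1, style: "primary" },
  { action: "save_preferences", layer: 2, style: "primary" },
];
console.log("banner offers equal choices:", bannerHasEqualChoices(demoBanner));
let state = defaultConsent();
state = applyAction(state, "scroll"); // ignored: still undecided
console.log("analytics after scroll:", mayLoad(state, "analytics"));
state = applyAction(state, "save_preferences", { analytics: true });
console.log("analytics after explicit save:", mayLoad(state, "analytics"));
```

The point of keeping the consent model separate from the DOM is that the gate `mayLoad` can be reviewed and unit-tested on its own: if a script tag is ever injected while `decided` is false, the defect is in the loader, not in the banner’s styling.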

To recap, when setting cookies there are several interests and legal requirements that website operators, as data controllers, need to balance before considering Consent Management Platforms the ideal solution. Studies have shown that many of the current cookie banner designs provided by these platforms still place more weight on gaining consent than on ensuring compliance. This is not surprising, considering that CMPs are in the business of selling software solutions to a problem many marketing teams refuse to fully grasp.

The existence of “dark patterns” in consent pop-ups is perceived by everyone yet not often discussed. For implementers, it is understandably tempting to place full trust in a CMP’s design, overlook the details and turn on options that actually render their banner non-compliant. However, being mindful of the flaws in the designs that Consent Management Platforms offer, and knowing how to avoid dark patterns, might be the only way to ensure that a cookie banner or consent pop-up is fully compliant with the GDPR, so that your time and money are not wasted.

TechGDPR is a consultancy based in Berlin offering GDPR compliance assessments, DPO-as-a-service retainers and hourly consulting. TechGDPR consultants help assess the vendors you wish to purchase your solutions from, navigate the complexity of international data transfers as well as guide you through the most compliant roll-out of the solutions you have purchased. TechGDPR routinely trains marketing and procurement teams in understanding data protection requirements and offers an online training course for software developers, system engineers and product owners.

The post Consent Management Platforms’ misleading cookie banner designs: how to recognize and avoid dark patterns appeared first on TechGDPR.

Personal data and cold calling under the GDPR
https://techgdpr.com/blog/personal-data-cold-calling-gdpr/
Tue, 25 Jun 2019 15:15:25 +0000

A personal data focused analysis of how to practice cold calling in compliance with the GDPR.

Cold calling individuals is like throwing a rock in a pond with the hope of catching a fish. Obviously, the success rate is high enough to justify manning the phone with a single person all the way up to outsourcing a floor’s worth of call center advisers. But how can you continue making cold calls when you have purchased personal data?

With lots being said about the GDPR signalling the death of sales and marketing as we know it, it’s hard to make sense of how much room remains for your organisation to call up an unsuspecting prospect in a compliant way. While you can’t avoid raising suspicion as to where the data subject’s number originated from, there is a wide spectrum of practices, ranging from downright non-compliant data collection to a fully fulfilled duty to inform. Though it is limiting to approach the Regulation with a single use case, it remains the best way to avoid opening the floodgates to exceptions. For the purposes of this post, I’ll cite the following example:

Having been called out of the blue by a company offering to teach her online trading, a good friend of mine inquired as to her data protection rights. When she asked the sales agent on the call where he had found her number, he was quick to answer that his boss had provided it. Concerned that, having registered as a job candidate on several job sites in the past, her phone number might have been communicated to the company making the call that day, she also wanted help determining her rights as regards the company to which she had initially entrusted her phone number.

Can personal data be sold and bought under the GDPR?

Inheriting personal data sets from a third party with no proper documentation (e.g. legal basis for the initial collection, records that the initial controller fulfilled the duty to inform, recorded consent or a readily available consent matrix) is a liability for both the personal data broker and the purchaser. At the very least, records of processing activities should establish a trace of the transaction, since personal data sold to a third party is a data transfer to a recipient. Additionally, your organisation will need to prove that subjects were informed this transfer would take place, or that you informed them within a month of purchasing their personal data that your organisation now processes it. More on this further on.

Failing to document what information was communicated and what legal basis applies violates both the data protection principles of lawfulness and transparency and that of purpose limitation, exposing you to the heaviest of fines: 4% of annual turnover. If your organisation has purchased personal data from a third-party source, don’t hide that information. To prevent your staff from turning down a data subject’s request to know the origin of that data, make sure they have been trained to recognise it as a genuine data subject request. Article 14.2(f) makes it compulsory for organisations to inform data subjects, if requested, of the source of data that was not collected from them directly.

The worst scenario on your call-center floor is for an agent to downplay that request and respond that the subject’s phone number was communicated by their line manager. You may need to review your processes, knowledge base and staff training on how to handle data subject requests. You would be surprised how many people use built-in or third-party call recorder apps on their phones.

While you can sell and purchase personal data, you have to be very clear about it. Unlike the CCPA, the GDPR does not require you to disclose that the data will be sold; instead it requires you to disclose who will be receiving it.

In that respect, the CCPA more explicitly acknowledges the commercial uses of personal data. It makes it a requirement to disclose such uses and to provide subjects with a way to opt their data out of sale. In that sense, it allows for slightly more traceability in the data supply chain than the GDPR does. Keep in mind that small print at the end of a 10-page privacy policy will not impress authorities. Requirements of concision and clarity can be found in Article 12.1.

Can our organisation cold call data subjects?

Yes, it can.

Central to data protection is your duty to inform. Fulfilling it puts your organisation in line with the GDPR’s principle of lawfulness, fairness and transparency (GDPR Art. 5.1).

It is likely that the applicable legal basis for processing personal data in your case is legitimate interest. Yet having determined an applicable legal basis does not make you compliant unless the purpose and the legal basis are formally communicated to the data subject.

Can data subjects refuse to be the target of your direct marketing?

Yes, under Article 21.1 of the GDPR an individual has the Right to Object. While this right is typically designed to put the burden of proof on the controller to show that its processing of personal data is done in the controller’s legitimate interest, the data subject also has the right to outright object to the use of their data for direct marketing. This means that your company will have to mark the personal contact data to prevent it from being used for that purpose. This is one of the only technical and organisational measures made explicit in the GDPR. Apply it if the data is nonetheless required to serve other purposes, such as the performance of a contract. Should the data serve no other purpose, the best-practice principles of data minimisation and purpose limitation dictate the complete deletion of the personal data.

As hinted above, do not expect the data subject to formally file a deletion or objection request via your data protection officer. Treat their request on the phone as officially as you can, which naturally raises the expectations on staff compliance training.

Must I perform my duty to inform during the call?

Where the CCPA does not make it compulsory for organisations to disclose having transferred or sold data unless the subject requests to know, the GDPR makes it a requirement to inform proactively about the transfer of personal data to a third party or recipient.

While a strict reading of the GDPR might lead you to believe that you should read your complete privacy policy out over the phone, in reality the situation is not that extreme, but it needs to be broken down a little.

If, prior to the call, you collected the contact information from the data subject, you will already have informed them of the purpose of processing and collected consent (if that is your legal basis). On the call itself, you might be inclined to remind the data subject of the legal basis on which you are currently operating, but there is no GDPR provision making this a requirement; it is a matter of building trust and plain courtesy.

If you have not collected data from the data subject but amassed their contact details from a different source or third party, then you should inform data subjects of your full identity and contact details, what data you have collected, under what legal basis (or bases) you have done so, what retention period governs that data processing and what rights the data subjects can exercise. GDPR Art. 14.3(a) sets the time frame for the duty to inform at a reasonable period after obtaining the personal data, and no more than one month.

Should you place a call to the data subject before having informed them of the above, you should understandably be prepared to read this information out to them and facilitate the exercise of their data subject rights (GDPR Art.12).

A full list of elements your communication should include is available in Articles 12 to 14.

What if the data subject actually consents to their data being used when on call?

Technically, you could record the call to document consent, but consent for that form of data collection (audio recording) would first be needed. Recording a call is nothing short of collecting biometric and personal data and, in many cases, transferring that data to servers or cloud services across the Atlantic. If your cloud provider is not listed under the EU-US / Swiss-US Privacy Shield and no other legal instrument allows for that transfer, the call recording would fail the compliance test on many levels.

A best practice often witnessed involves sending an opt-in email immediately after the call which recaps the essence of your phone conversation: what you agreed to share, the data the subject consented to disclosing and the purposes stated. You might want to consider including the date on which the conversation took place in the body of the text, i.e. not relying on the email client’s automated time stamp.

Yes, your organisation can sell or purchase personal data and place cold calls.

The GDPR prohibits both forms of personal data processing only when they are done unlawfully. Unlawful data processing in the case of direct unsolicited marketing by phone is characterised by depriving data subjects of their rights, violating the data protection principles of fairness, transparency and accountability, failing to inform them upon acquisition or collection of their data, depriving them of information when you first come into contact with their personal data, and not supporting them in the exercise of their rights. If you have these items under control, you’re good to proceed with a fair degree of confidence in your compliance.

If you need help with reviewing your data protection practices, your data flows, your compliance documentation and call center staff or management training, get in touch.

TechGDPR specialises in digitised environments and products including AI, machine-to-machine / IoT transactions and Blockchain applications. We offer consulting packages, hourly support, staff training and workshops.


The post Personal data and cold calling under the GDPR appeared first on TechGDPR.