Signatu’s Cookie Consent Solution - part 1

Signatu now launches its Cookie Consent solution.

How does it work?

It scans your website to detect resources set by the website and resources loaded by third parties.

Then, by a one click, it auto generates a responsive Cookie Consent Banner with two alternative designs:

• one design for the Norwegian Ekom law, and
• one design for the ePD/GDPR.

The information in and design of Signatu’s Cookie Consent Banners is guided by:

• EU legislation, case law,
• guides from the Supervisory Authorities, and
• conversations Signatu has had with its designer (Matthias Ott) and customers during Signatu’s comprehensive Cookie Banner Design Pilot.

The Cookie Consent Banner texts can be:

• edited,
• written/presented in different languages,
• styled,
• presented in light mode or dark mode,
• etc.

Which information goes into the Cookie Consent Banner?

Our paper "How to specify the content of a cookie consent request" published Journal of Data Protection & Privacy, Volume 3 (2019), clarifies what should be the information that must form part of a website’s consent request to set cookies or load remote resources in end users’ browsers.

For ePD/GDPR Cookie Consent Banners, the ECJ says (in the Planet 49 case) that the information which the cookie consent request must provide to end users is borne out of Article 10 of Directive 95/46, to which Article 5(3) of Directive 2002/58 and Article 13 of Regulation 2016/679 refer.

In essence, the Cookie Consent Banner needs to provide end users with answers to the following questions:

• which technology/method is used to process end users’ personal data?
• which personal data of end users’ are processed?
• how are end users’ personal data processed?
• why are end users’ personal data processed?
• what are the effects of the processing for end users in case of automatic decision-making including profiling?
• who sets the cookie or loads the script in end users’ browsers?
• who receives end users’ personal data?
• are end users’ personal data transferred outside the EU?
• what is the legal basis that permits the processing purpose?
• what is  the legal basis that permits the transfer of end users’ personal data outside the EU?
• what are the measures used to secure and restrict the data processing operation?
  

What is the appropriate design for a Cookie Consent Banner?

For ePD/GDPR Cookie Consent Banners, the ECJ says (in the Planet 49 case) that the Cookie Consent Banners must provide end users with "clear and comprehensive information" to enable end users:

to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed. It must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed.

This statement alone does not answer how information in a Cookie Consent Banner can be made clearly comprehensible.

Thus, we asked and answered more questions:

1. Whether and to what extent can a person B understand a) the consent request a person A intended for in a verbal conversation, and b) the consent request a website intended for in a Cookie Consent Banner
2. What possibilities of information exchange are there in a verbal conversation that lack in a cookie consent request in a Cookie Consent Banner?
3. Which contribution is required on the part of the website and on the part of the end user with regard to the end user understanding the consent request the website intended for?

In a verbal conversation, people can take turns in asking and answering questions and exchange information, whereas in a cookie consent request in a Cookie Consent Banner there is only one transaction of information from a website to an end user.

In any exchange of information regarding cookies from a website to an end user, the website’s aim should be to establish common ground, mutual knowledge, mutual beliefs and mutual assumptions (‘grounding’) between the website and the end user with regard to cookies.

This requires a certain contribution from the website and the end user, and a process to coordinate information exchange between the website and the end user.

From the website, one must require that the website’s text should

• be short and easy to digest.
• present the components of the data processing operation in a certain order.
• be true and consistent.
• be complete.
• describe the domain correctly.
• be unambiguous.

From the end user, one cannot require that the end user contacts the website owner/operator to ask clarifying questions or express lack of understanding. What can be the substitute? The answer is that the design of the Cookie Consent Banner should enable the end user:

• to view meta-information about the content of the consent request to give clues as to what is presented where.
• to interact with the Cookie Consent Banner in different layers.
• to query the text of the consent request.

For the design of Signatu’s Cookie Consent Banners, Signatu has looked at guides from several EU Supervisory Authorities. We find CNIL’s draft recommendation on "cookies and other trackers" to be the guide that gives best design guidance.

In our next blog post - on Signatu’s Cookie Consent Solution, part 2 - we will present and explain the design of Signatu’s Cookie Consent Banner.

If you have any questions, you can send me an email at:

hello@signatu.com