The Universal Consent Platform allows you to configure consent notices to comply with various privacy regulations. The most prevalent regulations and consent types are outlined below.
Disclaimer: Information in this section is general guidance and should not be considered legal advice.
The General Data Protection Regulation (GDPR) applies to any organization offering services to, or monitoring the behavior of, EU citizens regardless of geographic location.
Organizations must obtain valid consent prior to using or processing personal data that is non-essential to the functioning of the website. To be considered “valid” under the GDPR, consent must be a clear affirmative act that is freely given, specific, informed, and unambiguous. Consent models like “implied consent” or “inferred from someone’s actions” are not considered compliant with the GDPR.
GDPR also grants a number of personal data rights to EU citizens. Organizations must allow visitors to submit data subject access requests and will need a process for fulfilling them.
The California Consumer Privacy Act (CCPA) applies to organizations that collect personal data on California residents, regardless of the organization’s geographic location.
Unlike the GDPR, the CCPA does not require consent prior to using or processing personal data. It does require organizations to disclose the personal data being collected and to give consumers the ability to opt out of the sale of their personal information. This includes a prominent and conspicuous link titled “Do Not Sell My Personal Data.”
Under global privacy regulations, data collection practices must be outlined and/or consented to before they can lawfully occur. This is done through consent notices – often in the form of banners or barriers on websites. These notices tell website visitors which technologies are on the websites they visit and the type of data those technologies collect, and they help ensure data is lawfully gathered.
Different regulations require different forms of consent. Additionally, you may want to notify your visitors or capture consent, even if they do not fall under any specific regulations.
Prior Consent (Opt-In)
Prior consent, also known as “opt-in” consent, means advertising and marketing cookies are not dropped and tags do not fire unless the website visitor has explicitly given permission for it to happen. The website (or other medium) does not collect any information outside of what it needs to function until the visitor has given their explicit permission. This usually happens through clicking an “Accept” button.
Implied consent means that consent is implicitly granted based on a website visitor’s actions, for example, clicking anywhere on the page, scrolling, or continuing to use the site. This is not equivalent to explicit consent.
No Consent Required
For situations where no consent is required, a company may wish to inform the visitor that data is being collected. In these cases, the visitor has no control over the collection of data.