
PwC: 2024 White Paper on User Consent Practices under EU Regulatory Requirements (English version) (24 pages).pdf


White Paper on User Consent Practices under EU Regulatory Requirements (EEA)

Contents

Introduction
Chapter 1: What are the GDPR's and ePD's user consent requirements for businesses?
Chapter 2: How to build an effective and compliant consent banner for the EEA?
Chapter 3: Q&A
Conclusion
Contacts

Introduction

The General Data Protection Regulation (GDPR), implemented by the European Union, has established a global trend towards stricter data protection laws, granting consumers greater privacy rights. It is important for companies operating in the European Economic Area (EEA) to comply with privacy protection regulations to avoid significant penalties (administrative fines up to 20,000,000 EUR or up to 4% of the total worldwide annual turnover), which can severely impact their financial position, reputation, and consumer trust. Therefore, it is recommended that organisations enhance their data protection compliance capabilities to align with EEA regulations. By doing so, they can mitigate legal and economic risks, ensuring the continuity of their business. GDPR-compliant organisations can also inspire trust from consumers, enhance their brand image, and foster greater customer loyalty.

GDPR is widely recognised as a major milestone in privacy legislation and has had a profound impact on the regulations governing the digital advertising industry. The legislation imposes restrictions on businesses that collect and process personal data from EU IP addresses. Similarly, after Brexit, the United Kingdom General Data Protection Regulation (UK-GDPR) and Data Protection Act 2018 affect how businesses, as website or application owners, must obtain and store user consent. Therefore, the same requirements apply in the UK as in the GDPR.

Advertisers and publishers are required to obtain clear and explicit consent from users, which can be withdrawn at any time, regardless of whether the service provided by the business is via a website or an app. Hence, it is crucial for businesses to have a thorough understanding of their legal obligations.

This white paper provides a comprehensive overview of the EU regulatory requirements for obtaining user consent and offers examples of good practices. Chapter 1 provides a general interpretation of GDPR and ePrivacy Directive (ePD) requirements regarding user consent. It includes examples and in-depth explanation of relevant case studies related to topics such as cookies or personalised advertising. Chapter 2 is a practical guide on how to build an effective consent banner in compliance with EU regulations. Chapter 3 lists frequently asked questions shared by our customers and our responses to those questions.

Chapter 1: What are the GDPR's and ePD's user consent requirements for businesses?

While ePD emphasizes the consent requirement of cookies or similar technologies, the GDPR provides general principles regarding consent for personal data processing activities. And in its guidance on “consent” under the GDPR, the European Data Protection Board (EDPB) clarifies that the conditions for obtaining valid consent under the GDPR also apply to situations within the scope of the ePD. So, we focus more on the consent requirements of the GDPR.

As required by GDPR, businesses must have a legal basis for processing personal data, with consent from the data subject [1] being the most commonly used legal basis. As defined by the GDPR, personal data means any information relating to an identified or identifiable natural person (“data subject”), such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Overall, if consent is used as the legal basis for data processing in your company website or App, it is essential to comply with the following requirements regarding user consent.

[1] A data subject is defined by GDPR as an “identified or identifiable natural person” from whom or about whom information is collected.

Obtaining valid user consent

To be considered “valid”, the consent given by the data subject must meet certain criteria. It should be freely given, specific, informed, and indicate unambiguously that the data subject wishes to agree, by a statement or by a clear affirmative action, to the processing of personal data. Four key elements should be noted:

Freely given: The “free” aspect of the requirements implies real choice and control on the data subject's part. Any inappropriate pressure or influence exercised upon the data subject (which may be manifested in many different ways) preventing them from exercising their free will shall render the consent invalid.

- Consent cannot be bundled up as a non-negotiable part of terms and conditions.
  Example: A website provider sets up a script that will block content from being visible unless the data subject agrees to a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no option to access the content without first clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice, their consent is not freely given.
- Consent should not be provided in a bundle of processing purposes. Instead, data subjects should be free to choose which purposes they accept or decline.
  Example: Using the same consent request, a retailer asks its customers for consent to use their data to send them marketing materials by email and sharing their details with other companies within their group. This consent request is not granular, as there are no separate choices for these two purposes, therefore the consent is not considered valid.
- Refusing to give or withdrawing consent cannot be detrimental to data subjects (e.g., in the form of additional cost and downgraded service quality).
  Example: A customer subscribes to a fashion retailer's newsletter offering general discounts. The retailer asks the customer for consent to collect their data on shopping preferences for the purpose of tailoring the offers based on their preferences, shopping history, or information collected from a voluntary questionnaire. When the customer later withdraws consent, he or she should still receive the same discounts without personalised marketing information.

Specific: The “specific” aspect aims to ensure a degree of user control and data transparency. Consent from data subjects must be obtained for a specific processing purpose without function creep, and users should be informed of that specific purpose. If consent is sought for different purposes, separate options should be provided for each purpose to allow users to give specific consent for each one.

  Example: A game App collects users' personal data, with their consent, to provide personalised suggestions for game content based on their operating habits. If the application later decides to enable third parties to send or display targeted advertising based on the subscribers' habits, new consent is required for this new purpose.

Informed: The “informed” aspect requires providing information to data subjects prior to obtaining their consent, thus enabling them to make informed decisions. The request for consent should be clearly distinguishable from other matters and presented in an intuitive and easily accessible form using clear and plain language. For example, information relevant for making informed decisions on whether or not to give consent should not be hidden in the general terms and conditions. The minimum information to be provided for obtaining a valid consent includes:

i. the controller's identity;
ii. the purpose of each of the processing operations for which consent is sought;
iii. the type of data to be collected and used;
iv. the existence of the right to withdraw consent;
v. information about the use of the data for automated decision-making in accordance with GDPR Article 22(2)(c) [2] where relevant;
vi. information on the possible risks of data transfers to a third country in the absence of an adequacy decision from the European Commission and of appropriate safeguard measures as described in GDPR Article 46 [3], where relevant.

[2] Required by GDPR Article 22(2): The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, unless there is a legal basis for one of the three following: (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; (b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (c) is based on the data subject's explicit consent.

[3] Required by GDPR Article 46: The controller or processor should provide appropriate safeguards before transferring personal data to a third country or an international organisation.

Unambiguous indication of wishes: To be valid, consent requires an unambiguous indication by means of a statement or by a clear affirmative action. Consent can be collected through written or oral statements, including through electronic means. Silence or inactivity on the part of the data subject, as well as merely proceeding with a service, cannot be considered as an active indication of choice. Therefore, it is important to ensure that user consent is collected in a way that allows for easy feedback. This can be achieved by providing buttons or unticked boxes. Blanket acceptance of general terms and conditions cannot be seen as a clear affirmative action to consent to the use of personal data. Businesses should design their consent mechanism in ways that are clear and unambiguous to data subjects, while ensuring that the action by which consent is given can be distinguished from other actions.

  Example: When users visit a website for the first time, they are informed that cookies are used to collect information about their interactions. This information is used to improve and customise their browsing experience. By clicking the “Accept” button, the user is able to validly perform a “clear affirmative action” to consent to the processing. Users also need to be provided with a “Decline” button and the information regarding their interactions should no longer be collected when they click “Decline”.

“Explicit” consent should be obtained under certain circumstances

If consent is used as legal basis in the following situations, an “explicit” consent is required. Explicit consent, which tends to be more stringent than regular consent, should be required in the following situations:

- processing of special categories of personal data as defined in Article 9 of GDPR, including the personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or membership status in a trade union, genetic data or biometric data for the purpose of uniquely identifying a person, data concerning health or data concerning a person's sex life or sexual orientation;
- personal data processing for automated individual decision-making, including profiling [4];
- personal data transfers to third countries or international organisations in the absence of adequate safeguards.

[4] Means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

We recommend consulting with a professional third party for a detailed analysis regarding the above scenarios.

To obtain the explicit consent of a data subject, companies may consider using one of the following methods:

- Written statement: The data subject expressly consents by providing a written statement, which may require a signature where appropriate.
- Digital or online context: In this scenario, consent of a data subject can be expressed through filling in an electronic form, sending an email, uploading a scanned document carrying the signature of the data subject, or using an electronic signature.
- Verification of consent in two stages: Consent can be verified in two stages to ensure its authenticity and validity.

To avoid compliance issues, it is advisable to refrain from using the aforementioned special categories of data and precise location data for advertising purposes.

Additional requirement to obtain children's consent

According to GDPR, additional requirements apply when processing the personal data of vulnerable individuals, especially children. Such protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.

For websites or apps that target children, companies should pay attention to the additional requirements as far as consent-based data processing is concerned:

- When the child is below the age of 16 years (may be different based on individual country's law within the EEA), such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
- Reasonable efforts should be made to verify in such cases where consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

To minimise any potential compliance issues, it might be advisable not to implement personalised advertising to children altogether.

Consent withdrawal requirement

Article 7(3) of GDPR prescribes that the data subject has the right to withdraw his or her consent at any time. Some specific requirements related to consent withdrawal are as follows:

- Data subjects should be able to withdraw their consent as easily as they provide it. For example, if consent is obtained through the use of a service-specific user interface via a website or an app, it must contain the option to withdraw via the same electronic interface.
- The withdrawal of consent should be free of charge and not result in a lowering of service quality.
- The data subject must be informed of the right to withdraw consent as a part of the information required to be provided for obtaining a valid consent.
- If the data subject withdraws consent, the processing of data must be terminated immediately. If there is no other lawful basis, such data must be deleted.

Consent record requirement

In Article 7(1), the GDPR clearly outlines the explicit obligation of the controller to demonstrate a data subject's consent. In other words, companies should maintain a record of consent obtained from data subjects. For as long as a data processing activity in question lasts, the obligation to demonstrate consent remains applicable. After the processing activity ends, proof of consent should be kept no longer than strictly necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims.

Chapter 2: How to build an effective and compliant consent banner for the EEA?

Best practices for building a good website consent banner

Step 1: Understand regulatory requirements regarding user consent. You can refer to Chapter 1 for an overview of regulatory requirements in EEA and UK regarding user consent. Please note that these are general requirements and there can also be other legal differences (e.g., the age at which a person is considered to be a child).

Step 2: Audit your website to identify cookies and other trackers. Conduct a thorough scan of your website to learn about cookies, beacons, and other tracking technologies being used on your website. Verify that the use of cookies complies with your privacy policy or the privacy policy of the third-party website where the cookies are placed. Auditing your website allows you to automatically detect and classify cookies and tracking technologies, enabling consumers to understand and make informed choices. Cookies generally have the following types: strictly necessary, functional, statistical, marketing, etc. Only strictly necessary cookies can use implied consent; granular options for accepting or rejecting other types of cookies should be available to the user. This is explained further in Step 3.

Step 3: Design and set up your banner. When designing your consent banner, you may need to consider how you can enhance the user experience and potentially increase the user consent rate while still meeting regulatory requirements. However, additional requirements should be based on guidance issued by local data protection authorities. Relevant guidance can also be found on some consent management platforms. Here we offer some practices:

Banner position: The placement of the banner is the key factor that affects the consent rate. It is commonly placed in the middle of the webpage, the footer of the website, and the top of the webpage. Placing the banner in the middle tends to attract more attention. Industry research has found that the position of the consent layer in the middle of the website had the highest consent rate.

Figure 1: Position of the 3 main categories banner

Content: Fully consider the compliance requirements regarding user consent as explained in Chapter 1. Inform users about cookie usage in plain and jargon-free language. The following steps are advised:

- Clearly identify your organisation. Display your company name or logo on the banner; if your website shares the data collected through cookies with third parties, such as advertising or analytics partners, the consent banner should inform users about such data sharing practice;
- Describe what (type of) data will be collected and used;
- Explain the purposes for data processing. For example, use cookies to serve users relevant promotions (marketing) or to give users a better experience of the website (functional);
- Communicate the right to withdraw consent at any time and the withdrawal method;
- Link to website cookies and privacy policies; we also recommend that the consent banner link to a list of vendors with whom they share this data.

Button: Display “Accept” and “Reject” buttons, or buttons with words of similar meaning, on the banner in a clear way. Only when the user actively clicks “Accept” can it be regarded as valid consent. However, some studies show that the consent rate of this setup is relatively low because users will often say no if they don't understand the implications of such action. The “Accept + Settings” combination shows the highest acceptance rate. You can also increase user consent with a pleasant or trusting tone of voice. For example, the use of “Please accept!” and “[website name] values your privacy” can increase the acceptance rate of users to a certain degree.

Figure 2: Good practice for buttons on consent banner

  Cookies on XX Sites
  We use cookies for a number of reasons, such as keeping XX Sites reliable and secure, personalising content and ads, providing social media features and to analyse how XX Sites are used.
  Buttons: Accept & continue / Reject all / Manage cookies

Colour: You can customise the consent banner's colours to match the business's brand style. In terms of font colours, try reversing the theme (dark background and bright text, rather than bright background and dark text); this could influence the agreement rate positively. For example, unlike the text on the “Decline” button, the “Accept” button can be darker in colour with border font and shows an icon in a convenient position.

Font: Generally, the title text, such as the name of the organisation and button text, should be large enough for viewing; the text describing the purpose of collecting information should be in a smaller font and should not be too long or too short in length; the links to the privacy policy and cookie policy should also be distinguished by different fonts (e.g., italic, bold, etc.) and colours.

Language: Display banners in local languages depending on the country or jurisdiction where the site is hosted, allowing users to understand the content effectively.

Figure 3: Practice reference for different language display

  Cookies on XX Sites
  We use cookies for a number of reasons, such as keeping XX Sites reliable and secure, personalising content and ads, providing social media features and to analyse how XX Sites are used.
  Buttons: Accept & continue / Reject all / Manage cookies

  Cookies sur les sites XX
  Nous utilisons des cookies pour un certain nombre de raisons, notamment pour assurer la fiabilité et la sécurité des sites XX, personnaliser le contenu et les publicités, fournir des fonctions de médias sociaux et analyser la manière dont les sites XX sont utilisés.
  Buttons: Accepter et continuer / Rejeter tous les / Gérer les cookies

Consent management mechanism:

- After the consent banner, users can access the consent management interface via a “Manage my cookies” button or link. Users should be given the option to choose which cookies they want to accept before their personal information is collected. As mentioned in Step 2, classify the cookies and inform the user about the role of each category of cookies. Except for strictly necessary cookies, all other types of cookies require users to actively tick the box.
- You should have a clear and simple opt-out mechanism. Users must be able to withdraw their consent at any time. You may provide users the link to cookie management in the footer of the web page. After the cookie pop-up window appears, users should be able to enter the webpage in a simple way to access cookie settings, such as changing consent preferences.

Figure 4: Practice reference for consent management mechanism

  XX
  Manage Cookies
  You can manage which cookies are set on your device, but if you disable cookies, some part of the XX site may not work properly. Some cookies are essential for the operation of our sites. By clicking the Save button below you are accepting cookies in accordance with our Cookie Policy.
  What cookies does this toggle cover?
  Please sign into your account before submitting your preferences to ensure these changes are applied across all of your device
  Allow: See personal advertising and allow measurement of advertising effectiveness
  Block: Block personalised advertising and measurement of advertising effectiveness
  Save
  If you turn this off, you will still see the same number of adverts but they may be less relevant.
  Third party technology that helps us deliver other functionality
  We used third party cookies to optimize marketing performance and to measure the effectiveness of our advertising on other websites. Due to technical limitations please follow the links below for each provider's policies and instructions to opt out. You will need to make these changes on every browser you use.
  XXXXXX (third party)
  XXXXXX is a digital measurement platform that enables us to monitor advert viewability and analyse invalid traffic.
  Other ways to opt out
  Alternatively, you can manage cookies via your browser settings or by using the below two links: this will impact your cookie settings across the Internet, not just on XXXXX: Your Ad Choices, Your Online Choices
  Some advertisers and third parties will personalize adverts based on data you have provided to them, to the extent that you have consented to this. To fully understand how these third parties process personal information, please review their policies. You can manage your cookie settings with these partners by visiting the links below. For more details of the cookies used for advertising please visit: XXXXXX website

  Cookies on XX Sites
  We use cookies for a number of reasons, such as keeping XX Sites reliable and secure, personalising content and ads, providing social media features and to analyse how XX Sites are used.
  Buttons: Accept & continue / Reject all / Manage cookies

Step 4: Double check. You should ensure trackers are automatically blocked until user consent is obtained. Ensure that banners are set, and that cookies are executed in a manner consistent with your public privacy policy. Show the right consent banner to the right person at the right time.

Step 5: Measure success. Once you have a basic banner set up on your website, it is also important to monitor the approval rate using an interactive dashboard. If opt-ins are low, it's time to do some testing. Through A/B testing, experimentation, and easy testing of template design, layout, copy, CTA, text, colour, and so on, you can determine which changes produce the highest conversion rate. According to the practice of some consent management platforms, the consent rate varies considerably across industries, as shown below.

Figure 5: Consent rate of major industries [5]

  Industries shown: News, Gaming, Insurance, Tourism, Work & Education, Finance & Economics, Information Technology, Medical, Family, E-Commerce, Automotive, Entertainment, Sports
  Consent rates shown: 87%, 78%, 83%, 83%, 89%, 81%, 82%, 85%, 90%, 84%, 77%, 83%, 87%

[5] Source: Statistical analysis of more than 1 billion consent layers across 15,000 websites using the consent manager platform from Consent Manager.

Best practices for building a good APP consent banner

Since APP consent is a much more complex topic, we just give some general advice for reference here. For further guidelines, refer to the requirements for developers provided by the APP distribution platform, such as Google Play's guidance or Apple App Store's guidance. It is also very important to start thinking about privacy by design before development itself.

Figure 6: Practice reference for App

  Continue
  I have read and agree to XX's Privacy Policy.
  Closed
  With your agreement, we and our partners use cookies or similar technologies to store, access, and process personal data like your visit on this website. You can withdraw your consent or object to data processing based on legitimate interest at any time by clicking our Privacy Policy

Step 1: Understand regulatory requirements regarding user consent. For APP providers, the regulatory requirements you need to comply with to publish your app in the EEA and UK are the same as those mentioned in Chapter 1. Additionally, you need to comply with the privacy policy of the application platform where your APP will be published.

Step 2: Audit services and APIs for compliance in your APP. Perform a thorough scan of the app and consider GDPR obligations when integrating your app with third-party services or APIs. These details need to be documented in your privacy policy.

Step 3: Design and set up a consent banner or consent box on APP. If you choose consent as the legal basis of processing the data on the APP, user consent should be obtained before any processing occurs for the first time. We strongly recommend displaying a consent screen (in the form of a banner, box, etc.) on app launch as this is the only way to be fully GDPR compliant. When providing an app on iOS devices, it is necessary to follow the additional requirements regarding App Tracking Transparency [6]. Obtaining user consent for App Tracking Transparency (ATT) is a distinct process from obtaining user consent to comply with GDPR regulations.

As with the consent banner on the website, you need to make similar settings for content, button, colour, font, and language. (Not to be repeated here.)

Position: It is recommended that the APP pop-up window be placed in the middle or lower part of the screen, so that it is easier to attract the user's attention as well as convenient for the user to click.

Consent management mechanism:

- You can select a sidebar or menu item to link to the interface for managing privacy and data collection. Show users your privacy policy, information about the types of data being collected, and allow them to change their consent choices. Additionally, you should provide users with the option to enable or disable personalised advertising on the settings page.
- Similarly, with a GDPR-compliant mobile App there should also be a dedicated page where the user can opt out of communication with the App or ask for their data to be deleted. The entry to this page should be simple and clear.
- In addition, it is necessary to implement other GDPR-required compliance measures, such as providing mechanisms for data subjects to exercise their rights. We recommend consulting with a professional third party for a detailed analysis regarding the further scenarios.

[6] You need to receive the user's permission through the App Tracking Transparency (ATT) framework in order to track them or access their device's advertising identifier. For more information, please refer to Apple.

Step 4: Double check. User information cannot be captured until consent has been obtained from the user. Make sure that the app's data collection is performed in a way that is consistent with your privacy policy.

Step 5: Measure success. Finally, you also need to monitor the consent rate on the app and test it with the suitable methods to find the changes that will have a positive effect.

Checklist for a compliant consent banner

The following checklist might help you avoid common mistakes when implementing consent banners:

- Have you checked that your consent notification is displayed when users from all EEA countries visit your website or app?
- Have you automatically blocked trackers before obtaining user consent?
- Have you clarified to users what personal data is being collected and why when users consent to the collection of their personal data on your website or app? (e.g. are they aware that their personal data will be used for personalised advertising?)
- Have you informed users who will use the data (including third parties) and for how long?
- Have you provided separate consent options for each purpose, rather than bundling consent to cover multiple purposes or activities?
- Does the user have the option of taking a clear and positive action to indicate consent, i.e. by clicking on the “OK” button or the “I agree” button?
- Have you provided an easy access for users to modify their consent preferences or withdraw consent in the future?
- Have you recorded and stored this consent data to be used to verify user consent in case of an audit by a data protection authority (DPA) after obtaining it?

Chapter 3: Q&A

Can I present an “accept” button alone?
According to GDPR, you need to provide an opt-out option for users. You should present both “accept” and “reject” buttons, or present only an “accept” button but also allow users to enter a “manage cookies” page to set their cookie preferences.

What if I don't allow the user to play the game if no consent is given?
For a consent to be valid, it must be “freely given” by a user, which means consent to process personal data that are not necessary for the performance of a contract or service cannot be tied to the provision of that contract or service. Therefore, it is not suggested to bind the basic service purpose (play the game) with the advertising purpose for a user to consent to together.

Do I need to include all third parties?
Yes, under GDPR you should include all third party vendors that you will be sharing user information with and link clearly to their data policies.

If a user rejects, how soon can I pop up the consent banner again?
Legally, when a user doesn't give consent, no information of such user should be recorded. That means you wouldn't know that the user didn't give consent and came back again. You should treat a non-consent user as a new visitor.

Can I include the consent notice in my terms and conditions statement?
No. Combining consent notice with terms and conditions can often lead to a long, complicated document that is difficult to read. It is recommended that consent notices be provided separately so that users have a clearer understanding of how their data will be used and give explicit consent.

Conclusion

In the current era of rapid digitalisation, businesses are encountering compliance challenges due to stricter regulations imposed by data protection authorities. This whitepaper serves as an introduction to EEA regulations on user consent, provides examples of good practices, and offers guidance on reducing compliance risks. Businesses can refer to this whitepaper to gain insight into EEA regulations on user consent, learn from good practices, and take necessary steps to mitigate compliance risks.

Contacts

Jane Wang, New Law Reporting and Strategy Service Advisory Leader, PwC China
Elle Zhou, New Law Reporting and Strategy Service Advisory Partner, PwC C
Tianbin Ye, Digital and Technology Consulting Services Partner, PwC C

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. 2024 PricewaterhouseCoopers All rights reserved. PwC refers to the China member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see for further details.
