Hacker News

Someone should build GDPR-compliance-as-a-service.



There are already a few services. OneTrust, Ketch, a few more as well.


None of those give you compliance?

A consent popup that makes it harder to decline than to accept is not compliant, nor one that merely cares about cookies/local storage while still loading third-party scripts and leaking your IP address & browser fingerprint.

A compliant consent flow would require explicit consent before loading any non-essential third-party scripts, but I'm not aware of any mainstream solution that does this, primarily because an actually compliant solution would put certain employees and maybe even entire companies out of business, thus pseudo-compliance is preferred over actual compliance.

Furthermore, even if you do actually handle tracking consent properly, it is only part of your GDPR compliance approach. It doesn't matter if your website tracking is compliant if your backend then uses the data without appropriate legal basis.
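As an added illustration of the gating the comment above describes (this is not any commenter's code, nor any named vendor's): non-essential third-party scripts are queued and only fetched after an explicit accept, a decline is a single call just like accept, and the default state loads nothing. The `storage` and `loadScript` hooks are assumptions so the gate runs outside a browser; in a page you would pass `window.localStorage` and a function that appends a `<script>` element.

```javascript
'use strict';

// Three explicit states; "undecided" is the default and behaves like "declined"
// for loading purposes, so no third-party request leaves the browser before a choice.
const STATES = Object.freeze({ UNDECIDED: 'undecided', ACCEPTED: 'accepted', DECLINED: 'declined' });
const KEY = 'consent-state';

// Minimal in-memory stand-in for window.localStorage (assumption: used for offline runs/tests).
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => { m.set(k, String(v)); } };
}

// storage: { getItem, setItem }; loadScript: (url) => void, e.g. append <script src=url>.
function createConsentGate({ storage, loadScript }) {
  const pending = new Set(); // non-essential URLs waiting for an explicit accept
  const loaded = [];         // every URL actually handed to loadScript, in order

  function state() {
    const saved = storage.getItem(KEY);
    return Object.values(STATES).includes(saved) ? saved : STATES.UNDECIDED;
  }
  function load(url) { loaded.push(url); loadScript(url); }

  return {
    state,
    // Returns true if the script was loaded now, false if it was withheld.
    register(url, essential = false) {
      if (essential || state() === STATES.ACCEPTED) { load(url); return true; }
      if (state() === STATES.UNDECIDED) pending.add(url); // may load later, only after accept()
      return false; // declined: never load, do not even queue
    },
    accept() {
      storage.setItem(KEY, STATES.ACCEPTED);
      for (const url of pending) load(url);
      pending.clear();
    },
    // Declining is one call, symmetric with accept(), and drops anything queued.
    decline() { storage.setItem(KEY, STATES.DECLINED); pending.clear(); },
    loaded: () => loaded.slice(),
  };
}
```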


GDPR compliance is trivial if you build it from the start. Those who can comply can easily do so themselves.

The problem is that a lot of businesses (or careers) just won't be possible without breaching the GDPR, and that's not something a "compliance-as-a-service" company would fix. An honest company would tell you to close your business or severely downsize your marketing team; a dishonest one would just take your money and give you a false sense of security.


We are building one such service and I agree (to name a few services doing GDPRaaS: soveren.io, ethyca.com, securiti.ai, datagrail.com, alias.dev). This is so much needed as there is almost no legally valid answer in the whole comment section! I started to write an article on all the points above… should get back in 2 hours and post it here


In bullet points:

- GDPR is a risk management policy about personal data protection more than a privacy regulation

- for any personal data (PII) all companies must declare the following:

  - purpose of the collection and the treatment of the specific data

  - legal base of the treatment (6 available, they are the field card in Magic the Gathering, they define a context of what is possible to do)

  - data category (what type of data you are collecting, i.e. if you declare collecting delivery shipping information for a purpose, you limit yourself to data that correspond to that category)

  - data retention duration (how long you declare storing the data in production and then in archive)

  - list of recipients (all the 3rd party companies who will access the data)

  - security measures (what is the level of security for keeping that data safe from breaches)

  - some info about the company, the data controller (who is responsible) etc…

So all companies must do an internal data mapping to know and declare where the data is and where it flows in production, and write for every PII a ROPA (record of processing activity). You can find an open source specification, UROPA, here:

https://github.com/uropa-project/uropa

- consent is just one of the 6 legal bases to collect and treat data. The comment above that everything is possible with consent is wrong.

- below 250 employees you don't officially need a DPO



