Facebook cannot provide legal guidance on compliance with regulations and policies. We recommend that you conduct your own assessment about consent requirements and talk to your Legal representative about what's best for your organization.
Regulatory expectations on requirements for collecting and sharing personal data have continued to evolve and guidance from Data Protection Authorities have further clarified expectations around how cookies and online collection of personal data is obtained. This can be seen through European laws, such as General Data Protection Regulation (GDPR) and Europe’s ePrivacy Directive.
The EU legislation is often supported by national regulatory guidance issued by Data Protection Authorities. These guidelines provide useful information as to how you can ensure you comply with the law. Some of the common expectations are highlighted in the next sections to follow, with a few examples of recent guidance that have been published at a national level.
This list is not exhaustive. We recommend that you contact your local Data Protection Authority and/or Legal adviser for further details of any specific guidelines that may apply to you.
The standard for securing valid consent under the EU legislation is high.
For consent to be valid, it must be:
You should consider carefully how you secure consent from a user to ensure that you meet the necessary requirements under EU law and to avoid the risk of consent being deemed invalid.
Consent should be requested prior to setting/using cookies that are not strictly necessary.
Websites and apps should display a clear, concise, and comprehensive statement upfront, with a link to their privacy or cookie notices for more detail. The link should be easily readable text and undisrupted by other features on the page.
In your notice, you’ll need to decide how to include more information, such as:
It is generally expected that it must be as easy to withdraw consent as to give in the first place.
There are a number of vendors and industry tools that can help with consent functionality. For example, consider working with a Consent Management Platform (CMP) provider, such as OneTrust or TrustArc.
This list of CMPs have registered with the IAB Transparency and Consent Framework.
This list is not exhaustive of all CMPs available, nor does adopting any of these CMP’s guarantee compliance.
Once you select a solution that's right for you, we recommend seeking help from an experienced developer and Legal counsel. It's important to make sure the controls you provide work correctly.
Examples of guidance on cookies and similar technology:
We have also published resources to help businesses educate people about the data they collect: