100 Questions About GDPR, Consent Statuses, and Website Implementation
GDPR Fundamentals (Questions 1-20)
- What does GDPR stand for?
  GDPR stands for General Data Protection Regulation, a comprehensive data privacy law enacted by the European Union.
- When did GDPR come into effect?
  GDPR came into force on May 25, 2018, replacing the 1995 Data Protection Directive.
- Who does GDPR apply to?
  GDPR applies to any organisation processing personal data of EU residents, regardless of where the organisation is located.
- What is considered personal data under GDPR?
  Personal data is any information relating to an identified or identifiable natural person, including names, email addresses, IP addresses, location data, and online identifiers.
- What are the seven key principles of GDPR?
  The principles are lawfulness/fairness/transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality, and accountability.
- What is the maximum fine for GDPR violations?
  The maximum fine is €20 million or 4% of annual global turnover, whichever is higher.
- What is a data controller?
  A data controller determines the purposes and means of processing personal data.
- What is a data processor?
  A data processor processes personal data on behalf of the controller.
- What are the lawful bases for processing personal data?
  The six lawful bases are consent, contract, legal obligation, vital interests, public task, and legitimate interests.
- What is the right to be forgotten?
  The right to erasure allows individuals to request deletion of their personal data under certain circumstances.
- What is data portability?
  The right to data portability allows individuals to receive their personal data in a structured, commonly used format and transfer it to another controller.
- What is a Data Protection Impact Assessment (DPIA)?
  A DPIA is a process to identify and minimise data protection risks of a project or processing activity.
- When is a DPIA required?
  A DPIA is required when processing is likely to result in a high risk to individuals’ rights and freedoms.
- What is a Data Protection Officer (DPO)?
  A DPO is an expert who monitors GDPR compliance within an organisation.
- When must an organisation appoint a DPO?
  A DPO is required for public authorities, organisations conducting large-scale monitoring, or large-scale processing of special category data.
- What are special categories of personal data?
  Special categories include data revealing racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation.
- What is the accountability principle?
  Organisations must demonstrate compliance with GDPR principles through documentation and appropriate measures.
- What is privacy by design?
  Privacy by design means implementing data protection measures from the start of system design.
- What is privacy by default?
  Privacy by default means that the strictest privacy settings apply automatically without user action.
- What are data subject rights under GDPR?
  Rights include access, rectification, erasure, restriction of processing, data portability, objection, and rights related to automated decision-making.
Consent Fundamentals (Questions 21-40)
- What constitutes valid consent under GDPR?
  Valid consent must be freely given, specific, informed, and unambiguous through a clear affirmative action.
- Can silence or inactivity constitute consent?
  No, silence, pre-ticked boxes, or inactivity do not constitute valid consent.
- What is granular consent?
  Granular consent means requesting separate consent for different processing purposes rather than bundled consent.
- Can consent be withdrawn?
  Yes, individuals must be able to withdraw consent as easily as they gave it.
- What is the difference between explicit and implied consent?
  Explicit consent requires a clear statement, while GDPR generally doesn’t recognise implied consent as valid.
- Is a privacy policy sufficient for obtaining consent?
  No, a privacy policy informs users but doesn’t constitute consent; separate affirmative action is required.
- What information must be provided when obtaining consent?
  Organisations must provide identity, processing purposes, data types, withdrawal rights, and, if applicable, information about automated decision-making.
- Can consent be a condition of service?
  Generally, no, unless processing is necessary for the service; consent must be freely given.
- How should consent be documented?
  Organisations must maintain records of who consented, when, how, what they were told, and whether consent was withdrawn.
- What is consent fatigue?
  Consent fatigue occurs when users are overwhelmed by repeated consent requests and may accept without reading.
- Are cookie walls GDPR compliant?
  Cookie walls that block access unless users accept non-essential cookies are generally not compliant, as consent wouldn’t be freely given.
- What is the age of consent for children’s data?
  Children under 16 (or a lower age set by member states, minimum 13) need parental consent for online services.
- How should parental consent be verified?
  Reasonable efforts must be made to verify parental authority, considering available technology and costs.
- Can consent be inferred from user behaviour?
  No, consent requires a clear affirmative action and cannot be inferred from continued use or browsing.
- What is the difference between consent and legitimate interest?
  Consent requires user permission; legitimate interest allows processing without consent if balanced against user rights.
- Can consent be bundled?
  No, consent for different purposes must be separate and specific.
- What is fresh consent?
  Fresh consent means re-obtaining consent when significant changes occur to processing activities.
- How long is consent valid?
  There’s no fixed period, but consent should be refreshed if circumstances change or after a reasonable time.
- What is a consent receipt?
  A consent receipt is documentation provided to users confirming what they consented to.
- Can consent be transferred to third parties?
  No, consent is specific to the original controller and cannot be transferred without new consent.
Consent Statuses and Management (Questions 41-60)
- What are the typical consent statuses?
  Common statuses include given, withdrawn, expired, pending, partial, and not requested.
- How should consent withdrawal be handled?
  Withdrawal must be processed immediately, with data processing stopped and data deleted unless another lawful basis applies.
- What is consent versioning?
  Consent versioning tracks which version of the consent terms users agreed to, which matters when policies change.
- How should partial consent be managed?
  Systems should allow users to consent to some purposes while rejecting others, with functionality adjusting accordingly.
- What is consent refresh?
  Consent refresh is the process of re-obtaining consent periodically or when terms change significantly.
- How should expired consent be handled?
  Expired consent should trigger either deletion of data, re-consent requests, or transition to another lawful basis if applicable.
- What is a consent management platform (CMP)?
  A CMP is software that manages the collection, storage, and documentation of user consent preferences.
- What should a consent audit trail include?
  An audit trail should include a timestamp, a user identifier, the consent version, the purposes consented to, the method of collection, and withdrawal history.
- How should conflicting consent statuses be resolved?
  The most recent, clearly expressed user preference should take precedence.
- What is consent synchronisation?
  Consent synchronisation ensures consent preferences are consistent across all systems and platforms.
- How should consent be managed across multiple domains?
  Each domain should obtain separate consent unless using a centralised consent framework with clear user understanding.
- What is the difference between opt-in and opt-out?
  Opt-in requires affirmative action to consent (GDPR compliant); opt-out assumes consent unless the user objects (generally not compliant).
- How should consent preferences be stored?
  Consent preferences should be stored securely, encrypted where appropriate, and kept as long as necessary to demonstrate compliance.
- What is consent drift?
  Consent drift occurs when actual data processing gradually diverges from what users originally consented to.
- How should consent be managed for existing users?
  Existing users whose data was collected before GDPR must be asked for consent again if the original legal basis was inadequate.
- What is implicit withdrawal?
  Implicit withdrawal might occur through account deletion or prolonged inactivity, but explicit mechanisms are a better practice.
- How should consent failures be handled?
  Technical failures in consent mechanisms should default to non-consent until proper consent can be obtained.
- What is consent scope?
  Consent scope defines exactly what data, purposes, and processing activities the consent covers.
- How should consent be managed for anonymous users?
  Anonymous users should still receive consent mechanisms, with preferences stored via cookies or local storage until account creation.
- What is consent reconciliation?
  Consent reconciliation is the process of matching and updating consent records when users access services through multiple channels.
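The statuses, versioning, withdrawal, expiry and "most recent preference wins" rules above fit naturally into an append-only ledger. The following is an added example written for this post (it is not the post's own code or any CMP's API): an event log from which per-purpose status is derived on demand, so the audit trail is never rewritten and any gap, stale terms version or failure resolves to "no consent". The purpose names, the terms version number, the 12-month validity window and the sample users are assumptions constructed for the example.

```javascript
// Added example (not the post's own code): an append-only consent ledger that
// derives the statuses listed above (given, withdrawn, expired, pending,
// partial, not requested) from recorded events. Purpose names, the terms
// version and the 12-month validity window are assumptions for the example.

const CURRENT_TERMS_VERSION = 3;                   // bump whenever consent terms change
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000;  // assumed validity window (12 months)
const DAY_MS = 24 * 60 * 60 * 1000;
const REPROMPT = ['not_requested', 'pending', 'expired']; // statuses the banner must ask about

class ConsentLedger {
  constructor(purposes) {
    this.purposes = purposes;  // e.g. ['analytics', 'marketing']
    this.events = [];          // audit trail: appended to, never edited
  }

  // One event per decision: who, which purpose, what, which terms version,
  // how it was collected, and when (epoch ms). Invalid input is rejected loudly.
  record({ userId, purpose, decision, version, method, at }) {
    if (!this.purposes.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (decision !== 'given' && decision !== 'withdrawn') throw new Error(`bad decision: ${decision}`);
    this.events.push({ userId, purpose, decision, version, method, at });
  }

  // Latest event for a user/purpose recorded at or before `now`; later insertion
  // wins on equal timestamps. Querying with a past `now` gives an as-of view for audits.
  latest(userId, purpose, now) {
    let best = null;
    for (const e of this.events) {
      if (e.userId === userId && e.purpose === purpose && e.at <= now && (!best || e.at >= best.at)) best = e;
    }
    return best;
  }

  // Status of one purpose at time `now`: the most recent clearly expressed
  // preference wins, and outdated terms or old records never count as consent.
  status(userId, purpose, now) {
    if (!this.purposes.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    const e = this.latest(userId, purpose, now);
    if (!e) return 'not_requested';
    if (e.decision === 'withdrawn') return 'withdrawn';
    if (e.version !== CURRENT_TERMS_VERSION) return 'pending';  // terms changed: fresh consent needed
    if (now - e.at > CONSENT_TTL_MS) return 'expired';
    return 'given';
  }

  // Purposes to ask about again. A withdrawal is respected, not re-asked.
  needsPrompt(userId, now) {
    return this.purposes.filter(p => REPROMPT.includes(this.status(userId, p, now)));
  }

  // Per-purpose view plus an overall status; 'partial' covers mixed decisions,
  // and a mix of non-given statuses is reported as 'pending' (action needed).
  summary(userId, now) {
    const byPurpose = Object.fromEntries(this.purposes.map(p => [p, this.status(userId, p, now)]));
    const values = Object.values(byPurpose);
    let overall;
    if (values.every(v => v === 'given')) overall = 'given';
    else if (values.some(v => v === 'given')) overall = 'partial';
    else if (values.every(v => v === values[0])) overall = values[0];
    else overall = 'pending';
    return { overall, byPurpose };
  }

  // Processing gate: fails closed, so an unknown purpose or any error means "no".
  mayProcess(userId, purpose, now) {
    try { return this.status(userId, purpose, now) === 'given'; } catch { return false; }
  }
}

// Constructed sample data for the example (not real users or real records).
function buildSampleLedger() {
  const t0 = Date.UTC(2024, 0, 1);
  const ledger = new ConsentLedger(['analytics', 'marketing']);
  ledger.record({ userId: 'u1', purpose: 'analytics', decision: 'given', version: 3, method: 'banner', at: t0 });
  ledger.record({ userId: 'u1', purpose: 'marketing', decision: 'given', version: 2, method: 'banner', at: t0 });
  ledger.record({ userId: 'u1', purpose: 'analytics', decision: 'withdrawn', version: 3, method: 'settings_page', at: t0 + DAY_MS });
  ledger.record({ userId: 'u2', purpose: 'analytics', decision: 'given', version: 3, method: 'banner', at: t0 });
  return { ledger, t0 };
}
```

Deriving status from the log rather than storing a mutable "current status" field is what makes the audit trail trustworthy: a withdrawal is a new event, not an edit, and the same log answers "what did this user consent to on a given date?" by passing that date as `now`. The gate `mayProcess` returns false on any exception, which is the "default to non-consent" behaviour described above.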
Website Implementation Basics (Questions 61-80)
- Where should the cookie banner be positioned?
  Cookie banners should be prominent and not interfere with content access before consent is given.
- What must a cookie banner include?
  It must include clear information about the cookies used, their purposes, an option to accept/reject, and a link to the detailed cookie policy.
- Should the accept button be more prominent than the reject?
  No, accept and reject options should be equally prominent to ensure consent is freely given.
- What is a cookie policy?
  A cookie policy explains what cookies are used, their purposes, duration, and how users can manage them.
- How should first-party cookies be handled?
  Even first-party cookies used for non-essential purposes require consent.
- What are strictly necessary cookies?
  Strictly necessary cookies are essential for website functionality and don’t require consent (e.g., shopping cart, authentication).
- How should analytics cookies be categorised?
  Analytics cookies are typically not strictly necessary and require consent unless properly anonymised.
- What is cookie granularity?
  Cookie granularity refers to the level of detail in consent options, from all-or-nothing to individual cookie control.
- Should users be able to change preferences later?
  Yes, users must have easy access to modify their consent preferences at any time.
- How should consent preferences be accessible?
  Provide persistent links in the footer, a privacy settings page, or a floating button for preference management.
- What is a consent wall?
  A consent wall blocks access to content unless users accept cookies/tracking and is generally not GDPR compliant.
- How should third-party scripts be managed?
  Third-party scripts should only load after consent is obtained for their specific purpose.
- What is script blocking?
  Script blocking prevents non-essential scripts from executing until user consent is obtained.
- How should Google Analytics be implemented under GDPR?
  Google Analytics requires consent, IP anonymisation, a data processing agreement, and appropriate data retention settings.
- What is server-side consent management?
  Server-side management processes consent decisions on the server rather than relying solely on client-side controls.
- How should consent work with Content Delivery Networks (CDNs)?
  CDNs should only serve non-essential resources after consent, or consent status should be communicated to the CDN.
- What is consent mode for Google tools?
  Consent mode allows Google tags to adjust behaviour based on consent status, using cookieless pings when consent is denied.
- How should social media embeds be handled?
  Social media embeds should use privacy-enhanced modes or two-click solutions requiring consent before loading.
- What is a two-click solution?
  A two-click solution shows a placeholder for embedded content; users click once to consent, then again to activate the content.
- How should forms handle consent?
  Forms should include clear, unchecked consent boxes with specific information about how data will be used.
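Script blocking and the two-click embed described above share one mechanism: markup that the browser will not execute on its own, activated only once consent for its purpose is known. The following is an added example, not code from the original post or from any CMP: non-essential scripts are shipped as inert `<script type="text/plain" data-consent="…" data-src="…">` tags and embeds as placeholders carrying `data-embed-src`, and a pure decision function picks what may activate under a given consent map. The attribute names, the consent-map shape (`{ purpose: 'given' | … }`) and the sample resource list are assumptions for the example; the decision logic runs anywhere, while the DOM helpers need a browser.

```javascript
// Added example, not code from the original post. Script blocking and the
// two-click embed: nothing loads until the consent map marks the resource's
// purpose as 'given'. Attribute names and the consent-map shape are assumptions.

const STRICTLY_NECESSARY = 'necessary';   // exempt from consent (authentication, cart, ...)

// Pure decision, usable on the server as well: activate only on an explicit
// 'given'. Pending, withdrawn, expired or unknown purposes all fail closed.
function permitted(resource, consent) {
  if (resource.purpose === STRICTLY_NECESSARY) return true;
  return consent[resource.purpose] === 'given';
}

function partition(resources, consent) {
  const activate = [], hold = [];
  for (const r of resources) (permitted(r, consent) ? activate : hold).push(r);
  return { activate, hold };
}

// Constructed sample: what a page's deferred resources look like once collected.
const SAMPLE_RESOURCES = [
  { name: 'auth.js', kind: 'script', purpose: 'necessary' },
  { name: 'analytics.js', kind: 'script', purpose: 'analytics' },
  { name: 'ads.js', kind: 'script', purpose: 'marketing' },
  { name: 'video-embed', kind: 'embed', purpose: 'marketing' },
];

// ---- Browser-only helpers below; `doc` is the DOM document ----

// Replace an inert type="text/plain" placeholder with a real script so it executes.
function activateScript(doc, el) {
  const s = doc.createElement('script');
  if (el.dataset.src) s.src = el.dataset.src; else s.textContent = el.textContent;
  el.replaceWith(s);
}

// Second click of the two-click pattern: swap the placeholder for the iframe.
function activateEmbed(doc, el) {
  const f = doc.createElement('iframe');
  f.src = el.dataset.embedSrc;
  f.title = el.dataset.title || 'embedded content';
  el.replaceWith(f);
}

// Collect deferred resources from the DOM and activate only the permitted ones.
function applyConsent(doc, consent) {
  const els = [
    ...doc.querySelectorAll('script[type="text/plain"][data-consent]'),
    ...doc.querySelectorAll('[data-embed-src][data-consent]'),
  ];
  const resources = els.map(el => ({
    el, purpose: el.dataset.consent, kind: el.dataset.embedSrc ? 'embed' : 'script',
  }));
  const { activate, hold } = partition(resources, consent);
  for (const r of activate) (r.kind === 'embed' ? activateEmbed : activateScript)(doc, r.el);
  return { activated: activate.length, held: hold.length };
}

// First click of the two-click pattern: the placeholder's button records
// consent for that one purpose, then everything for that purpose activates.
// `recordConsent(purpose)` is the site's own hook (assumed here): it persists
// the decision and returns the updated consent map.
function wireTwoClick(doc, recordConsent) {
  for (const btn of doc.querySelectorAll('[data-embed-src][data-consent] button')) {
    btn.addEventListener('click', () => {
      const purpose = btn.closest('[data-consent]').dataset.consent;
      applyConsent(doc, recordConsent(purpose));
    });
  }
}

// Browser usage (assumed site hooks readConsent/recordConsent):
//   applyConsent(document, readConsent());   // on load, after the stored decision is read
//   wireTwoClick(document, recordConsent);   // placeholders become click-to-consent
```

Keeping `permitted` and `partition` free of DOM access is deliberate: the same decision can be evaluated server-side before personalised markup is rendered, and it can be unit-tested without a browser. Note that this gating only covers resources the page itself defers; a script that has already executed can load further resources on its own, so every third-party tag must go through the placeholder path.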
Technical Implementation (Questions 81-100)
- What cookie attributes should be set for consent cookies?
  Consent cookies should set the Secure attribute, an explicit SameSite value, and an appropriate expiry.
- How long should consent preferences be stored?
  Consent preferences are typically stored for 12 months, after which users should be re-prompted.
- Should consent data be encrypted?
  Sensitive consent data should be encrypted in transit (HTTPS) and at rest when appropriate.
- How should consent work with tag managers?
  Tag managers should include consent conditions that prevent tags from firing without appropriate consent.
- What is the IAB Transparency and Consent Framework?
  The IAB TCF is a standardised framework for communicating user consent to advertising vendors.
- How should API calls respect consent?
  APIs should check consent status before processing personal data or triggering third-party services.
- What is client-side consent storage?
  Client-side storage uses cookies or localStorage to maintain consent preferences in the user’s browser.
- How should consent work across subdomains?
  Consent can be shared across subdomains using appropriate cookie domain settings, with clear user communication.
- What is a consent bridge?
  A consent bridge synchronises consent status between different systems or platforms.
- How should mobile apps handle consent?
  Mobile apps should implement a consent UI similar to websites, storing preferences locally or server-side.
- What accessibility considerations apply to consent interfaces?
  Consent interfaces must be keyboard navigable, screen-reader compatible, and meet WCAG standards.
- How should consent work with Progressive Web Apps?
  PWAs should manage consent similarly to websites, with preferences synced when online.
- What is consent forwarding?
  Consent forwarding communicates user consent status to third-party services and vendors.
- How should consent integrate with identity management?
  Consent preferences should be linked to user accounts and persist across sessions and devices.
- What testing should be performed on consent systems?
  Test all consent paths, withdrawal processes, preference persistence, script blocking, and cross-browser compatibility.
- How should consent work with A/B testing?
  A/B testing tools typically require consent as they process user data; test variations of the consent UI should themselves be GDPR compliant.
- What is geographic consent targeting?
  Geographic targeting applies different consent requirements based on user location (e.g., stricter for EU users).
- How should consent be implemented in a headless CMS?
  Headless CMS implementations need server-side or API-based consent management before serving personalised content.
- What monitoring should be in place for consent systems?
  Monitor consent rates, withdrawal rates, system errors, compliance with preference settings, and audit trail completeness.
- How should consent systems handle bot traffic?
  Bot detection should prevent false consent records while ensuring legitimate users can always provide consent.
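The cookie attributes, 12-month retention, subdomain sharing and "APIs check consent before processing" points above come together in one small piece of code: writing the consent cookie with the right attributes, and reading it back defensively on the server before any personal data is touched. The following is an added example written for this post, not the post's own code or any CMP's format. The cookie name `cc_consent`, the JSON value layout, the example domain and the sample timestamps are assumptions constructed for the example.

```javascript
// Added example, not code from the original post: building and reading a
// consent cookie with the attributes recommended above. Cookie name, value
// layout and the example domain are assumptions for this example.

const COOKIE_NAME = 'cc_consent';
const MAX_AGE_SECONDS = 365 * 24 * 60 * 60;   // 12 months, then the user is re-prompted

// Build a Set-Cookie header value. The value holds only the terms version, the
// decision time and per-purpose booleans: no user identifier, no personal data.
function buildConsentCookie({ version, decidedAt, purposes }, { domain } = {}) {
  const value = encodeURIComponent(JSON.stringify({ v: version, t: decidedAt, p: purposes }));
  const attrs = [
    `${COOKIE_NAME}=${value}`,
    'Path=/',
    `Max-Age=${MAX_AGE_SECONDS}`,  // explicit expiry instead of a session cookie
    'Secure',                       // only ever sent over HTTPS
    'SameSite=Lax',                 // not attached to cross-site subresource requests
  ];
  // Domain=example.com (assumed) makes one decision cover all subdomains,
  // which is only appropriate when the banner told the user so.
  if (domain) attrs.push(`Domain=${domain}`);
  return attrs.join('; ');
}

// Parse a Cookie request header (or document.cookie) back into a decision.
// Anything missing, malformed, stale or expired yields null, i.e. no consent.
function readConsentCookie(cookieHeader, currentVersion, now) {
  const pair = (cookieHeader || '').split(';').map(s => s.trim())
    .find(s => s.startsWith(COOKIE_NAME + '='));
  if (!pair) return null;
  try {
    const parsed = JSON.parse(decodeURIComponent(pair.slice(COOKIE_NAME.length + 1)));
    if (parsed.v !== currentVersion) return null;            // terms changed: fresh consent needed
    const ageSeconds = (now - Date.parse(parsed.t)) / 1000;
    if (!(ageSeconds >= 0 && ageSeconds <= MAX_AGE_SECONDS)) return null; // expired or bad timestamp
    if (typeof parsed.p !== 'object' || parsed.p === null) return null;
    return { version: parsed.v, decidedAt: parsed.t, purposes: parsed.p };
  } catch {
    return null;   // a tampered or truncated cookie counts as no consent
  }
}

// Gate for an API handler or server-side tag: consult this before processing
// personal data or calling a third-party service for the given purpose.
function hasConsent(cookieHeader, purpose, currentVersion, now) {
  const c = readConsentCookie(cookieHeader, currentVersion, now);
  return !!c && c.purposes[purpose] === true;
}

// Constructed sample decision used by the usage below (not a real user).
const SAMPLE_DECISION = {
  version: 2,
  decidedAt: '2024-01-01T00:00:00Z',
  purposes: { analytics: true, marketing: false },
};

function sampleSetCookieHeader() {
  return buildConsentCookie(SAMPLE_DECISION, { domain: 'example.com' });
}

// Usage: the browser would later send back only the name=value part.
//   const setCookie = sampleSetCookieHeader();
//   const requestCookie = setCookie.split(';')[0];
//   hasConsent(requestCookie, 'analytics', 2, Date.parse('2024-06-01T00:00:00Z'));  // true
```

The reader treats every failure the same way: a missing cookie, a value that does not parse, a version that no longer matches the current terms, a timestamp older than twelve months or in the future all return null, so the calling code has a single "no consent" path. Pairing the version check with the expiry check is what turns a policy change into an automatic re-prompt without touching anything stored in the browser.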