Consent: The Cornerstone of Compliance
The EU’s General Data Protection Regulation (GDPR) sets forth a new standard for how organizations can interact with their customer’s data. In the past, companies have been relatively cavalier with their use of personal data. Now, there’s a strict set of guidelines about how and when you can use data for remarketing, emailing, profiling, and other forms of processing.
The biggest changes are around “legitimate interest,” legal use of data, and consent. Under GDPR, in order to send your users emails, track them with cookies, use them for profiling, or do anything else with their personal data, you’ll need to gain informed consent first.
This post relies on a basic understanding of GDPR concepts, so if you’re totally unfamiliar, we suggest you read our introduction to GDPR compliance before going any further.
How GDPR Defines Consent
Consent under GDPR means that a user has given you explicit permission to process their data and that they’ve been informed of the necessary conditions upon giving consent. Article 7, as well as recitals 32, 42, and 43 of GDPR describe the necessary conditions for gaining consent.
- Article 7, “Foundations of Consent,” refers to the demonstration, granularity, and withdrawal of a data subject’s given consent.
- Recital 32, "Informed Consent," goes into greater detail about the necessary information to be provided for informed consent.
- Recital 42, "Requirements for Consent," further describes the required materials for proper consent and acts as a summary of the conditions.
- Recital 43, "Freely Given Consent," describes the aspects of consent when there is an "imbalance of power" between subject and processor.
Article 7 “Foundations of Consent”
1. Demonstrations of Consent
If the processing you plan to perform is justified by consent only, and not by any other legally applicable means, you must be able to prove that consent was given. The burden of proof is on your organization to verify when and how a user gave consent for the specific purposes that you’re using their data.
2. Granularity of Consent
Your opt-in checkboxes on consent forms should be one-to-one, meaning that one opt-in action equals one processing purpose. For example, you might have two separate checkboxes – one for newsletter signups, and one that allows you to process data for online ads profiling. Note that the processing purpose does not always equal the processing method. Data may be processed using multiple methods to achieve a single purpose. However, you should still inform users as to the ways in which you plan to process their data to ensure that their consent is truly “informed.”
3. Withdrawal of Consent
One key element of gaining consent is making sure that unsubscribing or “withdrawing consent” is as easy as giving consent. Users should have access to information about how to withdraw consent right off the bat, and you should remind them often about how they can revoke their permission. Withdrawal of consent should be built-in and as simple as one click, if possible, and should never be more difficult than giving consent.
4. Necessity of Processing
One of the most important considerations to make when determining if your opt-in consent is compliant is whether or not the service is dependent on processing not required for the consented service. This means that marketing opt-in should be “unbundled” from your general terms of service. In other words, use of your app cannot be dependent on you being able to collect information that isn’t directly necessary for the purposes of the app.
If your service is technically dependent on you collecting certain information (i.e. for the use of cookie tracking for login continuity), then that method of processing may be bundled in certain circumstances. The line here is blurry, so we recommend you air on the safe side and consult with a legal professional when making a decision.
Recital 32 "Informed Consent"
Consent for processing must be given with a clear, intentional action. This means no more pre-checked boxes or “silent” opt-ins. Your users will need to make an “affirmative act” to show their consent. Users need to check a box, click a button, or otherwise do something to opt-in to processing, not click to opt-out.
Many will see this as a negative as you won’t be able to opt-in as many users, but think of it like this: would you rather send emails to everyone regardless of whether or not they actually want to get them, or would you rather have a list of highly-engaged, targeted users who opted-in to your emails because they wanted to?
The latter half of Recital 32 further breaks down the definition of “granular” or “modular” consent. Again, you’ll need to have separate permissions for separate purposes, and one consent action should equal one processing purpose. When describing the processing purpose, you should be sure to show how it is relevant to improving their experience. As that last sentence implies, giving consent (and opting out) should not be unnecessarily difficult or disruptive.
Recital 42 "Requirements for Consent"
Recital 42 may seem redundant, but it serves to further clarify exactly what is required for consent. It also acts as a summary of the conditions for consent.
Again, it’s vital that your organization is able to prove consent was given. This means you should be keeping detailed records and logs of when and how a user consented. You should also know how to access that information quickly and easily.
There’s more on the subject of “intelligible and easily accessible” forms, but with the additional conditions that opt-in should be written in “clear and plain language” and should not contain “unfair terms.” What does the bill mean by “unfair terms?” The precise definition is not made clear, so we can only wait and see how the courts rule to find out how this particular section will be enforced.
As in Article 7, the data subject should be informed of the identity of the processors and controllers as well as the purposes of the processing. That final sentence further solidifies that users cannot be coerced into providing consent, meaning that you can’t prevent an individual from using your service as a result of them refusing to opt-in (considering that the processing isn’t technically necessary for the service rendered).
Recital 43 "Freely Given Consent"
The first section of Recital 43 is meant to ensure that consent is freely given even in situations where there is a “clear imbalance” in terms of power between the processor and data subject. This clause is meant to deal with specific cases where the subject is not able to give consent freely due to an “imbalance” of power due to the data controller being a government entity. Most organizations can ignore this section.
The rest of Recital 43 focuses on describing granularity of consent in greater detail. If it is “appropriate” to have different opt-ins for different processing operations or purposes, it’s important that users have the option to do so. Since so much focus is placed on unbundling and granularity of consent, we suggest making your opt-in consent forms as specific as possible, with boxes to check for all of the ways you plan to process a subject’s data. The only time you should “bundle” consent for processing is when rendering of the service a user is signing up for would be impossible without it.
Elements of Compliant Opt-In Forms
Now that we've described the sections of GDPR related to consent in-detail, we'll briefly go over everything that is required (and suggested) for proper informed consent.
- Ability to provide proof of consent.
- Separate data processing opt-in from terms of service (when appropriate).
- Granular opt-in, one permission for one processing purpose.
- “Affirmative act” indicating consent.
- A way to revoke consent and information about how to do so.
- Identity and contact information for all processors.
- Information about why data is being collected/processed.
- Information about how long data will be kept.
- Information about security precautions taken.
- Easy access to data and metadata collected.
- Easy access to methods for rectifying and deleting data.
Consent under GDPR has many layers and there are many things that need to be considered in order to achieve compliance. However, since consent is such a key element of GDPR, it’s too important to ignore. Learning the requirements and making a few adjustments to your user registration and opt-in forms can go a long way toward making sure your organization remains compliant.
For organizations that only engage in email marketing, compliance can be relatively easy to achieve. However, if you’re a large organization collecting and processing user data in a multitude of ways your path to compliance will be a bit more complex.
We hope that this information provided some valuable insight into what consent means for GDPR compliance, and what you need to think about when gaining consent. If you're unsure as to whether you've collected proper consent from users, it's best to consult with a legal expert trained in GDPR compliance.
Cuttlesoft is a digital product development agency with expertise in data privacy and security. Find out how we can help.