CONSENT: THE CORNERSTONE OF COMPLIANCE
The EU’s General Data Protection Regulation (GDPR) sets forth a new standard for how organizations can interact with their customer’s data. In the past, companies have been relatively cavalier with their use of personal data. Now, there’s a strict set of guidelines about how and when you can use data for remarketing, emailing, profiling, and other forms of processing.
The biggest changes are around “legitimate interest,” legal use of data, and consent. Under GDPR, in order to send your users emails, track them with cookies, use them for profiling, or do anything else with their personal data, you’ll need to gain informed consent first.
This post relies on a basic understanding of GDPR concepts, so if you’re totally unfamiliar, we suggest you read our introduction to GDPR compliance before going any further.
HOW GDPR DEFINES CONSENT
Consent under GDPR means that a user has given you explicit permission to process their data and that they’ve been informed of the necessary conditions upon giving consent. Article 7, as well as recitals 32, 42, and 43 of GDPR describe the necessary conditions for gaining consent.
- Article 7, “Foundations of Consent,” refers to the demonstration, granularity, and withdrawal of a data subject’s given consent.
- Recital 32, “Informed Consent,” goes into greater detail about the necessary information to be provided for informed consent.
- Recital 42, “Requirements for Consent,” further describes the required materials for proper consent and acts as a summary of the conditions.
- Recital 43, “Freely Given Consent,” describes the aspects of consent when there is an “imbalance of power” between subject and processor.
ARTICLE 7 “FOUNDATIONS OF CONSENT”
1. DEMONSTRATION OF CONSENT
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
If the processing you plan to perform is justified by consent only, and not by any other legally applicable means, you must be able to prove that consent was given. The burden of proof is on your organization to verify when and how a user gave consent for the specific purposes that you’re using their data.
2. GRANULARITY OF CONSENT
“If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.”
Your opt-in checkboxes on consent forms should be one-to-one, meaning that one opt-in action equals one processing purpose. For example, you might have two separate checkboxes – one for newsletter signups, and one that allows you to process data for online ads profiling. Note that the processing purpose does not always equal the processing method. Data may be processed using multiple methods to achieve a single purpose. However, you should still inform users as to the ways in which you plan to process their data to ensure that their consent is truly “informed.”
3. WITHDRAWAL OF CONSENT
“The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.”
One key element of gaining consent is making sure that unsubscribing or “withdrawing consent” is as easy as giving consent. Users should have access to information about how to withdraw consent right off the bat, and you should remind them often about how they can revoke their permission. Withdrawal of consent should be built-in and as simple as one click, if possible, and should never be more difficult than giving consent.
4. NECESSITY OF PROCESSING
“When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
One of the most important considerations to make when determining if your opt-in consent is compliant is whether or not the service is dependant on processing not required for the consented service. This means that marketing opt-in should be “unbundled” from your general terms-of-service. In other words, use of your app cannot be dependant on you being able to collect information that isn’t directly necessary for the purposes of the app.
If your service is technically dependant on you collecting certain information (i.e. for the use of cookie tracking for login-continuity), then that method of processing may be bundled in certain circumstances. The line here is blurry, so we recommend you air on the safe side and consult with a legal professional when making a decision.
Protecting your organization is really about protecting your users. Cuttlesoft can help secure private data, and reduce the damage done by leaks.
Reach out to our experts today.
RECITAL 32 “INFORMED CONSENT”
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”
Consent for processing must be given with a clear, intentional action. This means no more pre-checked boxes or “silent” opt-ins. Your users will need to make an “affirmative act” to show their consent. Users need to check a box, click a button, or otherwise do something to opt-in to processing, not click to opt-out.
Many will see this as a negative as you won’t be able to opt-in as many users, but think of it like this: would you rather send emails to everyone regardless of whether or not they actually want to get them, or would you rather have a list of highly-engaged, targeted users who opted-in to your emails because they wanted to?
The latter half of Recital 32 further breaks down the definition of “granular” or “modular” consent. Again, you’ll need to have separate permissions for separate purposes, and one consent action should equal one processing purpose. When describing the processing purpose, you should be sure to show how it is relevant to improving their experience. As that last sentence implies, giving consent (and opting out) should not be unnecessarily difficult or disruptive.
RECITAL 42 “REQUIREMENTS FOR CONSENT”
“Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular, in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”
Recital 42 may seem redundant, but it serves to further clarify exactly what is required for consent. It also acts as a summary of the conditions for consent.
Again, it’s vital that your organization is able to prove consent was given. This means you should be keeping detailed records and logs of when and how a user consented. You should also know how to access that information quickly and easily.
There’s more on the subject of “intelligible and easily accessible” forms, but with the additional conditions that opt-in should be written in “clear and plain language” and should not contain “unfair terms.” What does the bill mean by “unfair terms?” The precise definition is not made clear, so we can only wait and see how the courts rule to find out how this particular section will be enforced.
As in Article 7, the data subject should be informed of the identity of the processors and controllers as well as the purposes of the processing. That final sentence further solidifies that users cannot be coerced into providing consent, meaning that you can’t prevent an individual from using your service as a result of them refusing to opt-in (considering that the processing isn’t technically necessary for the service rendered).
RECITAL 43 “FREELY GIVEN CONSENT”
“In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”
The first section of Recital 43 is meant to ensure that consent is freely given even in situations where there is a “clear imbalance” in terms of power between the processor and data subject. This clause is meant to deal with specific cases where the subject is not able to give consent freely due to an “imbalance” of power due to the data controller being a government entity. Most organizations can ignore this section.
The rest of Recital 43 focuses on describing granularity of consent in greater detail. If it is “appropriate” to have different opt-ins for different processing operations or purposes, it’s important that users have the option to do so. Since so much focus is placed on unbundling and granularity of consent, we suggest making your opt-in consent forms as specific as possible, with boxes to check for all of the ways you plan to process a subject’s data. The only time you should “bundle” consent for processing is when rendering of the service a user is signing up for would be impossible without it.
ELEMENTS OF COMPLIANT OPT-IN FORMS
Now that we’ve described the sections of GDPR related to consent in-detail, we’ll briefly go over everything that is required (and suggested) for proper informed consent.
- Ability to provide proof of consent.
- Separate data processing opt-in from terms of service (when appropriate).
- Granular opt-in, one permission for one processing purpose.
- “Affirmative act” indicating consent.
- A way to revoke consent and information about how to do so.
- Identity and contact information for all processors.
- Information about why data is being collected/processed.
- Information about how long data will be kept.
- Information about security precautions taken.
- Easy access to data and metadata collected.
- Easy access to methods for rectifying and deleting data.
Consent under GDPR has many layers and there are many things that need to be considered in order to achieve compliance. However, since consent is such a key element of GDPR, it’s too important to ignore. Learning the requirements and making a few adjustments to your user registration and opt-in forms can go a long way towards making sure your organization remains compliant.
For organizations that only engage in email marketing, compliance can be relatively easy to achieve. However, if you’re a large organization collecting and processing user data in a multitude of ways your path to compliance will be a bit more complex.
We hope that this information provided some valuable insight into what consent means for GDPR compliance, and what you need to think about when gaining consent. If you’re unsure as to whether you’ve collected proper consent from users, it’s best to consult with a legal expert trained in GDPR compliance.
Cuttlesoft is a digital product development agency with expertise in data privacy and security. Find out how we can help.