Consent is one of the many legal bases under which you can collect and process personal data when it comes to the GDPR. However, the GDPR has changed the way consent is obtained. Here's what you need to know about consent under the GDPR.
Read the related blog post here: https://termsfeed.com/blog/consent-under-gdpr/
Under the GDPR, consent is one of the acceptable legal bases for collecting and processing personal data from residents of the EU. Here's what the GDPR requires when it comes to consent.
Let's break down this definition into 4 different requirements for consent.
Freely given
For consent to be freely given, users must be given a choice on whether to provide personal data or not. You can no longer count simply using a website as giving consent.
Specific
You must get specific consent for each different use of personal data. If you want to use personal data for marketing and for analytics, you must get consent for each.
Informed and unambiguous
Inform your users what information you're requesting and how it will be used. Then, make sure your request for consent is simple and straightforward.
Clear affirmative action
Make your users take a clear affirmative action to show they consent, such as ticking a checkbox or clicking a clearly-labeled button.
Article 7 of the GDPR includes 4 conditions for consent:
Keep a record of each instance of consent you obtain from EU residents and be able to provide proof. If you are currently unable to do so, you may need to do a re-permission campaign. This is when you send an email to all currently-subscribed users asking them to actively re-opt-in to establish proof of consent.
If consent is given within a page or interface that contains a number of elements (such as a registration form), the request for consent should be separate and easily distinguishable from other subject matter using clear and plain language.
Note how these consent checkboxes stand out with placement and uppercase font.
Always provide a way for users to revoke consent. Revoking consent should be as easy as giving it.
Consent will not be considered as "freely given" if the consumer is required to provide information that is not necessary to complete a service.
Don't collect any information that you do not need in order to provide your services.
So, how exactly should you go about obtaining consent from EU residents to be compliant with the GDPR?
Make sure you do not use browsewrap to get consent. Browsewrap, a common and widespread method for getting consent, is not valid under the GDPR.
Browsewrap is when you include a statement in your Privacy Policy or Terms and Conditions that says something like, "By using this website, you're consenting to the collection and use of your personal information."
Here's an example of browsewrap in action in an old Privacy Policy from Novartis:
With this method, most users won't have any idea that they've consented to anything just by using a website. It doesn't inform users, and doesn't give website/app owners documentable consent.
Note that after the GDPR took effect, Novartis updated its Privacy Policy to remove this language:
In contrast to browsewrap is clickwrap, which is the best way to get clear, affirmative consent. Clickwrap is when a user must actively click or do some affirmative action to show they agree or consent. In this example, users are tapping "I Agree," and a short explanation makes it clear what they're agreeing to by doing so.
Clickwrap helps keep users informed as to exactly what they're agreeing and consenting to. It also helps website/app owners obtain recordable agreement/consent from users.
First, remember what they should not look like. Don't use browsewrap statements in your legal agreements and assume that's good enough. It isn't.
Don't use pre-checked boxes when getting consent. Boxes must be left empty so a user is only opting in or agreeing if he takes an affirmative action to check the box.
Now let's look at a few Do's for getting GDPR-compliant consent.
Consent for your Privacy Policy and other legal agreements
Before you collect any personal information, typically at the time of account registration or sign-up, present users with links to your legal agreements and a clear way for them to agree to them.
Here's how PayPal does this with agreement links, a short statement and a checkbox.
Consent for Collection of Personal Information via Cookies
If you place cookies that collect personal information, you need to get consent for this. Do this in a banner or pop-up notification that:
- Identifies what types of cookies you use, what information they collect and why
- Lets users access additional information (Privacy/Cookies Policy, Cookie Settings, etc.)
- Gets clear, affirmative consent to place these cookies
Note that you don't have to get consent to place functionality and other non-personally-identifying cookies, but you still need to disclose their use.
Consent for your Marketing Communications
It is a common practice for businesses to say that by signing up for an account, you're agreeing to receive marketing communications from them. However, under the GDPR, this is not acceptable.
You must get clear and affirmative consent to send marketing communications.
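As an added example (not code from this deck or from TermsFeed), here is a small server-side consent ledger in JavaScript that applies the rules above: per-purpose checkboxes that count only when affirmatively ticked, rejection of pre-checked or bundled requests, an append-only record with timestamp and policy version as proof, withdrawal that is as simple as granting, and a gate that lets only necessary cookies through for purposes without consent. `ConsentLedger`, `PURPOSES` and the form flags (`prechecked`, `bundledWithTerms`, `purposesDisclosed`) are assumed names, not from the page.

```javascript
// Assumed purposes; the deck requires separate consent for each (e.g. marketing vs analytics).
const PURPOSES = ["analytics", "marketing"];

class ConsentLedger {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;      // injectable clock so records are reproducible in tests
    this.records = [];   // append-only: every grant and withdrawal is kept as proof
  }

  // Validate a submitted consent form and record only affirmative choices.
  // `choices` maps purpose -> boolean as the user left the checkboxes;
  // `form` describes how the request was presented (assumed flag names).
  recordFromForm(form, choices, policyVersion) {
    if (form.prechecked) throw new Error("pre-checked boxes are not valid consent");
    if (form.bundledWithTerms) throw new Error("consent must be separate from other subject matter");
    if (!form.purposesDisclosed) throw new Error("user must be told what is collected and why");
    for (const purpose of PURPOSES) {
      // A purpose that was not asked about, or left unticked, is simply not consented.
      if (choices[purpose] === true) this.grant(purpose, form.source, policyVersion);
    }
  }

  grant(purpose, source, policyVersion) {
    this.records.push({ purpose, granted: true, source, policyVersion, at: this.now() });
  }

  // Withdrawal is one call, mirroring the "as easy as giving it" requirement.
  withdraw(purpose) {
    this.records.push({ purpose, granted: false, at: this.now() });
  }

  // The latest record for a purpose decides; nothing recorded means no consent.
  isAllowed(purpose) {
    const last = [...this.records].reverse().find((r) => r.purpose === purpose);
    return Boolean(last && last.granted);
  }

  // Gate before setting cookies: strictly necessary cookies never need consent,
  // everything else requires a current grant for its purpose.
  cookiesToSet(cookies) {
    return cookies.filter((c) => c.purpose === "necessary" || this.isAllowed(c.purpose));
  }
}
```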
Remember:
Consent is one of the legal bases for collecting personal information under the GDPR.
It must be freely given, specific, informed and unambiguous, with a clear affirmative action.
Browsewrap is out. Go with clickwrap.
No pre-checked boxes.
Keep records of consent.
Get consent before collecting any personal information.
Get consent before placing any cookies that collect personal information.
Allow consent to be easily withdrawn.