GDPR Consent Examples

In May 2018, the EU fired the Internet privacy shot heard around the world. Did you miss it? Likely not.

If you opened your email inbox in May, you likely noticed one thing: an onslaught of emails, from addresses you do and don't recognize, informing you that they've "updated their privacy policy."

For Europeans, it was another of the daily reminders that a new data law was about to come into force. But the flurry of consent emails left the rest of the world scratching their heads: why is everyone updating their policies and asking for consent to them at the same time?

The reason was the introduction of the General Data Protection Regulation (GDPR).

Much of the GDPR is concerned with obtaining consent from visitors. To do that, you'll likely need to update your consent standards and mechanisms.

We'll make it easy to update your consent standards and stay online.


GDPR: What is it?

The GDPR isn't your enemy. It's a layer of protection for citizens - and it has some benefits for businesses, too.

At its core, the GDPR is a love letter from European bureaucrats to digital privacy rights. It took some of the best parts of the previous policy - the Data Protection Directive - and updated it for the modern, social internet.

The purpose of the rules was to bring every European country's data policies into sync to protect all EU citizens equally. The European Commission and leaders across the continent saw that the world had become increasingly data-centered between the first data directive in 1995 and the way the internet is used now.

The GDPR is unlike anything currently in place in the United States. The US pieces together a mish-mash of federal and state laws to protect children or healthcare data. In Europe, the GDPR is an all-encompassing policy covering all types of data for all members of the European Union. Whether you're British or Irish, Czech or Slovak, if you're in the Union then you're covered by the GDPR.

The most important change to note is in the jurisdiction of the law. It applies to every company that interacts with personal data of subjects in the European Union, regardless of where the organization is based.

It doesn't matter if you're in New York or Nicaragua. If you're collecting data from any European from Galway to Greece, then the GDPR applies to you.

The GDPR focuses heavily on consent. Gone are the days of pre-checked boxes, illegible jargon, and hidden yet binding Terms of Service. The GDPR states that:

"Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it."

What does this mean for you? Your consent mechanisms must reflect the new requirements.

Consent and the role it plays in processing isn't new. The GDPR builds on the definition and role outlined in the Data Protection Directive it replaced, and instead of re-inventing consent it shores up the areas where there was wiggle room in the past: consent now has to be unambiguous and given by a clear affirmative action.

Many of your previous methods of consent no longer qualify as consent under the new law.

Here are the two most popular consent methods that no longer qualify as valid consent under EU law:

Browsewrap

Browsewrap is a way of getting users to give consent simply by using a website or service. The average browsewrap method features a statement within an agreement (such as a Privacy Policy) that says:

"Please note that your use of our Site constitutes your agreement to follow and be bound by the terms of this agreement."

Here's an example of a generic browsewrap statement in a legal agreement:

Generic browsewrap clause in Terms and Conditions

In essence, it assumes that users consent to your Terms of Service and Privacy Policy when they use your site. It doesn't matter whether the user ever read the Terms of Service. Consent is implied and assumed.

The EU doesn't allow browsewrap agreements to be used for consent anymore. Consent statements hidden away on a Terms of Service page aren't clear and accessible. They also don't feature affirmative consent. The GDPR requires a user to take a specific, affirmative action to show consent.

Pre-checked Boxes

A favorite consent trick of internet marketing experts is the pre-checked box. Often used for newsletter sign-ups, these boxes are featured on forms and require the user to un-check the box if they don't want to agree to something.

These are no longer allowed.

In the below image, both boxes would need to be presented as unchecked to users:

The Noun Project create account pop-up with pre-checked box for email signup consent: Not GDPR compliant

You're not allowed to punish users for not consenting to your policies. If a user doesn't agree to your cookie policy, you can't ban them from your site.

Until May 25th, 2018, consent was a one-off decision that may or may not have required an individual to tick a box or push a button to consent to your policies. If you used browsewrap, then it only required using the site.

Now, consent isn't something that happens once. It's an ongoing relationship that lets people opt in to and out of individual data uses as they choose.

The GDPR requires:

  • Keeping good records of consent
  • Providing granular opt-in methods
  • Providing simple, easy ways of withdrawing consent

So, how do you update your consent mechanisms to comply with the GDPR and avoid the penalties that come with non-compliance?

The Information Commissioner's Office in the UK provides a useful and detailed overview of consent in a GDPR world. From their advice, we've come up with a check-list for creating meaningful consent that complies with the GDPR:

  • Update your opt-in mechanism
  • Keep users informed by directing them to your Privacy Policy
  • Add new consent for cookies
  • Update your policies to remove browsewrap
  • Inform users how to withdraw consent

Update Your Opt-In Mechanism

Wherever you rely on consent, the GDPR requires an active, positive opt-in to your data policy: once when the GDPR took effect, and again whenever you make material changes to that policy. (Consent is only one of the lawful bases the GDPR recognises; where you process data on another basis, such as performance of a contract, you inform users rather than ask them to agree.)

The first time someone navigates to your site after a material policy change, consent needs to be obtained again. Give them a box to manually check or an "Agree" button to click.

If you're adding in multiple options like allowing them to agree to your Terms and Conditions in one clause and your Privacy Notice separately, then both must include the same prominence.

Here's an example of GDPR compliant consent from The Atlantic:

The Atlantic: Cookies and privacy notice with I Agree button for consent

Visitors must actively click the "I Agree" button to consent to The Atlantic's data policies.

Here's an example of how Adobe ID gets consent for its legal agreements, as well as consent to communicate with users via email in the same sign-up form by using two separate opt-in checkboxes:

Adobe ID Sign-up form with checkboxes for clickwrap consent for Terms of Use, Privacy Policy and email

Keep Users Informed: Direct them to Your Privacy Policy

Compliance doesn't just mean securing affirmative consent. It also requires you to make it easy for people to understand what they are consenting to.

While most of us don't review a site's Privacy Notice before we browse, the EU wants you to put your Privacy Policy right under visitors' noses. It also wants those policies to be easy to read and understand. No legalese allowed. No tiny fonts. No never-ending paragraphs.

In the example above from The Atlantic, note how the Privacy Policy is linked to the notice where consent is requested. Users can easily access the policy for more information. The same is done with the example from Adobe ID.

Always make your policies and agreements easily accessible, especially at the moment you're asking for consent.

Add New Consent for Cookies

Cookies aren't a big focus of the GDPR, but they are mentioned explicitly: cookie identifiers count as personal data when they can be used to identify a person. The rules on placing cookies themselves come from the ePrivacy Directive; what the GDPR changes is the standard of consent those rules point to.

A common way of creating cookie consent is notifying users with a pop-up banner the first time the person visits the website. The notice should have an "agree" or "accept" button.

Remember, it must be as easy to reject cookies as it is to accept them.

Hertz shows a notification solely dedicated to the way the website uses cookies and explains its policy in detail. It shows users how to disable cookies for Hertz.com, but it treats clicking "Close X" or otherwise dismissing the message as consent rather than offering an agreement button. Treat that pattern with caution: closing a notice is not the clear affirmative action the GDPR asks for, so it is weaker than an explicit accept or decline choice.

Hertz Use of Cookies notice

Here's how Computerworld requests consent to place cookies on mobile devices:

Computerworld mobile cookies notification with decline and accept buttons

Note the clear way that users are presented with options to accept or decline. A link to the Cookie Policy is included at the beginning of the consent request.

Update Your Policies to Remove Browsewrap

As previously mentioned, browsewrap practices no longer count as consent under GDPR. This means that if you previously used that method of obtaining consent, it's time to update your agreements and policies to remove this language.

Inform Users How to Withdraw Consent

Consent is no longer an action but a process. European users now have the right to provide and withdraw consent when they choose without impacting their service.

Your responsibility is to inform users how to withdraw consent. It must be as easy to opt-out as it is to opt-in, and you can't punish users for choosing to opt out.
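The three requirements listed earlier (keeping records, granular opt-in, easy withdrawal), the rule that rejecting cookies must be as easy as accepting them, and the rule that opting out must be as easy as opting in are simpler to get right if consent is stored as a record rather than a flag. What follows is an added example in plain JavaScript; it is not code from this article or from any of the sites shown on it. The purpose names, the policy-version strings, the subject identifiers and the in-memory storage are assumptions for illustration.

```javascript
// Added example (not from the article): a small consent ledger that keeps an
// append-only record of what was asked and answered, treats every purpose
// separately, defaults everything to "no", and makes withdrawal the same
// one-step call as granting. Purposes, versions and storage are assumed.

const PURPOSES = Object.freeze(["analytics", "marketing_email", "ads"]); // assumed names

function createConsentLedger(clock = () => new Date().toISOString()) {
  // Every consent event is appended, never overwritten, so you can later show
  // who consented to what, when, through which mechanism, and to which version
  // of the policy text. Replace the array with real persistent storage.
  const events = [];

  function validate(purposes) {
    if (!Array.isArray(purposes) || purposes.length === 0) {
      throw new Error("at least one purpose is required");
    }
    for (const p of purposes) {
      if (!PURPOSES.includes(p)) throw new Error(`unknown purpose: ${p}`);
    }
  }

  // Replay the log for one subject. A purpose that was never granted is "no":
  // there is no pre-checked default, and merely browsing the site grants nothing.
  function current(subjectId) {
    const state = Object.fromEntries(PURPOSES.map((p) => [p, false]));
    for (const e of events) {
      if (e.subjectId !== subjectId) continue;
      for (const p of e.purposes) state[p] = e.granted;
    }
    return state;
  }

  function append(subjectId, purposes, granted, meta) {
    validate(purposes);
    events.push({
      subjectId,
      purposes: [...purposes],
      granted,
      how: meta.how,                     // e.g. "signup-form checkbox", "preferences page"
      policyVersion: meta.policyVersion, // version of the policy text the user actually saw
      at: clock(),
    });
    return current(subjectId);
  }

  // The form passes only the boxes the user actively ticked; each purpose is
  // asked for on its own, so ticking "analytics" says nothing about "ads".
  function grant(subjectId, purposes, meta) {
    return append(subjectId, purposes, true, meta);
  }

  // Withdrawal is the same single call as granting: no extra steps, no penalty.
  function withdraw(subjectId, purposes, meta) {
    return append(subjectId, purposes, false, meta);
  }

  // Gate for any code that would set a non-essential cookie or send marketing mail.
  function allowed(subjectId, purpose) {
    validate([purpose]);
    return current(subjectId)[purpose] === true;
  }

  // Consent given against an older policy version does not carry over a
  // material change: the subject must be asked again on their next visit.
  function needsReconsent(subjectId, policyVersion) {
    const grants = events.filter((e) => e.subjectId === subjectId && e.granted);
    if (grants.length === 0) return true; // never asked, or never agreed
    return grants[grants.length - 1].policyVersion !== policyVersion;
  }

  // The record you hand over, or act on, for a data subject request.
  function history(subjectId) {
    return events.filter((e) => e.subjectId === subjectId).map((e) => ({ ...e }));
  }

  return { grant, withdraw, allowed, current, needsReconsent, history };
}

// Walk-through on constructed input: one signup with a single box ticked,
// followed by withdrawal from the preferences page.
function demo() {
  const ledger = createConsentLedger(() => "2018-05-25T12:00:00Z"); // fixed clock for the demo
  const user = "user-123"; // assumed identifier
  ledger.grant(user, ["analytics"], { how: "signup-form checkbox", policyVersion: "v1" });
  ledger.withdraw(user, ["analytics"], { how: "preferences page", policyVersion: "v1" });
  return ledger.history(user);
}
```

Two design points carry the weight here. The log is append-only, so the evidence of what was asked and answered survives a later withdrawal, and `withdraw` is the same one-step call as `grant`, which is what "as easy to withdraw as to give" looks like in code. Anything that sets a non-essential cookie or sends marketing mail should call `allowed` first rather than assume, and a bump of the policy version makes `needsReconsent` trigger the opt-in again.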

When users sign up for something, you can let them know at that time that they can withdraw consent or opt out at any time, like in this subscribe form from WebMD:

WebMD email subscribe form using clickwrap for consent and providing opt-out notice

You can include instructions in your Privacy Policy and/or Terms and Conditions for how to opt out or adjust consent preferences.

Here's how DPN does it with a clause in its Privacy Statement:

DPN Privacy Statement: Your rights regarding your personal data clause: GDPR

You can also utilize forms and interfaces to make it more convenient, easy and streamlined for users to make adjustments.

The popular content site HelloGiggles includes a link to EU Data Subject Requests in the footer of the website.

HelloGiggles website footer with EU Data Subject Requests link

The clickable link directs to a simple form that allows users to take a number of different actions and make requests, including the request to opt-out.

Meredith form and portal with EU data subject request options including opt-out, update, object, etc. under GDPR

The more traditional method of allowing users to opt out or withdraw consent involves adding contact details to your Privacy Policy. The New York Times did just that:

The New York Times Privacy Policy: Contact Us clause

To raise a privacy concern, you can email, write to, or call the New York Times.

Remember

The GDPR looks for consent mechanisms that are straightforward. Do the following when asking for user consent:

  • Add an "I agree" button or some sort of clear, active way to give consent.
  • Use granular methods. Ask for consent for different things separately.
  • Link your different policies and agreements to where you're asking for consent.
  • Make it as easy to withdraw as it is to give consent.
  • Get rid of browsewrap, pre-checked boxes, and making consent a condition of using your service.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.