25 September 2019
In May 2018, the EU fired the Internet privacy shot heard around the world. Did you miss it? Likely not.
For Europeans, it was another of the daily reminders that a new data law was about to come into force. But the flurry of consent emails left the rest of the world scratching their heads: why is everyone updating their policies and asking for consent to them at the same time?
The reason was the introduction of the General Data Protection Regulation (GDPR).
Much of the GDPR is concerned with obtaining consent from visitors. To do that, you'll likely need to update your consent standards and mechanisms.
We'll make it easy to update your consent standards and stay online.
The GDPR isn't your enemy. It's a layer of protection for citizens - and it has some benefits for businesses, too.
At its core, the GDPR is a love letter from European bureaucrats to digital privacy rights. It took some of the best parts of the previous policy - the Data Protection Directive - and updated it for the modern, social internet.
The purpose of the rules was to bring every European country's data policies into sync so that all EU citizens are protected equally. The European Commission and leaders across the continent saw that the world had become increasingly data-centered in the time between the first data directive in 1995 and the way the internet is used now.
The GDPR is unlike anything currently in place in the United States. The US pieces together a mish-mash of federal and state laws to protect children or healthcare data. In Europe, the GDPR is an all-encompassing policy covering all types of data for all members of the European Union. Whether you're British or Irish, Czech or Slovak, if you're in the Union then you're covered by the GDPR.
The most important change to note is in the jurisdiction of the law. It applies to every company that interacts with personal data of subjects in the European Union, regardless of where the organization is based.
It doesn't matter if you're in New York or Nicaragua. If you're collecting data from any European from Galway to Greece, then the GDPR applies to you.
The GDPR focuses heavily on consent. Gone are the days of pre-checked boxes, illegible jargon, and hidden yet binding Terms of Service. The GDPR states that:
"Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it."
What does this mean for you? Your consent mechanisms must reflect the new requirements.
Consent and the role it plays in processing isn't new, and the GDPR uses the same definition and role outlined in the Data Protection Act and other policies. Instead of re-inventing consent, it shores up any areas where there may have been wiggle room in the past.
Many of your previous methods of consent no longer qualify as consent under the new law.
Here are the two most popular consent methods that now violate EU law:
Here's an example of a generic browsewrap statement in a legal agreement:
"Please note that your use of our Site constitutes your agreement to follow and be bound by the terms of this agreement."
The EU doesn't allow browsewrap agreements to be used for consent anymore. Consent statements hidden away on a Terms of Service page aren't clear and accessible. They also don't feature affirmative consent. The GDPR requires a user to take a specific, affirmative action to show consent.
A favorite consent trick of internet marketing experts is the pre-checked box. Often used for newsletter sign-ups, these boxes are featured on forms and require the user to un-check the box if they don't want to agree to something.
These are no longer allowed.
In the image below, both boxes would need to be presented to users unchecked:
Until May 25th, 2018, consent was a one-off decision that may or may not have required an individual to tick a box or push a button to consent to your policies. If you used browsewrap, then it only required using the site.
Now, consent isn't something that happens once. It's organic and alive. Consent is an ongoing relationship that allows people to opt-in and opt-out to various data uses as they choose.
The GDPR requires:
So, how do you update your consent mechanisms to comply with the GDPR and avoid those fines?
The Information Commissioner's Office in the UK provides a useful and detailed overview of consent in a GDPR world. From their advice, we've come up with a check-list for creating meaningful consent that complies with the GDPR:
Consent requires an active, positive opt-in to your data policy, both when you update it for the GDPR and whenever you make material changes to it afterwards.
The first time someone navigates to your site after a serious policy change, consent needs to be obtained. Give them a box to manually check or an "Agree" button to click.
If you're offering multiple options, such as agreeing to your Terms and Conditions in one clause and your Privacy Notice separately, then both must be given the same prominence.
Here's an example of GDPR compliant consent from The Atlantic:
Visitors must actively click the "I Agree" button to consent to The Atlantic's data policies.
Here's an example of how Adobe ID gets consent for its legal agreements, as well as consent to communicate with users via email in the same sign-up form by using two separate opt-in checkboxes:
Compliance doesn't just mean securing affirmative consent. It also requires you to make it easier for people to understand what their consent means.
Always make your policies and agreements easily accessible, especially at the moment you're asking for consent.
Cookies aren't a big focus of the GDPR, but they are mentioned explicitly. Cookies are now personal data when they can be used to identify a person.
A common way of creating cookie consent is notifying users with a pop-up banner the first time the person visits the website. The notice should have an "agree" or "accept" button.
Remember, it must be as easy to reject cookies as it is to accept them.
Here's how Computerworld requests consent to place cookies on mobile devices:
As previously mentioned, browsewrap practices no longer count as consent under the GDPR. This means that if you previously used that method of obtaining consent, it's time to update your agreements and policies to remove this language.
Consent is no longer an action but a process. European users now have the right to provide and withdraw consent when they choose without impacting their service.
Your responsibility is to inform users how to withdraw consent. It must be as easy to opt-out as it is to opt-in, and you can't punish users for choosing to opt out.
When users sign up for something, you can let them know at that time that they can withdraw consent or opt out at any time, like in this subscribe form from WebMD:
Here's how DPN does it with a clause in its Privacy Statement:
You can also use forms and interfaces to make it more convenient and streamlined for users to adjust their choices.
The popular content site HelloGiggles includes a link to EU Data Subject Requests in the footer of the website.
The clickable link directs to a simple form that allows users to take a number of different actions and make requests, including the request to opt-out.
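As an added illustration (not code from the original article), here is a small JavaScript consent record that encodes the rules above: every purpose defaults to unchecked, granting and withdrawing are the same one-step call, consent to the terms and consent to marketing email are tracked separately, and a material policy change resets the record so the visitor is asked again. The purpose names, the policy-version string and the record shape are assumptions made for the example.

```javascript
// Added example, not code from the original article: a small consent ledger that
// encodes the rules described above. Purpose names, the policy-version string and
// the record shape are assumptions made for illustration.
const PURPOSES = ["terms", "privacy_notice", "marketing_email", "cookies"];

// A fresh record starts with every purpose unchecked: no pre-ticked boxes,
// and nothing is inferred from mere use of the site (no browsewrap).
function newConsentRecord(policyVersion) {
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = { granted: false, changedAt: null };
  return { policyVersion, purposes };
}

// Grant and withdraw are the same one-step call with a different flag, so
// opting out is exactly as easy as opting in. Returns a new record.
function setConsent(record, purpose, granted, now) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  if (typeof granted !== "boolean") throw new Error("granted must be an explicit boolean");
  return {
    ...record,
    purposes: { ...record.purposes, [purpose]: { granted, changedAt: now } },
  };
}
const grant = (record, purpose, now) => setConsent(record, purpose, true, now);
const withdraw = (record, purpose, now) => setConsent(record, purpose, false, now);

// A material policy change invalidates earlier choices: the visitor must be
// asked again the next time they arrive, and the record resets to all-unchecked.
function needsReconsent(record, currentPolicyVersion) {
  return record.policyVersion !== currentPolicyVersion;
}
function applyPolicyChange(record, currentPolicyVersion) {
  return needsReconsent(record, currentPolicyVersion)
    ? newConsentRecord(currentPolicyVersion)
    : record;
}

// Only an explicit, current grant allows processing; a missing or unknown
// purpose, or a stale policy version, is treated as "no", never as a default yes.
function isAllowed(record, currentPolicyVersion, purpose) {
  if (needsReconsent(record, currentPolicyVersion)) return false;
  const entry = record.purposes[purpose];
  return entry !== undefined && entry.granted === true;
}
```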
The New York Times, by contrast, lets you raise privacy concerns by sending an email or a letter, or by calling them.
The GDPR looks for consent mechanisms that are straightforward. Do the following when asking for user consent:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.