Unless your business is located under a very large rock, you are aware of the sweeping privacy regulation that will be going live on May 25, 2018. Companies like Google are already sending out massive communications to their user lists to make them aware of upcoming changes and compliance efforts.
Although it would take an entire e-book to explain the full intricacies of the GDPR regulation, here is a simplified list of its key guidelines:
If you rely on consent as your legal basis for collecting personal data, you must obtain and record the express consent of each user before collecting any data.
Privacy Policies must be easy to understand and easy to access.
Personal data that you collect must be accessible to users for their viewing, editing, or deleting.
Privacy and data security should be infused into general business practices by default (Privacy by Design).
Who Does the GDPR Apply to?
Almost all online businesses across the world will be affected by the GDPR. Any company that collects personal information from residents of the EU will be required to comply.
According to the GDPR's definition of personal data, if your website or mobile app has collected or will collect so much as an IP address from an EU resident, then you will be required to process that data in compliance with GDPR regulations.
This screenshot of Article 4 of the GDPR shows the broad definition of personal information that applies to EU residents:
Most developed countries, including the USA and Canada, will be cooperating with the EU to enforce these rules, as well as the hefty fines that will be charged for infractions.
The New Definition of Valid Consent
Gone are the days of pre-ticked checkboxes and implied consent. The GDPR is extremely specific when it comes to defining valid consent:
Let's dissect this statement.
There are four different prerequisites that must be met for consent to be considered valid:
Freely-given: This means that the user is given a clear choice on whether to provide personal data or not. Simply navigating or using an online service does not imply consent.
Specific: Visitors must agree specifically to each use of their information, such as sharing for analytics or marketing purposes.
Informed and unambiguous: Inform users of each type of information you collect and how it is used. Consent must be straightforward and intelligible after users have been informed.
Clear affirmative action: A clear, affirmative action is any action that proves consent, whether it be the tick of a checkbox or the click of a button.
This specific and detailed definition of consent is designed to eradicate previously vague or implied methods of obtaining consent, ensuring that all users are fully aware of how their information is collected and used, as well as the choices they have regarding their own privacy.
Now that advertising cookies and user tracking are commonplace, it is understandable that consumers and their elected lawmakers wish to exert more control over personal information.
The Old Ways
It is important to differentiate between the new methods of obtaining consent under the GDPR versus the common "implied consent" that is still in widespread use today.
One way to understand this is to note the difference between browsewrap and clickwrap agreements.
These two methods of creating a user agreement demonstrate the difference between the GDPR definition of valid consent and the old ways of automatically implying consent.
Remember: A clickwrap agreement is compliant with the GDPR, while a browsewrap agreement is not.
How NOT to Obtain Consent
They say a picture is worth a thousand words, so here are a few visual examples of common practices that WILL NOT be considered valid consent under the GDPR regulation:
2. Do not post a cookies notice that looks like this:
This is the pop-up Cookies Notice that appears on the Novartis website.
3. Do not pre-tick checkboxes or assume automatic consent for marketing communications when a visitor registers for your service:
The checkboxes for marketing communications from Apple's registration form are already pre-ticked when the user accesses the form, forcing them to untick the box in order to opt-out of communication. This is not unambiguous or freely-given consent under the GDPR.
This form does not even give the consumer the option to opt-out, simply assuming their consent to receive marketing communications. This will not fly under the GDPR.
Compliant Ways to Obtain Valid Consent
Now that we've looked at a few ways of how NOT to do things, let's take a look at the right way to obtain valid consent according to the GDPR.
They ask users to actively agree before browsing the website.
Although this may seem above and beyond the minimum requirements for the GDPR, there can be no doubt that users were given every opportunity to understand and consent to the collection of their personal information.
2. Consent for the collection of personal information via cookies
Although cookies notices have been required for EU companies for some time, they are now required for any business in the world that collects data about EU residents.
Now, users will need more than an informative cookies banner.
As demonstrated by the MailChimp cookies notice below, visitors must be informed of the types of cookies being used, what information they collect, and why.
In addition, users must click to agree to the cookies before they can be placed.
When the visitor clicks the "Cookies Settings" link in the notice above, a settings interface opens where visitors can toggle different types of cookies on or off:
Many businesses are approaching the cookies notice in this way, allowing users to choose which kinds of cookies they wish to accept. The Mailchimp cookies notice allows visitors to opt-in or out of marketing and browsing cookies, but not the basic functionality cookies.
Under the GDPR, only cookies that are required for the functionality of the website - and do not identify users - may be placed without consent. However, users should still be informed of the presence of these cookies within the cookies notice.
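The behaviour described in this section (inform first, place nothing non-essential until the visitor clicks to agree, let each category be toggled separately with nothing pre-ticked, and honour later withdrawal) can be expressed as a small gate in front of whatever sets cookies. The code below is an added example, not from the original article or from Mailchimp; the category names, cookie names and the in-memory "jar" standing in for `document.cookie` are constructed for illustration.

```javascript
// Added example: a consent gate that holds back every non-essential cookie
// until the visitor has opted in to its category. Category and cookie names
// are constructed; the `jar` array stands in for document.cookie so the
// logic can run outside a browser.
const CATEGORIES = ['essential', 'functional', 'analytics', 'marketing'];

class ConsentGate {
  constructor() {
    // Only cookies required for the site to work are allowed without consent;
    // every other category starts out as "not consented".
    this.consent = { essential: true };
    this.pending = []; // cookies requested before the visitor decided
    this.jar = [];     // cookies actually placed
  }

  // Request that a cookie be placed. Returns true if it was placed now,
  // false if it is being held until the visitor opts in to its category.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (this.consent[category]) {
      this.jar.push({ name, value, category });
      return true;
    }
    this.pending.push({ name, value, category });
    return false;
  }

  // Called when the visitor clicks "Accept" in the settings interface.
  // `choices` maps category -> boolean. Anything the visitor did not
  // explicitly tick counts as refused (no pre-ticked defaults), and
  // "essential" cannot be switched off. Held cookies for newly consented
  // categories are released; held cookies for refused categories are dropped.
  applyChoices(choices) {
    for (const cat of CATEGORIES) {
      if (cat === 'essential') continue;
      this.consent[cat] = choices[cat] === true;
    }
    const released = this.pending.filter(c => this.consent[c.category]);
    this.jar.push(...released);
    this.pending = [];
    return { ...this.consent };
  }

  // Withdrawing consent for a category removes the cookies already placed
  // under it, so later page loads behave as if consent was never given.
  withdraw(category) {
    if (category === 'essential') return { ...this.consent };
    this.consent[category] = false;
    this.jar = this.jar.filter(c => c.category !== category);
    return { ...this.consent };
  }

  // Names of cookies currently placed, sorted for stable comparison.
  placedNames() {
    return this.jar.map(c => c.name).sort();
  }
}

// Walk through one visit: essential cookie placed at once, analytics and
// marketing held, visitor ticks analytics only, then later withdraws it.
function demo() {
  const gate = new ConsentGate();
  gate.setCookie('session_id', 'constructed-session', 'essential');
  gate.setCookie('_analytics_id', 'constructed-analytics', 'analytics');
  gate.setCookie('ad_profile', 'constructed-ad', 'marketing');
  const beforeChoice = gate.placedNames();
  gate.applyChoices({ analytics: true }); // marketing left unticked
  const afterChoice = gate.placedNames();
  gate.withdraw('analytics');
  const afterWithdraw = gate.placedNames();
  return { beforeChoice, afterChoice, afterWithdraw };
}

module.exports = { CATEGORIES, ConsentGate, demo };
```

In a real page the `jar` would be replaced by calls that write `document.cookie` or load a third-party script, and `applyChoices` would be wired to the banner's "Accept" button; the point is that nothing in a non-essential category runs before that click.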
3. Consent for marketing communications
As of now, many businesses are still using the pre-ticked checkbox method for consent to receive marketing communications. As discussed above, this will not be considered a valid method of obtaining consent.
Instead, users must make a clear, affirmative action to accept marketing communications.
The checkbox is the simplest method, as shown below by BP.
The GDPR strongly recommends that users are given more choices, options and relevant information whenever personal information is requested, as seen below:
In its miscellaneous enquiry contact form, Age UK gives users a choice between different contact methods. The great thing about this method is that some surveys show that consumers are more likely to consent to marketing communications if they are given more choices.
When given the opportunity to choose between email, telephone, text, or not at all, more people opt-in to some type of marketing communications over a total opt-out.
Sometimes even giving a simple choice between yes and no can increase opt-in statistics over the simple checkbox consent method.
Here's how Sainsbury's gives visitors a yes or no choice for receiving marketing communications:
Other Conditions of Consent
After obtaining consumer consent, there are more stipulations from the GDPR about recording and keeping that consent:
As you can see in the screenshot of GDPR Article 7 above, there are four basic conditions when it comes to maintaining consent for data processing:
Consent must be recorded and you should be prepared to provide proof of valid consent for every single EU consumer that you hold information on.
On this point, many ask, "But what about the data I collected with noncompliant methods or never kept a record of?"
The answer is, you may need to re-permission your entire database of EU consumers, especially if you plan to send them marketing communications.
This may sound daunting, but it can be accomplished by sending an email that asks each user to update their information and confirm their consent for you to use or share their personal data.
Although you may lose a few users after implementing this method (those who ignore the email will need to be deleted), it will reduce your liability and the possibility of hefty fines.
If consent is given within a page or interface that contains various elements, such as a registration form, the request for consent should be separate and easily distinguishable from other subject matter using clear and plain language.
Jimmy Choo separates the marketing consent checkbox from other elements in the registration form, explaining what it means to subscribe:
Users must be provided with and informed of a way to withdraw consent at any time. Withdrawing consent should be as easy a process to complete as the process used to give consent.
Auchan provides users with instructions on how to access and edit their personal data within the newsletter signup interface:
When people sign up for communications from Age UK, there's a statement letting them know that they can change their minds at any time by emailing the company:
Consent will not be considered as "freely given" if the consumer is required to provide information that is not necessary to complete a service. In other words, don't collect any information that you do not need in order to provide your services.
Final Points to Keep in Mind
When it comes to the new laws regarding consent under the GDPR, it may be necessary to do an intensive data and consent analysis to make sure your methods and database are compliant.
Remember, not only should your consent request methods be compliant, you must also be prepared to provide a record of valid consent for each EU consumer in your database.
If you're not sure that you can do this, it may be necessary to perform a re-permission campaign.
Once you have all your consent ducks in a row, you can rest assured that your users will feel secure and well-informed, and you'll be able to legally obtain customers from anywhere in the world.