Consent Under the GDPR

One of the biggest changes that the GDPR is bringing is how businesses obtain valid consent to collect and use personal information from EU citizens.

Until now, there have been a variety of ways that consent could be obtained.

The GDPR changes that and makes consent requirements far more specific and strict.

This article will take a look at exactly how the GDPR affects consent, and what you can do to make sure your methods of obtaining consent are compliant if they aren't already.

GDPR 101

Unless your business is located under a very large rock, you are aware of the sweeping privacy regulation that will be going live on May 25, 2018. Companies like Google are already sending out massive communications to their user lists to make them aware of upcoming changes and compliance efforts.

Although it would take an entire e-book to explain the full intricacies of the GDPR regulation, here is a simplified list of its key guidelines:

  • If you rely on consent as your legal basis for collecting personal data, you must obtain and record the express consent of each user before collecting any data.
  • Privacy Policies must be easy to understand and easy to access.
  • Personal data that you collect must be accessible to users for their viewing, editing, or deleting.
  • Privacy and data security should be infused into general business practices by default (Privacy by Design).
  • Changes to your Privacy Policy as well as any data breaches must be reported in a timely manner.

Who Does the GDPR Apply to?

Almost all online businesses across the world will be affected by the GDPR. Any company that collects personal information from residents of the EU will be required to comply.

According to the GDPR's definition of personal data, if your website or mobile app has collected or will collect so much as an IP address from an EU resident, then you will be required to process that data in compliance with GDPR regulations.

This screenshot of Article 4 of the GDPR shows the broad definition of personal information that applies to EU residents:

GDPR Article 4 Section 1: Definitions - Personal Data

Most developed countries, including the USA and Canada, will be cooperating with the EU to enforce these rules, as well as the hefty fines that will be charged for infractions.

Gone are the days of pre-ticked checkboxes and implied consent. The GDPR is extremely specific when it comes to defining valid consent:

GDPR Article 4 Section 11: Definitions - Consent

Let's dissect this statement.

There are four different prerequisites that must be met for consent to be considered valid:

  • Freely-given: This means that the user is given a clear choice on whether to provide personal data or not. Simply navigating or using an online service does not imply consent.
  • Specific: Visitors must agree specifically to each use of their information, such as sharing for analytics or marketing purposes.
  • Informed and unambiguous: Inform users of each type of information you collect and how it is used. Consent must be straightforward and intelligible after users have been informed.
  • Clear affirmative action: A clear, affirmative action is any action that proves consent, whether it be the tick of a checkbox or the click of a button.

This specific and detailed definition of consent is designed to eradicate previously vague or implied methods of obtaining consent, ensuring that all users are fully aware of how their information is collected and used, as well as the choices they have regarding their own privacy.

Now that advertising cookies and user tracking are commonplace, it is understandable that consumers and their elected lawmakers wish to exert more control over personal information.

The Old Ways

It is important to differentiate between the new methods of obtaining consent under the GDPR versus the common "implied consent" that is still in widespread use today.

One way to understand this is to note the difference between browsewrap and clickwrap agreements.

A browsewrap agreement takes place when a website or mobile app posts links to its Privacy Policy throughout the platform, and it is assumed that because users have ample opportunity to read the Privacy Policy, they consent to everything it contains by default.

Novartis informs users that browsing their website is an automatic agreement to Privacy Policy terms. Note the text in all caps. This is a browsewrap agreement:

Novartis Privacy Policy: Intro clause

By contrast, a clickwrap agreement takes place when a user is provided with a link to the Privacy Policy or other terms and must manually click to accept those terms before using the online service.

Slack's mobile app requires users to agree to a Privacy Policy and Terms during the registration process. This is a clickwrap agreement:

Slack's Review the Terms consent box with "I Agree" - clickwrap

These two methods of creating a user agreement demonstrate the difference between the GDPR definition of valid consent and the old ways of automatically implying consent.

Remember: A clickwrap agreement is compliant with the GDPR, while a browsewrap agreement is not.

They say a picture is worth a thousand words, so here are a few visual examples of common practices that WILL NOT be considered valid consent under the GDPR regulation:

1. Do not assume you get valid user consent because you include something like the following paragraph in your Privacy Policy or Terms:

Wordfence Privacy Policy: Intro clause using browsewrap

The terminology above, found within the Wordfence Privacy Policy, is the very definition of implied consent. Businesses may no longer assume consent is given simply because a visitor browses or uses an online service.

The same goes for the use of cookies:

J.P. Morgan Cookie Policy: Important Notice Intro clause using browsewrap

J.P. Morgan's Cookie Policy implies consent with the statement "By using this site you agree to the placement of cookies on your computer in accordance with the terms of this policy." This is not compliant with GDPR policy.

2. Do not post a cookies notice that looks like this:

Novartis cookies pop-up notice using browsewrap for consent

This is the pop-up Cookies Notice that appears on the Novartis website.

Again, any terminology that states "By continuing to browse the site you are agreeing to accept our use of cookies" will no longer be considered compliant. The user must be informed about the site's use of cookies and take a clear, affirmative action to consent to that usage of their personal data.

3. Do not pre-tick checkboxes or assume automatic consent for marketing communications when a visitor registers for your service:

Apple's Create Apple ID form showing checkboxes pre-ticked: Not GDPR-compliant

The checkboxes for marketing communications from Apple's registration form are already pre-ticked when the user accesses the form, forcing them to untick the box in order to opt-out of communication. This is not unambiguous or freely-given consent under the GDPR.

Here's a different example from

Etsy's Create an Account form with no opt-in consent for marketing communications - Not GDPR-compliant

This form does not even give the consumer the option to opt-out, simply assuming their consent to receive marketing communications. This will not fly under the GDPR.

Now that we've looked at a few ways of how NOT to do things, let's take a look at the right way to obtain valid consent according to the GDPR.

Your Privacy Policy will describe all of the ways that you obtain and use the personal data of your users. Give your users multiple opportunities to access and read the Privacy Policy and request consent before they use your services:

PayPal's mobile Create Account form with clickwrap checkbox - GDPR-compliant

In addition to multiple links to the Privacy Policy throughout their mobile app, PayPal also asks users to click to agree to the Privacy Policy during the registration process.

Another way to request consent for your Privacy Policy or Terms is to include it within your cookies or GDPR notice:

Hewlett Packard cookies notice with Continue button for consent

Hewlett Packard Enterprise gives users a thorough explanation of their use of cookies as well as a prominent link to the Privacy Policy within the cookies notice that pops up upon navigating to their homepage.

They ask users to actively agree before browsing the website.

Although this may seem above and beyond the minimum requirements for the GDPR, there can be no doubt that users were given every opportunity to understand and consent to the collection of their personal information.

Although cookies notices have been required for EU companies for some time, they are now required for any business in the world that collects data about EU residents.

Now, users will need more than an informative cookies banner.

As demonstrated by the MailChimp cookies notice below, visitors must be informed of the types of cookies being used, what information they collect, and why.

In addition, users must click to agree to the cookies before they can be placed.

MailChimp's "Accept Cookies" footer banner notification

When the visitor clicks the "Cookies Settings" link in the notice above, a settings interface opens where visitors can toggle different types of cookies on or off:

MailChimp's Privacy Preference Center with cookies settings

Many businesses are approaching the cookies notice in this way, allowing users to choose which kinds of cookies they wish to accept. The Mailchimp cookies notice allows visitors to opt-in or out of marketing and browsing cookies, but not the basic functionality cookies.

Under the GDPR, only cookies that are required for the functionality of the website - and do not identify users - may be placed without consent. However, users should still be informed of the presence of these cookies within the cookies notice.

As of now, many businesses are still using the pre-ticked checkbox method for consent to receive marketing communications. As discussed above, this will not be considered a valid method of obtaining consent.

Instead, users must make a clear, affirmative action to accept marketing communications.

The checkbox is the simplest method, as shown below by BP.

BP Driver Rewards sign-up form with checkboxes for consent to receive emails and agree to Terms - GDPR-compliant

The GDPR strongly recommends that users are given more choices, options and relevant information whenever personal information is requested, as seen below:

Age UK's Miscellaneous Enquiry contact form with opt-in and consent for communications

In its miscellaneous enquiry contact form, Age UK gives users a choice between different contact methods. The great thing about this method is that some surveys show that consumers are more likely to consent to marketing communications if they are given more choices.

When given the opportunity to choose between email, telephone, text, or not at all, more people opt-in to some type of marketing communications over a total opt-out.

Sometimes even giving a simple choice between yes and no can increase opt-in statistics over the simple checkbox consent method.

Here's how Sainsbury's gives visitors a yes or no choice for receiving marketing communications:

Sainsbury's Contact permission form at registration with opt-in and opt-out options

After obtaining consumer consent, there are more stipulations from the GDPR about recording and keeping that consent:

GDPR Article 7: Conditions for Consent

As you can see in the screenshot of GDPR Article 7 above, there are four basic conditions when it comes to maintaining consent for data processing:

  1. Consent must be recorded and you should be prepared to provide proof of valid consent for every single EU consumer that you hold information on.

    On this point, many ask, "But what about the data I collected with noncompliant methods or never kept a record of?"

    The answer is, you may need to re-permission your entire database of EU consumers, especially if you plan to send them marketing communications.

    This may sound daunting, but it can be accomplished by sending an email that asks each user to update their information and confirm their consent for you to use or share their personal data.

    Here's an example of such an email from Litmus:

    Litmus email to confirm consent to stay subscribed

    Although you may lose a few users after implementing this method (those who ignore the email will need to be deleted), it will reduce your liability and the possibility of hefty fines.

  2. If consent is given within a page or interface that contains various elements, such as a registration form, the request for consent should be separate and easily distinguishable from other subject matter using clear and plain language.

    Jimmy Choo separates the marketing consent checkbox from other elements in the registration form, explaining what it means to subscribe:

    Jimmy Choo account registration form with checkboxes for opting in to marketing communications and agreeing to Privacy Policy

    Also note the small asterisks after some of the fields where information is requested that direct users to the checkbox where the Privacy Policy is linked.

    This isn't required, but it's a really nice touch and a helpful way to inform users that they can find information about why specific pieces of personal information are requested if they check out the Privacy Policy.

  3. Users must be provided with and informed of a way to withdraw consent at any time. Withdrawing consent should be as easy a process to complete as the process used to give consent.

    Auchan provides users with instructions on how to access and edit their personal data within the newsletter signup interface:

    Auchan newsletter subscribe form with information about how to access data and unsubscribe

    When people sign up for communications from Age UK, there's a statement letting them know that they can change their minds at any time by emailing the company:

    Age UK communications sign-up form with opt-out email address

  4. Consent will not be considered as "freely given" if the consumer is required to provide information that is not necessary to complete a service. In other words, don't collect any information that you do not need in order to provide your services.

Final Points to Keep in Mind

When it comes to the new laws regarding consent under the GDPR, it may be necessary to do an intensive data and consent analysis to make sure your methods and database are compliant.

Remember, not only should your consent request methods be compliant, you must also be prepared to provide a record of valid consent for each EU consumer in your database.

If you're not sure that you can do this, it may be necessary to perform a re-permission campaign.

Once you have all your consent ducks in a row, you can rest assured that your users will feel secure and well-informed, and you'll be able to legally obtain customers from anywhere in the world.

Jaclyn K.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.