Consent Under the GDPR

Last updated on 01 July 2022 by Jaclyn Kilani (Legal writer at TermsFeed)

Consent Under the GDPR

One of the biggest changes that the GDPR brought about is how businesses obtain valid consent to collect and use personal information from EU citizens.

Before the GDPR, there were a variety of ways that consent could be obtained.

The GDPR changed that and made consent requirements far more specific and strict.

This article will take a look at exactly how the GDPR affected consent, and what you can do to make sure your methods of obtaining consent are compliant if they aren't already.



Who Does the GDPR Apply to?

Unless your business is located under a very large rock, you are aware of the GDPR - the sweeping privacy regulation that went live on May 25, 2018.

Although it would take an entire e-book to explain the full intricacies of the GDPR , here is a simplified list of its key guidelines:

Almost all online businesses across the world will be affected by the GDPR. Any company that collects personal information from residents of the EU will be required to comply.

According to the GDPR's definition of personal data, if your website or mobile app has collected or will collect so much as an IP address from an EU resident, then you will be required to process that data in compliance with GDPR regulations.

Here's how the GDPR defines "personal information" in Article 4:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

The GDPR's Definition of Valid Consent

Gone are the days of pre-ticked checkboxes and implied consent. The GDPR is extremely specific when it comes to defining valid consent:

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

Let's dissect this statement.

There are four different prerequisites that must be met for consent to be considered valid:

  • Freely-given: This means that the user is given a clear choice on whether to provide personal data or not. Simply navigating or using an online service does not imply consent.
  • Specific: Visitors must agree specifically to each use of their information, such as sharing for analytics or marketing purposes.
  • Informed and unambiguous: Inform users of each type of information you collect and how it is used. Consent must be straightforward and intelligible after users have been informed.
  • Clear affirmative action: A clear, affirmative action is any action that proves consent, whether it be the tick of a checkbox or the click of a button.

This specific and detailed definition of consent is designed to eradicate previously vague or implied methods of obtaining consent, ensuring that all users are fully aware of how their information is collected and used, as well as the choices they have regarding their own privacy.

Now that advertising cookies and user tracking are commonplace, it is understandable that consumers and their elected lawmakers wish to exert more control over personal information.

It is important to differentiate between the new methods of obtaining consent under the GDPR versus the common "implied consent" that is still in widespread use today.

One way to understand this is to note the difference between browsewrap and clickwrap agreements.

A browsewrap agreement takes place when a website or mobile app posts links to their Privacy Policy throughout the platform and so it is assumed that since users have ample opportunity to read the Privacy Policy, they must consent to everything it contains by default.

Here's an example of how Novartis used to inform users that browsing its website was an automatic agreement to Privacy Policy terms. Note the text in all caps. This is a browsewrap agreement:

Novartis Privacy Policy: Intro clause

By contrast, a clickwrap agreement takes place when a user is provided with a link to the Privacy Policy or other terms and must manually click to accept those terms before using the online service.

In the following image, a user must click a statement that says "I Agree" to show that they agree to a Privacy Policy and Terms during the registration process. This is a clickwrap agreement:

Slack's Review the Terms consent box with "I Agree" - clickwrap

These two methods of creating a user agreement demonstrate the difference between the GDPR definition of valid consent and the old ways of automatically implying consent.

Remember: A clickwrap agreement is compliant with the GDPR, while a browsewrap agreement is not.

They say a picture is worth a thousand words, so here are a few visual examples of common practices that WILL NOT be considered valid consent under the GDPR regulation:

1. Do not assume you get valid user consent because you include a paragraph in your Privacy Policy or Terms that says using your site or app means users consent.

The terminology in the old Novartis example above is a great example of what not to do, and is the very definition of implied consent. Businesses may no longer assume consent is given simply because a visitor browses or uses an online service.

The same goes for the use of cookies or for getting consent to a Cookies Policy:

J.P. Morgan Cookie Policy: Important Notice Intro clause using browsewrap

Consent here is implied by the browsewrap statement "By using this site you agree to the placement of cookies on your computer in accordance with the terms of this policy."

This is not compliant with GDPR policy.

2. Do not post a cookie consent notice that looks like this:

Novartis cookies pop-up notice using browsewrap for consent

Again, any terminology that states "By continuing to browse the site you are agreeing to accept" anything will no longer be considered compliant. The user must be informed about the site's use of cookies, etc., and take a clear, affirmative action to consent to that usage of their personal data.

3. Do not pre-tick checkboxes or assume automatic consent for marketing communications when a visitor registers for your service:

Apple's Create Apple ID form showing checkboxes pre-ticked: Not GDPR-compliant

The checkboxes for marketing communications from Apple's registration form are already pre-ticked when the user accesses the form, forcing them to untick the box in order to opt-out of communication. This is not unambiguous or freely-given consent under the GDPR.

Here's a different example from Etsy:

Etsy Register Account form with browsewrap section highlighted

This form does not even give the consumer the option to opt out, simply assuming their consent to receive marketing communications. This will not fly under the GDPR.

How to Get GDPR-Compliant Consent

The Information Commissioner's Office in the UK provides a useful and detailed overview of consent in a GDPR world. From this advice, we've come up with a checklist for creating meaningful consent that complies with the GDPR:

  • Update your opt-in mechanism
  • Keep users informed by directing them to your Privacy Policy
  • Add new consent for cookies
  • Update your policies to remove browsewrap
  • Inform users how to withdraw consent

Update Your Opt-In Mechanism

Consent requires an active, positive opt-in to your data policy.

The first time someone navigates to your site for the first time or after a serious policy change, consent needs to be obtained. Give them a box to manually check or an "Agree" button to click.

If you're adding in multiple options like allowing them to agree to your Terms and Conditions in one clause and your Privacy Notice separately, then both must include the same prominence.

Here's an example of how to obtain GDPR-compliant consent for legal agreements, and separately to send marketing communications:

Adobe ID Sign-up form with checkboxes for clickwrap consent for Terms of Use, Privacy Policy and email

Keep Users Informed: Direct them to Your Privacy Policy

Consent doesn't just mean securing affirmative consent. It also requires you to make it easier for people to understand what their consent means.

While most of us don't review a site's Privacy Policy before we browse, the EU wants you to put your Privacy Policy right under visitors' noses. It also wants those policies to be easy to read and understand. No legalese allowed. No tiny fonts. No never-ending paragraphs.

Your Privacy Policy will describe all of the ways that you obtain and use the personal data of your users. Give your users multiple opportunities to access and read the Policy Policy and request consent before they use your services.

In the last example above, note how the Privacy Policy is linked to the notice where consent is requested. Users can easily access the policy for more information.

Always make your policies and agreements easily accessible, especially at the moment you're asking for consent.

The golden rule here is two-part. First, always place a link to your Privacy Policy or Terms agreement in your website footer, like this from Sunday Business Post:

Always request explicit, clickwrap consent for your Privacy Policy or Terms anywhere where you collect personal information, such as in an account sign-up form, an email subscription form, a contact form or when a customer enters financial information to make a purchase.

Here's an example from Lancome:

Lancome contact form with consent checkbox and CA Privacy Policy links highlighted

Cookies aren't a big focus of the GDPR, but they are mentioned explicitly. Cookies are now personal data when they can be used to identify a person.

Under the GDPR, only cookies that are required for the functionality of the website - and do not identify users - may be placed without consent. However, users should still be informed of the presence of these cookies within the cookies notice.

A common way of creating cookie consent is notifying users with a pop-up banner the first time the person visits the website. The notice can be customized for your site, and each one is a bit different, but at a minimum it should have a way for users to accept cookies, reject them, or customize their consent further.

Remember, it must be as easy to reject cookies as it is to accept them.

GOV.UK includes a short notice about what it's trying to do with cookies, as well as an accept and reject option, and an option to view specific cookies:

Gov UK cookie consent banner with Accept and Reject buttons

Here's how Credit Agricole does it similarly while also offering a "Cookies Management" option for more customized consent and rejection:

Credit Agricole homepage with cookie consent notice highlighted

Bain and Company prominently links to its Privacy and Cookie Policies, and includes a short summary of each type of cookie it uses. Users are then able to select whether they want to allow all cookies, or only the ones that are absolutely required for the website to work properly:

Bain and Company cookie consent notice

Request that your users take a clear, affirmative action to consent to marketing communications.

The checkbox is the simplest method, as shown below by Age UK.

Age UK communications sign-up form with opt-out email address

The GDPR strongly recommends that users are given more choices, options and relevant information whenever personal information is requested, which Age UK also does nicely.

This also helps your business, as when given the opportunity to choose between email, telephone, text, or not at all, more people opt-in to some type of marketing communications over a total opt-out.

Turn2Us account register form with communications opt-in checkboxes highlighted

Update Your Policies to Remove Browsewrap

As previously mentioned, browsewrap practices no longer count as consent under the GDPR. This means that if you previously used that method of obtaining consent and must comply with the GDPR, it's time to update your agreements and policies to remove this language.

Consent is no longer an action but a process. European users now have the right to provide and withdraw consent when they choose without impacting their service.

Your responsibility is to inform users how to withdraw consent. It must be as easy to opt out as it is to opt in, and you can't punish users for choosing to opt out.

When users sign up for something, you can let them know at that time that they can opt out at any time, like in this subscribe form from WebMD:

WebMD newsletter sign-up form with opt-out highlighted

You can include instructions in your Privacy Policy and/or Terms and Conditions for how to opt out or adjust consent preferences, like so:

H and M Privacy Notice: How to withdraw your cookie consent clause

You can also utilize forms and interfaces to make it more convenient, easy and streamlined for users to make adjustments, such one like this:

GDPR user rights form with opt-out highlighted

The more traditional method of allowing users to opt out or withdraw consent involves adding contact details to your Privacy Policy.

Here's a quick, basic but effective example from Century 21 did just that:

Century21 Privacy Notice: Contact Us clause

To deal with privacy concerns, users can send an email, a letter, or call the company.

Final Points to Keep in Mind

When it comes to the laws regarding consent under the GDPR, it may be necessary to do an intensive data and consent analysis to make sure your methods and database are compliant.

Remember, not only should your consent request methods be compliant, you must also be prepared to provide a record of valid consent for each EU consumer in your database.

If you're not sure that you can do this, it may be necessary to perform a re-permission campaign.

Once you have all your consent ducks in a row, you can rest assured that your users will feel secure and well-informed, and you'll be able to legally obtain customers from anywhere in the world.

Create Privacy Policy, Terms & Conditions and other legal agreements in a few minutes. Free to use, free to download.

Get started today ⇢

Screenshot of TermsFeed Generator

Jaclyn Kilani

Jaclyn Kilani

Legal writer at TermsFeed

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.