Last updated on 01 July 2022 by Jaclyn Kilani (Legal writer at TermsFeed)
One of the biggest changes that the GDPR brought about is how businesses obtain valid consent to collect and use personal information from EU citizens.
Before the GDPR, there were a variety of ways that consent could be obtained.
The GDPR changed that and made consent requirements far more specific and strict.
This article will take a look at exactly how the GDPR affected consent, and what you can do to make sure your methods of obtaining consent are compliant if they aren't already.
Unless your business is located under a very large rock, you are aware of the GDPR - the sweeping privacy regulation that went live on May 25, 2018.
Although it would take an entire e-book to explain the full intricacies of the GDPR , here is a simplified list of its key guidelines:
Almost all online businesses across the world will be affected by the GDPR. Any company that collects personal information from residents of the EU will be required to comply.
According to the GDPR's definition of personal data, if your website or mobile app has collected or will collect so much as an IP address from an EU resident, then you will be required to process that data in compliance with GDPR regulations.
Here's how the GDPR defines "personal information" in Article 4:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Gone are the days of pre-ticked checkboxes and implied consent. The GDPR is extremely specific when it comes to defining valid consent:
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
Let's dissect this statement.
There are four different prerequisites that must be met for consent to be considered valid:
This specific and detailed definition of consent is designed to eradicate previously vague or implied methods of obtaining consent, ensuring that all users are fully aware of how their information is collected and used, as well as the choices they have regarding their own privacy.
Now that advertising cookies and user tracking are commonplace, it is understandable that consumers and their elected lawmakers wish to exert more control over personal information.
It is important to differentiate between the new methods of obtaining consent under the GDPR versus the common "implied consent" that is still in widespread use today.
One way to understand this is to note the difference between browsewrap and clickwrap agreements.
These two methods of creating a user agreement demonstrate the difference between the GDPR definition of valid consent and the old ways of automatically implying consent.
Remember: A clickwrap agreement is compliant with the GDPR, while a browsewrap agreement is not.
They say a picture is worth a thousand words, so here are a few visual examples of common practices that WILL NOT be considered valid consent under the GDPR regulation:
The terminology in the old Novartis example above is a great example of what not to do, and is the very definition of implied consent. Businesses may no longer assume consent is given simply because a visitor browses or uses an online service.
Consent here is implied by the browsewrap statement "By using this site you agree to the placement of cookies on your computer in accordance with the terms of this policy."
This is not compliant with GDPR policy.
2. Do not post a cookie consent notice that looks like this:
3. Do not pre-tick checkboxes or assume automatic consent for marketing communications when a visitor registers for your service:
The checkboxes for marketing communications from Apple's registration form are already pre-ticked when the user accesses the form, forcing them to untick the box in order to opt-out of communication. This is not unambiguous or freely-given consent under the GDPR.
Here's a different example from Etsy:
This form does not even give the consumer the option to opt out, simply assuming their consent to receive marketing communications. This will not fly under the GDPR.
The Information Commissioner's Office in the UK provides a useful and detailed overview of consent in a GDPR world. From this advice, we've come up with a checklist for creating meaningful consent that complies with the GDPR:
Consent requires an active, positive opt-in to your data policy.
The first time someone navigates to your site for the first time or after a serious policy change, consent needs to be obtained. Give them a box to manually check or an "Agree" button to click.
If you're adding in multiple options like allowing them to agree to your Terms and Conditions in one clause and your Privacy Notice separately, then both must include the same prominence.
Here's an example of how to obtain GDPR-compliant consent for legal agreements, and separately to send marketing communications:
Consent doesn't just mean securing affirmative consent. It also requires you to make it easier for people to understand what their consent means.
Always make your policies and agreements easily accessible, especially at the moment you're asking for consent.
Here's an example from Lancome:
Cookies aren't a big focus of the GDPR, but they are mentioned explicitly. Cookies are now personal data when they can be used to identify a person.
Under the GDPR, only cookies that are required for the functionality of the website - and do not identify users - may be placed without consent. However, users should still be informed of the presence of these cookies within the cookies notice.
A common way of creating cookie consent is notifying users with a pop-up banner the first time the person visits the website. The notice can be customized for your site, and each one is a bit different, but at a minimum it should have a way for users to accept cookies, reject them, or customize their consent further.
Remember, it must be as easy to reject cookies as it is to accept them.
GOV.UK includes a short notice about what it's trying to do with cookies, as well as an accept and reject option, and an option to view specific cookies:
Here's how Credit Agricole does it similarly while also offering a "Cookies Management" option for more customized consent and rejection:
Bain and Company prominently links to its Privacy and Cookie Policies, and includes a short summary of each type of cookie it uses. Users are then able to select whether they want to allow all cookies, or only the ones that are absolutely required for the website to work properly:
Request that your users take a clear, affirmative action to consent to marketing communications.
The checkbox is the simplest method, as shown below by Age UK.
The GDPR strongly recommends that users are given more choices, options and relevant information whenever personal information is requested, which Age UK also does nicely.
This also helps your business, as when given the opportunity to choose between email, telephone, text, or not at all, more people opt-in to some type of marketing communications over a total opt-out.
As previously mentioned, browsewrap practices no longer count as consent under the GDPR. This means that if you previously used that method of obtaining consent and must comply with the GDPR, it's time to update your agreements and policies to remove this language.
Consent is no longer an action but a process. European users now have the right to provide and withdraw consent when they choose without impacting their service.
Your responsibility is to inform users how to withdraw consent. It must be as easy to opt out as it is to opt in, and you can't punish users for choosing to opt out.
When users sign up for something, you can let them know at that time that they can opt out at any time, like in this subscribe form from WebMD:
You can also utilize forms and interfaces to make it more convenient, easy and streamlined for users to make adjustments, such one like this:
Here's a quick, basic but effective example from Century 21 did just that:
To deal with privacy concerns, users can send an email, a letter, or call the company.
When it comes to the laws regarding consent under the GDPR, it may be necessary to do an intensive data and consent analysis to make sure your methods and database are compliant.
Remember, not only should your consent request methods be compliant, you must also be prepared to provide a record of valid consent for each EU consumer in your database.
If you're not sure that you can do this, it may be necessary to perform a re-permission campaign.
Once you have all your consent ducks in a row, you can rest assured that your users will feel secure and well-informed, and you'll be able to legally obtain customers from anywhere in the world.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
01 July 2022