Legal writer at TermsFeed.
On this page
- 1. Basics of the GDPR
- 2. Who Does the GDPR Apply to?
- 3. The GDPR's Definition of Valid Consent
- 3.1. The Old Ways of Obtaining Consent
- 3.2. How NOT to Obtain Consent
- 4. How to Get GDPR-Compliant Consent
- 4.1. Update Your Opt-In Mechanism
- 4.3. Get Consent for Cookies
- 4.4. Get Consent for Marketing Communications
- 4.5. Update Your Policies to Remove Browsewrap
- 4.6. Inform Users How to Withdraw Consent
- 5. Final Points to Keep in Mind
Consent under the GDPR are quite specific and strict, requiring it to be clearly given in an overt and active way.
This article will take a look at exactly what the GDPR requires when it comes to consent, and what you can do to make sure your methods of obtaining consent are compliant if they aren't already.
Use our Cookie Consent all-in-one solution (Privacy Consent) for cookies management to comply with GDPR & CCPA and other privacy laws:
- For GDPR, CCPA and other privacy laws
- Apply privacy requirements based on user location
- Get consent prior to third-party scripts loading
- Works for desktop, tables and mobile devices
- Customize the appearance to match your brand style
Create your Cookie Consent banner today to comply with GDPR, CCPA and other privacy laws:
Start the Privacy Consent wizard to create the Cookie Consent code by adding your website information.
At Step 2, add in information about your business.
At Step 3, select a plan for the Cookie Consent.
You're done! Your Cookie Consent Banner is ready. Install the Cookie Consent banner on your website:
Display the Cookie Consent banner on your website by copy-paste the installation code in the
</head>section of your website. Instructions how to add in the code for specific platforms (WordPress, Shopify, Wix and more) are available on the Install page.
Basics of the GDPR
Although it would take an entire e-book to explain the full intricacies of the GDPR , here is a simplified list of its key guidelines:
- If you rely on consent as your legal basis for collecting personal data, you must obtain and record the express consent of each user before collecting any data.
- GDPR-compliant Privacy Policies must be easy to understand and easy to access.
- Personal data that you collect must be accessible to users for their viewing, editing, or deleting. (In other words, you must facilitate user rights granted by the GDPR.)
- Privacy and data security should be infused into general business practices by default (Privacy by Design).
Who Does the GDPR Apply to?
Almost all online businesses across the world will be affected by the GDPR. Any company that collects personal information from residents of the EU will be required to comply.
According to the GDPR's definition of personal data, if your website or mobile app has collected or will collect so much as an IP address from an EU resident, then you will be required to process that data in compliance with GDPR regulations.
Here's how the GDPR defines "personal information" in Article 4:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
The GDPR's Definition of Valid Consent
The GDPR is extremely specific when it comes to defining valid consent:
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
Let's dissect this statement.
There are four different prerequisites that must be met for consent to be considered valid:
- Freely-given: This means that the user is given a clear choice on whether to provide personal data or not. Simply navigating or using an online service does not imply consent.
- Specific: Visitors must agree specifically to each use of their information, such as sharing for analytics or marketing purposes.
- Informed and unambiguous: Inform users of each type of information you collect and how it is used. Consent must be straightforward and intelligible after users have been informed.
- Clear affirmative action: A clear, affirmative action is any action that proves consent, whether it be the tick of a checkbox or the click of a button.
This specific and detailed definition of consent is designed to eradicate previously vague or implied methods of obtaining consent, ensuring that all users are fully aware of how their information is collected and used, as well as the choices they have regarding their own privacy.
Now that advertising cookies and user tracking are commonplace, it is understandable that consumers and their elected lawmakers wish to exert more control over personal information.
The Old Ways of Obtaining Consent
It is important to differentiate between the new methods of obtaining consent under the GDPR versus the common "implied consent" that is still in widespread use today. One way to understand this is to note the difference between browsewrap and clickwrap agreements.
These two methods of creating a user agreement demonstrate the difference between the GDPR definition of valid consent and the old ways of automatically implying consent.
Remember: A clickwrap agreement is compliant with the GDPR, while a browsewrap agreement is not.
How NOT to Obtain Consent
Here are a few visual examples of common practices that WILL NOT be considered valid consent under the GDPR regulation:
The terminology in the old Novartis example above is a great example of what not to do, and is the very definition of implied consent. Businesses may no longer assume consent is given simply because a visitor browses or uses an online service.
Consent here is implied by the browsewrap statement "By using this site you agree to the placement of cookies on your computer in accordance with the terms of this policy."
This is not compliant with GDPR policy.
2. Do not post a cookie consent notice that looks like this:
3. Do not pre-tick checkboxes or assume automatic consent for marketing communications when a visitor registers for your service:
The checkboxes for marketing communications from Apple's registration form are already pre-ticked when the user accesses the form, forcing them to untick the box in order to opt-out of communication. This is not unambiguous or freely-given consent under the GDPR.
Here's a different example from Etsy:
This form does not even give the consumer the option to opt out, simply assuming their consent to receive marketing communications. This will not fly under the GDPR.
How to Get GDPR-Compliant Consent
The Information Commissioner's Office in the UK provides a useful and detailed overview of consent in a GDPR world. From this advice, we've come up with a checklist for creating meaningful consent that complies with the GDPR:
- Update your opt-in mechanism
- Add new consent for cookies
- Update your policies to remove browsewrap
- Inform users how to withdraw consent
Update Your Opt-In Mechanism
Consent requires an active, positive opt-in to your data policy. The first time someone navigates to your site for the first time or after a serious policy change, consent needs to be obtained. Give them a box to manually check or an "Agree" button to click.
If you're adding in multiple options like allowing them to agree to your Terms and Conditions in one clause and your Privacy Notice separately, then both must include the same prominence.
Here's an example of how to obtain GDPR-compliant consent for legal agreements, and separately to send marketing communications:
Always make your policies and agreements easily accessible, especially at the moment you're asking for consent.
Here's an example from Lancome:
Get Consent for Cookies
Under the GDPR, only cookies that are required for the functionality of the website - and do not identify users - may be placed without consent. However, users should still be informed of the presence of these cookies within the cookies notice.
A common way of creating cookie consent is notifying users with a pop-up banner the first time the person visits the website. The notice can be customized for your site, and each one is a bit different, but at a minimum it should have a way for users to accept cookies, reject them, or customize their consent further.
Remember, it must be as easy to reject cookies as it is to accept them.
GOV.UK includes a short notice about what it's trying to do with cookies, as well as an accept and reject option, and an option to view specific cookies:
Here's how Credit Agricole does it similarly while also offering a "Cookies Management" option for more customized consent and rejection:
Bain and Company prominently links to its Privacy and Cookie Policies, and includes a short summary of each type of cookie it uses. Users are then able to select whether they want to allow all cookies, or only the ones that are absolutely required for the website to work properly:
Get Consent for Marketing Communications
Request that your users take a clear, affirmative action to consent to marketing communications.
The checkbox is the simplest method, as shown below by Age UK.
The GDPR strongly recommends that users are given more choices, options and relevant information whenever personal information is requested, which Age UK also does nicely.
This also helps your business, as when given the opportunity to choose between email, telephone, text, or not at all, more people opt-in to some type of marketing communications over a total opt-out.
Update Your Policies to Remove Browsewrap
Browsewrap practices no longer count as consent under the GDPR. This means that if you previously used that method of obtaining consent and must comply with the GDPR, it's time to update your agreements and policies to remove this language.
Inform Users How to Withdraw Consent
Consent is no longer an action but a process. European users now have the right to provide and withdraw consent when they choose without impacting their service.
Your responsibility is to inform users how to withdraw consent. It must be as easy to opt out as it is to opt in, and you can't punish users for choosing to opt out.
When users sign up for something, you can let them know at that time that they can opt out at any time, like in this subscribe form from WebMD:
You can also utilize forms and interfaces to make it more convenient, easy and streamlined for users to make adjustments, such one like this:
Here's a quick, basic but effective example from Century 21 did just that:
To deal with privacy concerns, users can send an email, a letter, or call the company.
Final Points to Keep in Mind
When it comes to the laws regarding consent under the GDPR, it may be necessary to do an intensive data and consent analysis to make sure your methods and database are compliant.
Remember, not only should your consent request methods be compliant, you must also be prepared to provide a record of valid consent for each EU consumer in your database.
If you're not sure that you can do this, it may be necessary to perform a re-permission campaign.
Once you have all your consent ducks in a row, you can rest assured that your users will feel secure and well-informed, and you'll be able to legally obtain customers from anywhere in the world.