To comply with GDPR, you must collect consent based on one of the six legal bases outlined in the regulations. Collecting individual consent directly from your customer is one example.
However, a one size fits all approach to consent collection will hurt your marketing efforts before you start.
In today’s blog we will take a closer look at consent under GDPR, review the clear conditions for valid consent and highlight examples of valid and invalid consent collection.
Consent under GDPR
GDPR defines consent as:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
From this definition, we can see that there are several conditions consent must meet to be considered valid.
- Freely Given: People must have a genuine choice & control over how you use their data. They must be able to refuse consent without detriment and must be able to withdraw consent at any time.
- Specific: Consent should not be bundled with other terms and conditions or as a service condition.
- Informed: Consent must cover the following:
- The Controller’s identity
- The purposes of the processing
- The processing activities
- The right to withdraw consent at any time
- Unambiguous indication: The person’s statement or affirmative action must leave no doubt as to their intention to give consent. If there is room for doubt, it is not valid consent.
How long does consent last? There is no specific timeframe for this, but consent will likely degrade over time. Often if your processing activities evolve, you will need to seek fresh consent.
Examples of valid and invalid consent collection practices
Invalid consent collection:
The above consent form does not fulfil any of the conditions required for valid consent under GDPR. Consent has not been freely given as the user has no option but to consent to register for a free account.
It is not informed or specific about how they will use the personal data. There is also no link to a Privacy Policy for more information.
While clicking the submit button is an affirmative action, it’s unclear if the user clicked to confirm consent or simply because they want to register for an account. This is considered an ambiguous indication.
Valid consent collection:
This consent collection fulfils the requirements for valid consent under GDPR. It is freely given as the user can submit the form without checkout the consent box. It is specific and informed as the user is told up front what specific processing activity their personal data will be used for.
There is also a link to the Privacy Policy for more information. Finally, the individual must take an affirmative action (tick the box) to unambiguously indicate their consent.
Common examples of invalid consent collection and how you can make them compliant
Hidden in Privacy policy
The above is not valid consent. The individual is not informed about the specific purposes they consent to their data being processed for.
This consent is also not freely given as the individual has no option but to consent if they want to register for an account.
They are also not informed of their right to withdraw consent. Although clicking the submit button is an affirmative action, it’s unclear if they have clicked the button because they consent or want to register for an account.
How to make it compliant:
Grouped
Initially, this example might seem like valid consent. The user is informed about the data processing purposes, there is a link to the privacy policy, they have to take an affirmative action (tick the box), and they can register for an account without consenting.
However, the consent is not specific or freely given. The consent is grouped or bundled. The individual has no option but to consent to two types of processing (direct marketing and sharing data with affiliates or third parties for direct marketing purposes).
For this to be valid consent, there should be two separate checkboxes, one for each type of processing the individual is being asked to consent to. There should also be more information about the affiliates.
How to make it compliant:
Make sure you separate your requests so your users know what they are consenting to, and you know exactly what you can do with that data. It’s a win-win.
Pre-ticked
Again, this example might seem like valid consent. The individual is informed about the purpose of the processing, there is a link to the privacy policy for more information, they can give specific consent for each communication channel, and they can register for an account without consenting.
However, clicking submit on this form is not an unambiguous indication of consent. Because the checkboxes are pre-ticked, it is unclear if the individual has read all the text and understands that they have consented or if they just meant to submit the form.
For this to be valid consent, the checkboxes should be unticked so that the individual can take clear affirmative actions that they consent.
How to make it compliant:
Consent Collection Takeaways
From the above examples it is clear that it is important to ensure your consent collection is:
- Freely given – not a condition of anything else
- Specific – do not group consent
- Informed – purpose for processing and right to withdraw consent explained up front and a link to the Privacy policy for more information
- Unambiguous indication – make sure it is opt-in – the individual has to take an affirmative action to show they consent
