In this article we guide you through the most important characteristics of consent under GDPR. We also talk about GDPR consent manager – a useful tool that helps you collect, manage, and store all the relevant data in alignment with the new EU law.
New rules around consent can lead to a lot of sleepless nights. However, it must be remembered that the new Regulation was created for a reason: to protect users' privacy and to restore trust and transparency between ordinary people and the entities that process their data.
Studies show that there’s a lot of work to be done.
The 2017 State of Consumer Privacy and Trust survey conducted by Gigya found that 68% of respondents don’t trust brands to handle their personal information appropriately.
A telling result, right?
Now it’s about to change.
Ok, but what exactly is going to change?
As you surely know, GDPR introduces some major shifts in many aspects of processing users’ data.
The new law also makes significant changes to the definition of consent. Here's a comparison of the new definition with the one from the 1995 Data Protection Directive.
Directive 95/46/EC, Article 2(h):
Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed
GDPR (Regulation 2016/679), Article 4(11):
Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
As you can see, GDPR adds two requirements: consent must now be unambiguous, and it must be signalled by a statement or by a clear affirmative action.
What it really means
Suffice it to say that the definition of consent is rather general and doesn't provide you with actionable tips for your compliance strategy. But don't be afraid! Fortunately, there are many documents and guidelines interpreting the provisions of GDPR.
Consent as understood by Article 29 Working Party
One of the most important (and helpful!) of these guidelines is the one prepared by the Article 29 Working Party (WP29). Their "Guidelines on Consent under Regulation 2016/679" contain an overview of the elements of valid consent under Article 4(11) of GDPR: freely given, specific, informed, and unambiguously indicated.
Here is what the Article 29 Working Party has to say about each of the adjectives used in the definition.
Freely given
This element makes it easier to judge whether visitors to your website can genuinely decide for themselves if they want you to process their data. WP29 warns that this will rarely be the case where the data controller is a public authority or an employer: the balance of power is skewed, so there is a real risk that users' consent will not be truly voluntary.
Such an organization should rely on one of the other five lawful bases for processing (Article 6(1) of GDPR lists six in total, consent being only one of them).
Also, it's important to emphasize that consent should never be a precondition for using your site or taking advantage of your services. For instance, it can't be buried in the terms and conditions of a website: bundling the consent request with other matters deprives the user of a genuinely free choice.
Important tip: If you can't offer your users a genuinely free choice about the processing of their data, consent is not the right legal basis for you. In this scenario, you should rely on one of the other lawful bases for processing users' personal data.
Specific
According to WP29, consent is specific only when the controller ensures:
- Purpose specification as a safeguard against function creep,
- Granularity in consent requests, and
- Clear separation of information related to obtaining consent for data processing activities from information about other matters.
As you can see, the Article 29 Working Party guidelines advise you to state each purpose for which you use personal data. That way, you'll make sure users give you specific consent for processing their data in a particular way.
In practice, this means you'll need a separate consent for every use of personal data. For example: one for content personalization and another for remarketing campaigns; one for first-party cookies and another for third-party cookies. Each of these should appear as its own choice in the consent box shown to users when they visit your page for the first time.
However, it’s likely that not every purpose for using personal data will require direct user consent.
Some experts predict that the Regulation on Privacy and Electronic Communications (also known as the ePrivacy Regulation), in its current and still not final draft form, will exempt from this list, among other things, cookies used exclusively for analytics purposes.
Unfortunately, we still have to wait to see how everything unfolds when the regulation takes its final form. Until then, it's safest to assume that using web analytics trackers will also require consent.
Important tip: Make sure that your cookie consent box lists every purpose you have for using personal data. Otherwise, you can’t say that your users’ consents were specific.
Informed
The most important point here is that you must clearly explain to people what they are signing up for. Individuals should be told who the controller is and that they are consenting to the processing of their personal data. Additionally, they should be made aware of their rights concerning the consent they give, such as the right to withdraw it, the right to have their data corrected, and their other rights under GDPR.
Also, the request for consent needs to be:
- easy to understand,
- separate from other terms and conditions, and
- presented in plain language.
If your consent request doesn't meet these requirements (in other words, it's vague, difficult to understand, or not separate from other matters), the consent obtained through it will be considered invalid.
Unambiguous
The word unambiguous means there should be no doubt that the data subject has agreed to the data processing. Later in the guidelines, WP29 gives more detail on the range of possible mechanisms by which data subjects can take a clear affirmative action. These include:
- ticking a box,
- swiping on a screen,
- waving in front of a smart camera,
- turning a smartphone around clockwise or in a figure-eight motion.
It means that consent is valid only when the data subject actually had to do something in order to agree to your request. Pre-ticked boxes, silence, or inactivity on the user's part do not count as consent (Recital 32 of GDPR says so explicitly).
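The requirements above (one unticked choice per purpose, plain-language descriptions, no bundling with the terms, only an explicit action counting as consent, and withdrawal that keeps the original evidence) translate into a small amount of front-end logic. The following is an added example written for this article; it is not code from the GDPR Consent Manager product or from any real consent-management API. The purpose names, the `noticeVersion` string, and the shape of the stored record are assumptions chosen for illustration.

```javascript
// Added example: a minimal consent-record model for a cookie banner.
// Illustrative code for this article, not the article's product or any
// real consent-manager API. Purpose names, the notice version string and
// the record layout are assumptions.

// The purposes the banner lists, one tick box each (assumed names).
const PURPOSES = [
  "content_personalization",
  "remarketing",
  "first_party_cookies",
  "third_party_cookies",
];

// Lint a banner configuration against the WP29 points discussed above:
// every purpose is listed and described in plain language, nothing is
// pre-ticked, and the request is not bundled into the terms and conditions.
function validateBannerConfig(config) {
  const errors = [];
  const purposes = config.purposes || [];
  if (purposes.length === 0) {
    errors.push("no purposes listed: consent cannot be specific");
  }
  for (const p of purposes) {
    if (config.defaults && config.defaults[p] === true) {
      errors.push(`purpose '${p}' is pre-ticked`);
    }
    if (!config.descriptions || !config.descriptions[p]) {
      errors.push(`purpose '${p}' has no plain-language description`);
    }
  }
  if (config.bundledWithTerms) {
    errors.push("consent request is bundled with the terms and conditions");
  }
  return errors;
}

// Turn the submitted form state into a stored consent record.
// Only a box explicitly set to boolean true counts as an affirmative
// action; "on", 1, undefined or a missing key are treated as no consent,
// so a buggy form or a missing field can never grant anything by accident.
function recordConsent(submission, noticeVersion, now = () => new Date().toISOString()) {
  const granted = PURPOSES.filter((p) => submission[p] === true);
  return {
    noticeVersion,   // which wording the user actually saw
    grantedAt: now(),
    granted,         // purposes consented to, one by one
    withdrawn: {},   // purpose -> timestamp of withdrawal
  };
}

// Withdrawal must be as easy as giving consent. The grant is kept and
// annotated rather than deleted, so the original evidence survives.
function withdrawConsent(record, purpose, now = () => new Date().toISOString()) {
  if (record.granted.includes(purpose) && !(purpose in record.withdrawn)) {
    record.withdrawn[purpose] = now();
  }
  return record;
}

// The check every data-using component should call before acting.
function mayProcess(record, purpose) {
  return record.granted.includes(purpose) && !(purpose in record.withdrawn);
}
```

The deliberate strictness in `recordConsent` (only `=== true` counts) is the code-level version of "no pre-ticked boxes": whatever the form or a third-party script sends, nothing short of an explicit, per-purpose affirmative value is recorded as consent.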
A helpful guide to GDPR Consent Manager
We hope that all these requirements haven't scared you too much. Of course, the new demands change many things in the way you deal with data, but there is a range of solutions and possible scenarios for ensuring compliance with the new law.
That’s why we decided to put together an exhaustive guide on collecting user consents under GDPR. We’ve titled it A Practical Guide to Acquiring Consent in the Age of GDPR, and it will:
- describe more characteristics of proper GDPR consent,
- present you with actionable tips on consent prepared by the Information Commissioner’s Office and the Article 29 Working Party,
- show you some practical examples of GDPR-compliant consent requests,
- discuss five more legal grounds for processing user data,
- detail the most important principles of storing user consents,
- and much more!
What’s more, we’ll present the most important advantages of GDPR Consent Manager – a tool designed to collect, manage, and store user consents.
Read our exhaustive guide on collecting, managing, and storing user consents, plus learn the ways GDPR Consent Manager can help you remain privacy compliant.
Download FREE Guide