Best Practices for GDPR Consent
The United Kingdom’s Information Commissioner’s Office (ICO) created a booklet in 2017 to assist businesses and other organizations with understanding consent under the GDPR. The 39-page PDF provides a lot of guidance as to how to comply with the law. However, for those looking for a shorter version, there is a two-page checklist at the end. We have annotated this list to create our best practices for consent marketing.
Asking for Consent
We have checked that consent is the most appropriate lawful basis for processing.
There are five other lawful bases for processing, and the ICO suggests that users consider whether one of them is a more appropriate legal justification for processing the data than consent. This is because the GDPR sets a high standard for consent: to obtain valid consent, the organization must provide specific information and must document the consent it receives. Consent may also not be possible in certain cases, such as between employers and their employees, because of the imbalance of power.
We have made the request for consent prominent and separate from our terms and conditions.
We use clear, plain language that is easy to understand.
Transparency is a key principle of the GDPR and an important aspect of informed consent. Article 7(2) of the GDPR requires that consent given in the context of a written declaration concerning multiple matters must use clear and plain language in order to obtain valid consent for processing. The request for consent must also be intelligible, easily accessible and clearly distinguishable from other matters. As such, it must be prominent and not buried in the terms of service.
We ask people to positively opt in.
We don’t use pre-ticked boxes, or any other type of consent by default.
Article 4 defines consent as, in part, an unambiguous indication of the person’s wishes by a statement or a clear affirmative action. This, for all intents and purposes, eliminates silence, opt-out, and pre-ticked opt-in boxes as means of obtaining consent.
We specify why we want the data and what we’re going to do with it.
We have named our organisation and any third parties.
The GDPR requires an individual to be informed in order for their consent to be valid. Article 5 also requires that lawful processing occur in a transparent manner. If the person is not aware of the business that is collecting their information or the third parties that it will be shared with, then it will often be difficult to demonstrate that the data subject gave informed consent or that the organization is operating transparently within the scope of the consent that it received. Article 13 lists additional information that must be provided when the personal data is obtained, and that includes the identity and contact details of the controller.
We tell individuals they can withdraw their consent.
Article 7 requires that the person be told, at the time they give consent, that they can withdraw it. If this statement is not included, then the consent is not valid and may not be relied upon for lawful processing.
We give granular options to consent to independent processing operations.
The GDPR requires consent to be specific. It does not favor pre-packaged bundles; options should be selectable à la carte. Under the GDPR, consent is ultimately about an affirmative exercise of choice, and combining consent for independent processing operations diminishes that exercise of choice.
We ensure that the individual can refuse to consent without detriment.
We don’t make consent a precondition of a service.
Article 4(11) defines consent to include only a “freely given” indication of the person’s wishes. Article 7(4) further identifies the considerations for ensuring that a choice has been exercised. If there will be negative repercussions for declining to provide the consent, then it cannot be said that it is freely given. In addition, consent is insufficient when opt-in is required to receive the service but is in fact not a necessary part of the service. In other words, consent is only valid if it is a clear exercise of a choice.
If we offer online services directly to children, we only seek consent if we have age-verification and parental-consent measures in place.
Children are considered vulnerable individuals deserving of special protection under the GDPR, in addition to the standard rights offered to all individuals, children included. Article 8 allows for consent to be given on behalf of children under the age of consent only if consent is given by a parent or guardian (“the holder of parental responsibility”). The age of consent is set at 16 years by the GDPR, but a member state can lower it to as low as 13 years of age. The controller is required to make “reasonable efforts” to verify that consent is given by the parent or guardian. This is not required if you run a preventative or counselling service.
Learn more about GDPR consent for children.
We keep a record of when and how we got consent from the individual.
We keep a record of exactly what they were told at the time.
Article 7(1) requires that a controller be able to demonstrate consent in order to lawfully process based on consent. If it cannot be demonstrated that consent has been given, then processing the personal data is not lawful (unless another lawful basis applies). Because valid consent requires that the individual be informed, in clear and plain language, including about the right to withdraw consent, there must also be a record of exactly what the person was told at the time of consent.
We regularly review consents to check that the relationship, the processing and the purposes have not changed.
We have processes in place to refresh consent at appropriate intervals, including any parental consents.
There is no specified time limit on the length of a valid consent under the GDPR. However, refreshing consent may be required in order to use the personal data for a purpose other than what was explicitly specified when consent for processing was originally obtained. Additionally, a change in the relationship between the parties may ultimately be interpreted to change whether the consent remains freely given. For example, an individual may have consented to the processing of personal data while working at a third party but now be afraid to withdraw that consent after obtaining a new job at the controller of their data.
We consider using privacy dashboards or other preference management tools as a matter of good practice.
Although the rules do not explicitly require automated processes such as a privacy dashboard or preference management tool, these tools are in practice invaluable for ensuring that the right information is provided to consumers, that their preferences are tracked and honored, that they can easily withdraw their consent, and that consent is sufficiently documented to enable lawful processing. Since the rules require that it be as easy to withdraw consent as it is to give it, a preference management tool can be an easy way to offer both subscriptions and withdrawals in the same software platform.
We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
Article 7 requires that it be as easy to withdraw consent as it is to give consent. As interpreted, this means that it should be through the same platform and a similar manner. For example, if you swipe the screen in an app on your phone in order to indicate consent, you should also be able to swipe the screen in order to withdraw consent. The method of withdrawal must be publicised so that individuals have the information necessary to exercise their right to withdraw consent.
The consent withdrawal must be honored. The Article 29 Working Party has also warned that controllers which initially obtain consent cannot migrate to another lawful basis if the data subject withdraws consent.
We act on withdrawals of consent as soon as we can.
As individuals have the right to withdraw consent at any time, there should be minimal delay between the exercise of the right and the cessation of further processing. Consent only makes processing lawful up to the point of withdrawal. Article 12 further outlines the timeline for the exercise of the rights in Articles 15-22 as “without undue delay”, so this may ultimately become the same standard for ending processing based on consent.
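The record-keeping items above (when and how consent was obtained, and exactly what the person was told) and the withdrawal items (withdrawal honored promptly, with processing lawful only up to the point of withdrawal) are the parts of the checklist that an engineering team has to implement. The following consent ledger is an added example written for this page; it is not code from Clarip, the ICO or the GDPR text. It assumes a single controller keeping one record per person and per independent purpose, and the names (`ConsentLedger`, `may_process`, `evidence`) and the sample data in `run_scenario` are constructed for illustration.

```python
"""Added example: a minimal consent ledger that can demonstrate consent
(Article 7(1)) and stop processing after withdrawal. Names and data are
constructed for illustration; this is not Clarip's or the ICO's code."""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib


@dataclass
class ConsentRecord:
    """One record per person and per independent purpose (granular consent)."""
    subject_id: str
    purpose: str                 # e.g. "newsletter"; profiling would be a separate record
    method: str                  # how consent was captured, e.g. "unticked web checkbox"
    notice_text: str             # the exact wording the person saw at the time
    withdrawal_method: str       # what they were told about how to withdraw
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def notice_hash(self) -> str:
        # Fingerprint of the notice text so a stored copy can be matched to this record.
        return hashlib.sha256(self.notice_text.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only store of consent records plus a human-readable audit trail."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []
        self.audit: list[str] = []

    def record_consent(self, subject_id: str, purpose: str, method: str,
                       notice_text: str, withdrawal_method: str,
                       given_at: datetime, affirmative: bool) -> ConsentRecord:
        # Article 4(11): only a clear affirmative action counts. The capturing
        # code states whether the person actively opted in; a default is refused.
        if not affirmative:
            raise ValueError("consent must be a clear affirmative action, not a default")
        # Article 7: the person must have been told what they consent to and that
        # they can withdraw; without the wording nothing can be demonstrated later.
        if not notice_text.strip() or not withdrawal_method.strip():
            raise ValueError("notice text and withdrawal instructions must be recorded")
        rec = ConsentRecord(subject_id, purpose, method, notice_text,
                            withdrawal_method, given_at)
        self._records.append(rec)
        self.audit.append(f"{given_at.isoformat()} consent given {subject_id}/{purpose} via {method}")
        return rec

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> int:
        """Mark every active consent for this subject and purpose as withdrawn."""
        count = 0
        for rec in self._records:
            if (rec.subject_id == subject_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = at
                count += 1
        self.audit.append(f"{at.isoformat()} consent withdrawn {subject_id}/{purpose} ({count} record(s))")
        return count

    def may_process(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """True if consent for exactly this purpose was in force at time `at`.
        Consent covers the window between giving and withdrawal only, so earlier
        processing stays lawful while anything after the withdrawal does not."""
        return any(
            rec.subject_id == subject_id and rec.purpose == purpose
            and rec.given_at <= at
            and (rec.withdrawn_at is None or at < rec.withdrawn_at)
            for rec in self._records
        )

    def evidence(self, subject_id: str, purpose: str) -> list[dict]:
        """Everything needed to demonstrate consent: when, how, and what was shown."""
        out = []
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose:
                item = asdict(rec)
                item["notice_hash"] = rec.notice_hash
                out.append(item)
        return out


def run_scenario() -> dict:
    """Constructed walkthrough: consent given, used, withdrawn, then checked."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    notice = ("We will email you our monthly newsletter. You can withdraw at any time "
              "from the preferences page and we will stop as soon as we can.")
    ledger.record_consent("user-42", "newsletter", "unticked web checkbox", notice,
                          "preferences page toggle", t0, affirmative=True)
    ledger.withdraw("user-42", "newsletter", t0 + timedelta(days=30))
    try:  # a pre-ticked box for a second purpose is refused, not recorded
        ledger.record_consent("user-42", "profiling", "pre-ticked box", notice,
                              "preferences page toggle", t0, affirmative=False)
        default_refused = False
    except ValueError:
        default_refused = True
    return {
        "before": ledger.may_process("user-42", "newsletter", t0 - timedelta(days=1)),
        "during": ledger.may_process("user-42", "newsletter", t0 + timedelta(days=10)),
        "after": ledger.may_process("user-42", "newsletter", t0 + timedelta(days=31)),
        "other_purpose": ledger.may_process("user-42", "profiling", t0 + timedelta(days=10)),
        "default_refused": default_refused,
        "evidence": ledger.evidence("user-42", "newsletter"),
        "audit": ledger.audit,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The point of `may_process` taking a timestamp is that a withdrawal does not retroactively make earlier processing unlawful; it closes the window. Keeping the notice wording (and its hash) with each record is what lets the controller show, months later, exactly what the person was told and that the withdrawal route was stated at the time.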
We don’t penalise individuals who wish to withdraw consent.
The Information Commissioner’s draft guidance discusses GDPR consent as an ongoing and actively managed choice rather than a compliance box to check and then file away. Under this interpretation of the law, it makes sense that consent originally given freely is no longer valid if the individual will be penalised for withdrawing it. It could also be said that it is not as easy to withdraw as it is to subscribe if an individual is given a choice to consent but additional penalties are imposed on an individual who decides to exercise their right to withdraw that consent.
Contact Clarip for CCPA and GDPR Software
The Clarip privacy management software is ready to help improve your organization’s privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo with a member of the Clarip team.
If your immediate need is California Consumer Privacy Act compliance, take a look at our CCPA software. From consent management to powerful DSAR Software, Clarip offers enterprise privacy management at an affordable price.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.