Wherever your business is based, there's a good chance you fall under the scope of the EU's GDPR. If so, any consent you get must be clear consent in order to be compliant. To make sure this consent is valid you'll usually need to produce several notices so that users can make informed decisions regarding granting their consent.
Here's what you need to know.
The General Data Protection Regulation (GDPR) took legal effect in 2018. It's a European Union regulation and thus has direct legal force in all European Union countries. There's no need for the countries to explicitly incorporate it into domestic law.
The GDPR enforces a series of rights for individuals about the processing of their personal data. "Processing" covers collection, use, sale and disclosure of data.
Although a European Union measure, the GDPR affects businesses around the world. That's because it covers three elements (the business, the individual and the data processing itself) but applies even if only one of these elements is in a European Union country.
For example, the GDPR would apply in all of these cases:
- An American company processes data about a French customer
- A German company processes data about a Canadian customer
- An Australian company uses a processing centre in Ireland to handle data about a Brazilian customer
Arguably the biggest change the GDPR brought in compared with previous data laws was a requirement to get advance consent before processing data in certain circumstances. It also requires a series of notifications.
The GDPR's requirements mean that you must produce a series of notifications to customers in different situations. Broadly, these notifications must make certain that individuals are aware of the following:
- What data you collect about them
- How and why you use this data
- The right to give or refuse consent to this data processing (and the consequences of doing so)
- How they can access, challenge and correct data you've already collected
To comply with the GDPR you'll need some or all of the following notices to cover your activity.
- Your contact details
- Details of your data protection officer if you have one
- Why you are processing personal data, including which of the six legal bases allowed under the GDPR is applicable
- Whether you'll pass on the personal data to anyone else
- Whether you plan to transfer the data outside of the European Union (and if so, what safeguards will apply)
- How long you'll keep the data (or how you'll decide how long)
- The fact that the user has the right to access the data, correct it, ask for it to be deleted, or get a copy in a form they can take elsewhere
- The fact the user has the right to withdraw consent later on, but that this won't affect the legality of processing that happened before the withdrawal
- The fact the user has the right to complain to the relevant regulatory body in their country
- Whether providing the data is a legal or contractual requirement and what will happen if the data isn't provided
- Whether you use automated decision-making using the data
This example from PERI is compliant with the rules on declaring the legal basis for processing data. However, it could be more user-friendly by explaining what the cited bases are, rather than just referring to the paragraphs in GDPR:
This example from ATPI covers how data is passed on and the relevant safeguards in place:
This example from The Brexit Party Ltd covers the right of the user to complain to a regulatory body, as well as gives the necessary contact details:
This example from Docusign puts the necessary signposting right before the point at which the user clicks the button to submit their data:
Cookie Consent Notices
Even before the GDPR, cookies were covered by a European Union rule known as the ePrivacy Directive. Although it's well worth covering cookies in your GDPR-compliant Privacy Notice, you do need a specific Cookie Consent notice that appears before you issue any cookies.
The key points to cover in this notice are:
- The fact that you use the cookies
- What the cookies do and why you use them
- The fact that you must get user consent
You must get active consent before issuing cookies. As detailed later in this article, this must involve an active, intentional action by the user to confirm consent. You can't use an opt-out system or assume that the user gives consent because they haven't actively objected.
You don't need to get permission or give notice about any cookies that are necessary to carry out the core purpose for which the user has visited the website. The most common example of this is cookies needed to keep goods in a virtual shopping basket.
Here's an example of a cookie consent notice from the EU Parliament that provides clear options to accept, refuse or learn more about cookies:
Consent to Email Marketing Notices
You should normally use a dedicated notice when collecting an email address for marketing purposes. Remember that this covers two separate activities under the GDPR's broad "processing" definition:
- Collecting the email address
- Using the email address to send marketing materials
This means you must take account of the following when writing the email marketing notice:
- You must make the user aware they are consenting to you using the address to send the marketing material.
- You must tell the user how they can withdraw consent later on. You should remind them of this at the bottom of any marketing email you send, as well, and provide an unsubscribe mechanism.
The Money Saving Expert site covers these points very concisely within a wider guide to its weekly newsletter:
Not only does the GDPR require prior consent for data processing, but it has a clear and specific definition of consent, namely:
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
This definition, along with subsequent court rulings, means some previously common forms of "confirming consent" are no longer valid.
Let's look at the different methods of obtaining consent, which ones you should avoid and which ones are most favorable/recommended.
Some websites use a passive method of getting users' consent to Privacy Policies, cookie placement and more, known as browsewrap: the user is treated as having consented simply by continuing to use the site. This often dates back to before the GDPR took effect, particularly in countries with looser rules on data privacy.
The best method for ensuring meaningful consent to a GDPR notice is an active checkbox or similar measure.
The most common method is a notice on screen that displays a statement that the person consents, with an empty checkbox marked "I agree" or "I accept." The user then ticks the checkbox or switches the toggle, then normally clicks a button confirming their choice. This method is known as clickwrap.
It may seem redundant to have this extra step, meaning the user has to take two actions, but it's the best way to get the necessary certainty about the person's consent. The key is that the user:
- Makes a meaningful decision (whether or not to give consent), then
- Confirms that decision
As you would expect given it regulates privacy issues, this example from the Information Commissioner's Office is compliant in both form and function. It distinguishes between necessary cookies (which can be enabled by default) and other cookies (which can't be issued without consent). It uses a toggle but sets it to "off" by default so a user can make their own choices:
Some forms instead have a checkbox or a toggle that is set to "yes" by default, meaning the user has to actively untick or switch off the indicator to show they do not consent before clicking a button to proceed or dismiss the message.
In 2019 the Court of Justice of the European Union ruled that pre-ticked checkboxes and similar measures are invalid forms of consent because they are implied or assumed. As with browsewrap, this type of clickwrap approach doesn't give conclusive evidence of the user intentionally consenting.
This example from National Geographic Expeditions is compliant as it has a mandatory checkbox that is unchecked by default:
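The cookie-gating and consent-validity rules above (necessary cookies exempt, everything else only after an unticked control is affirmatively ticked and then confirmed) as an added example in plain JavaScript, not code from the original article or any site it cites; the record fields, category names and cookie inventory are constructed assumptions:

```javascript
// Added example (not from the original article): pure consent-gating logic that
// encodes the article's rules. Field names, categories and cookies are assumptions.
const NECESSARY = "necessary";

// Constructed cookie inventory: only "necessary" cookies (e.g. the shopping basket)
// may be set without consent; every other category needs valid consent first.
const COOKIES = [
  { name: "basket_id", category: NECESSARY },
  { name: "_ga", category: "analytics" },
  { name: "ad_id", category: "advertising" },
];

// A consent record is only evidence of valid consent if the control started
// unchecked (no pre-ticked boxes or toggles set to "on"), the user affirmatively
// ticked it, and then confirmed that choice with a separate action (clickwrap).
// Returns a list of problems; an empty list means the record is acceptable.
function consentProblems(record) {
  if (!record) return ["no consent record"];
  const problems = [];
  if (record.defaultChecked !== false) problems.push("control was pre-ticked");
  if (record.userTicked !== true) problems.push("no affirmative action by user");
  if (record.confirmed !== true) problems.push("choice was not confirmed");
  return problems;
}

// Names of cookies that may be issued to this visitor. Necessary cookies are
// always allowed; others only when the record is valid and covers their category.
function allowedCookies(record, inventory = COOKIES) {
  const valid = consentProblems(record).length === 0;
  const granted = new Set(valid ? record.categories : []);
  return inventory
    .filter((c) => c.category === NECESSARY || granted.has(c.category))
    .map((c) => c.name);
}

// Constructed records. A pre-ticked "accept all" box is no consent at all, so only
// the necessary cookie is allowed even though it lists every category.
const preTicked = { defaultChecked: true, userTicked: false, confirmed: true,
  categories: ["analytics", "advertising"] };
// Compliant: control started off, user ticked analytics only, then clicked "Save".
const compliant = { defaultChecked: false, userTicked: true, confirmed: true,
  categories: ["analytics"] };
```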
Let's recap the key points about GDPR-compliant notices.
- The GDPR covers your business if either you or a customer/site user is in a European Union country, or if you process data in an EU country.
- Any consent you rely on must be meaningful consent.
- You must always display, or clearly link to, the relevant privacy notice at the point when you are about to collect data.
- Consent must be clear, active and unambiguous. You can't infer consent just because somebody continues to use your sites or services after seeing your privacy notice.
- Don't use pre-ticked checkboxes or toggles set to "on" by default as a way to confirm consent. A court ruling means these are no longer valid as they don't offer enough proof of the user's intentions.