Defining a Winning GDPR Strategy Part 4: GDPR Compliant Consent Design
- Sagara Gunathunga
- Head of IAM DevRel - WSO2
About this series
This 4 part series aims to provide comprehensive insights on GDPR and practical guidelines for business organizations to plan, define, and execute a successful GDPR compliance strategy.
Read Part 1 - Introduction to GDPR
Read Part 2 - 7 Steps for GDPR Compliance
Read Part 3 - Identity and Access Management to the Rescue
Definition of Consent
The everyday definition of consent is permission for something to happen or agreement to do something. The definition used by GDPR is much more precise and broader. Below is the GDPR definition of consent:
“Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
In order to understand the above definition, let’s analyze each term separately for its purpose and exact meaning in simple English.
- Freely given - This helps us decide whether consent can be used to legitimize data processing at all. To rely on consent, the processing organization must be in a position to offer individuals a genuine choice over when and how their data is processed. For example, in most cases an individual cannot freely give consent to a public authority, and an employer cannot always offer employees a free choice. Consent should not be used in such cases. Instead, organizations can rely on one of the five remaining lawful bases for processing that are discussed in Part 1 of this series.
- Specific - Consent needs to be specific about the intended purpose, the underlying processing approach, what kind of data is processed, and how long the data will be kept by the business. Generic consent cannot be obtained from individuals. For example, when a conference registration form collects an email address or a personal phone number, it should state the intended purpose for which those details are collected. The intended purpose in this instance is to communicate registration confirmation, conference entry ticket details, the agenda, and the location.
- Informed - An individual should be informed that he/she is consenting to the processing of his/her personal data. Additionally, individuals should be aware of their rights, such as the right to withdraw consent at any time. Furthermore, organizations should ensure that the language, images, graphics, etc. used when requesting consent are well understood by the individuals. It is not legitimate to acquire consent by misleading individuals or through hidden information.
- Unambiguous - The requester is expected to be unambiguous when obtaining consent from the target audience. Simple language, with appropriate graphics and images, has to be used to distinguish the consent request from other content. Basically, in order to obtain legitimate consent, the individual must know that he or she is giving consent to the processing of personal data.
Implicit Consent vs Explicit Consent
In GDPR, consent can be implicit or explicit. There are specific cases where each of these consent types can be used. First, let’s try to understand the exact differences between these two concepts using some common examples.
Example 1 - When ordering dinner over the phone, you are expected to give some personal information so that the restaurant can verify your identity, charge you for the order, and deliver it to your doorstep.
Example 2 - When visiting a phone service center to repair your mobile phone, you provide your email address and/or phone number to them, so that they can contact you once the phone is repaired or if they need further instructions from you.
In both of these examples, you are not explicitly signing or marking a document stating “I agree to the processing of my personal data by this person/organization for the purposes of A, B, C.” However, both the restaurant and the phone service center have your consent for personal data processing, and the purpose is not ambiguous to you. This is known as “implied consent”, or more accurately “unambiguous and implied consent.”
“Explicit consent” requires individuals to provide their consent literally and explicitly. This happens in the form of ticking a box, signing or writing a statement such as “I consent to use my email address by organization X to send me updates and offers related to product Y”.
When processing sensitive personal data (or sensitive PII) as defined in Article 9 of the GDPR text, explicit consent from individuals is a requirement. Such sensitive personal data includes details of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life. GDPR prohibits the processing of data belonging to this category without explicit consent from individuals.
Figure 1
Design Principles for Consent Design
This section focuses on some important design principles that need to be followed during consent design.
- Active opt-in - Consent requires a positive opt-in; avoid pre-ticked boxes or any other method of consent by default. Whenever a binary choice is given, both options should have the same prominence.
Figure 2
- Informed - Consent should be clear, concise, and specific about the content. Consent should not use ambiguous or generic statements.
Figure 3
- Unbundled - Consent should be presented separately in a distinguishable manner from other content such as general terms and conditions, privacy notices etc.
- Named - Consent should provide clear information about the processing organization and information about any 3rd party involved in data processing.
- Easy to withdraw - The consent request should explicitly mention the consumer's right to withdraw consent at any time, with a clear withdrawal procedure. This also assumes that the processing organization has established facilities for withdrawing consent.
- Granular - Organizations should provide granular consent so that consumers can consent for different types of processing separately.
Figure 4
- Continuous review - Organizations should establish a process to continuously review consent with business/system changes to ensure they comply with GDPR.
- Documented - The processing organization should keep evidence of consent given, such as who the individual is, when and how the consent was obtained, and what the individual was told at the point of giving consent.
- No imbalance in relationships - When there is an imbalance between an individual and the processing organization (cases such as public authorities and employers), it is not possible to provide consent freely. In such cases, some other legitimate means should be used instead of consent.
- Time limits - There are no explicit rules about how long you can keep personal data collected with consent, but it is recommended to state how long you will store and process it.
Policy on Existing Consent and Data
To prepare for GDPR compliance, it is not compulsory to discard all your existing consent and obtain fresh consent from users. It is, however, absolutely necessary to review the current consent management process to check whether it complies with GDPR. On that basis, an organization can decide whether existing consent is valid and data processing can continue. If your consent management process already complies with current DPA recommendations, you can prepare for GDPR compliance with little extra effort.
If there is any doubt about whether existing consent complies with GDPR, it is always a good idea to discard the data and obtain fresh consent in a GDPR-compliant manner.
Record Tracking for Consent
In order to demonstrate that a processing organization has consent from an individual, the organization should maintain the following records, and be able to present them to supervisory and legal bodies whenever requested:
- Who consented - Name of the individual, or other identifier.
- When they consented - A copy of a dated document, or online records that include a timestamp.
- What they were told at the time - A master copy of the document or data capture form containing the consent statement used at that time, along with any separate privacy policy, including version numbers and dates matching the date consent was given. If consent was given orally, your records should include a copy of the script used at that time.
- How they consented - For written consent, a copy of the relevant document or data capture form. If consent was given online, your records should include the data submitted as well as a timestamp to link it to the relevant version of the data capture form. If consent was given orally, you should keep a note of this made at the time of the conversation; it does not need to be a full record of the conversation.
- Consent withdrawal - If consent is withdrawn, how and when it was withdrawn.
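The record-keeping list above, together with the earlier design principles (active opt-in, granular purposes, named controller and third parties, easy withdrawal, documented evidence), maps directly onto a small data model. The following consent ledger is an added example written for this article; it is not WSO2 code or any product's API. The class names, the use of a SHA-256 fingerprint of the form to tie each record to the exact wording shown, and the sample conference-registration form are all assumptions constructed for the illustration.

```python
"""Consent ledger sketch (added example, assumed design): stores who consented,
when, what they were told, how, and any withdrawal, with granular purposes
that are never granted by default."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple
import hashlib


@dataclass(frozen=True)
class ConsentForm:
    """Exactly what the individual was shown, versioned so a record can point at it."""
    version: str
    controller: str                 # the named processing organization
    third_parties: Tuple[str, ...]  # any named third parties involved in processing
    purposes: Tuple[str, ...]       # granular purposes, each opted into separately
    statement: str                  # the consent wording used
    retention: str                  # stated storage period

    def fingerprint(self) -> str:
        """SHA-256 over the form content (hypothetical scheme) so the exact wording
        shown at the time can be proven later, even after the form changes."""
        canonical = "\n".join((self.version, self.controller, *self.third_parties,
                               *self.purposes, self.statement, self.retention))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    subject_id: str                 # who consented
    form_version: str               # what they were told: the form version ...
    form_fingerprint: str           # ... and a hash of that exact form
    granted: FrozenSet[str]         # which purposes were actively opted into
    method: str                     # how: "online", "written" or "oral"
    given_at: datetime              # when (timestamp)
    submitted: Dict[str, str]       # data submitted alongside an online form
    withdrawn_at: Optional[datetime] = None
    withdrawn_via: Optional[str] = None


class ConsentLedger:
    def __init__(self, forms: List[ConsentForm]) -> None:
        self.forms = {f.version: f for f in forms}
        self.records: List[ConsentRecord] = []

    def record_consent(self, subject_id: str, form_version: str, choices: Dict[str, bool],
                       method: str, submitted: Optional[Dict[str, str]] = None,
                       now: Optional[datetime] = None) -> ConsentRecord:
        form = self.forms[form_version]
        unknown = set(choices) - set(form.purposes)
        if unknown:
            raise ValueError(f"choices for purposes not on form {form_version}: {sorted(unknown)}")
        # No pre-ticked boxes: a purpose is granted only if the individual actively chose True.
        granted = frozenset(p for p in form.purposes if choices.get(p) is True)
        rec = ConsentRecord(subject_id, form_version, form.fingerprint(), granted, method,
                            now or datetime.now(timezone.utc), dict(submitted or {}))
        self.records.append(rec)
        return rec

    def withdraw(self, subject_id: str, via: str, now: Optional[datetime] = None) -> int:
        """Withdraw every active consent of the subject; returns how many were withdrawn."""
        when = now or datetime.now(timezone.utc)
        count = 0
        for rec in self.records:
            if rec.subject_id == subject_id and rec.withdrawn_at is None:
                rec.withdrawn_at, rec.withdrawn_via = when, via
                count += 1
        return count

    def has_consent(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """True if a record covering the purpose was in force at time `at`."""
        at = at or datetime.now(timezone.utc)
        return any(rec.subject_id == subject_id and purpose in rec.granted
                   and rec.given_at <= at
                   and (rec.withdrawn_at is None or rec.withdrawn_at > at)
                   for rec in self.records)

    def evidence(self, subject_id: str) -> List[dict]:
        """The records to present to a supervisory authority on request."""
        out = []
        for rec in self.records:
            if rec.subject_id != subject_id:
                continue
            form = self.forms[rec.form_version]
            out.append({
                "who": rec.subject_id,
                "when": rec.given_at.isoformat(),
                "what_they_were_told": {"version": form.version, "sha256": rec.form_fingerprint,
                                        "statement": form.statement, "controller": form.controller,
                                        "third_parties": list(form.third_parties),
                                        "retention": form.retention},
                "how": {"method": rec.method, "submitted": rec.submitted},
                "granted_purposes": sorted(rec.granted),
                "withdrawal": None if rec.withdrawn_at is None
                else {"when": rec.withdrawn_at.isoformat(), "via": rec.withdrawn_via},
            })
        return out


# Constructed sample: a conference-registration form with two separately consented purposes.
REGISTRATION_FORM_V1 = ConsentForm(
    version="reg-2018-05", controller="Example Conference Ltd (placeholder)",
    third_parties=("Example Ticketing Co (placeholder)",),
    purposes=("registration_updates", "event_marketing"),
    statement="I consent to Example Conference Ltd using my email address for the purposes I tick below.",
    retention="until 30 days after the event")


def demo() -> ConsentLedger:
    ledger = ConsentLedger([REGISTRATION_FORM_V1])
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    # The marketing box was left unticked, so only registration updates are granted.
    ledger.record_consent("subject-001", "reg-2018-05",
                          {"registration_updates": True, "event_marketing": False},
                          "online", {"email": "alice@example.org"}, now=t0)
    return ledger
```

Two design choices matter here. A purpose is granted only when the submitted choice is literally `True`, so a missing or defaulted value can never count as consent (the "no pre-ticked boxes" principle). And `has_consent` is evaluated at a point in time, so a withdrawal stops future processing while the historical record of what was consented to, and when, remains available as evidence.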
Children’s Consent
The GDPR mandate has special provisions to protect children, and data processing organizations have to pay special attention when obtaining consent from children. If data processing targets children and depends on their consent, the processing organization should have a legal basis for processing personal data belonging to children. The organization needs to consider the following two requirements:
- Implement an age-verification mechanism - Processing organizations must make the best effort to verify the age of the children.
- Verify parental responsibility - Processing organizations must make the best effort to get approval or consent from the party which holds the parental responsibility for a child.
Additionally, the organization should ensure the consent can be well understood by children by using simplified language, suitable graphics, and animations.
Checklist for Consent
The consent checklist published by the UK Information Commissioner’s Office (ICO) can be used to check whether your consent procedure is in compliance with GDPR or not:
Asking for consent
- We have checked that consent is the most appropriate lawful basis for processing
- We have made the request for consent prominent and separate from our terms and conditions
- We ask people to positively opt-in
- We don’t use pre-ticked boxes or any other type of consent by default
- We use clear, plain language that is easy to understand
- We specify why we want the data and what we’re going to do with it
- We give granular options to consent to independent processing operations
- We have named our organization and any third parties
- We tell individuals they can withdraw their consent
- We ensure that the individual can refuse to consent without detriment
- We don’t make consent a precondition of a service
- If we offer online services directly to children, we only seek consent if we have age-verification and parental-consent measures in place
Recording consent
- We keep a record of when and how we got consent from the individual
- We keep a record of exactly what they were told at the time
Managing consent
- We regularly review consent to check that the relationship, processing, and purposes have not changed
- We have processes in place to refresh consent at appropriate intervals, including any parental consent
- We consider using privacy dashboards or other preference management tools as a matter of good practice
- We make it easy for individuals to withdraw their consent at any time, and publicize how to do so
- We act on withdrawals of consent as soon as we can
- We don’t penalize individuals who wish to withdraw consent