GDPR consent must be actively given by the data subject
GDPR consent, including how individuals actively give consent and what it covers.
Companies must ask people’s permission to process their data. Under GDPR this is called ‘consent’.
Consent can be withdrawn by the user at any point. The company must make it simple and accessible to withdraw consent.
GDPR Article 4 defines consent as:
“any freely given, specific, informed and unambiguous indication of a data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
In other words, the user must specifically take action to give consent. And the information about what they are consenting to must be offered clearly and in easily understandable terms. The information relating to consent must be written in a way that the average person can understand exactly what they are consenting to.
Use of the data cannot go beyond what is specified in this consent agreement.
Users must also take a specific action to signal their consent. This could be ticking a website box or choosing an app setting. Consent given by silence or by omission is not valid under GDPR.
What consent means for a business is not always immediately obvious. It is one of the more ambiguous and therefore contentious elements of GDPR. Before we go into more specifics here, it’s important to understand GDPR Article 6, which is about lawfulness of processing.
GDPR Article 6 concerns the lawfulness or otherwise of collecting and processing user data. To be lawful under GDPR, data collection must rest on one of six legal bases. Businesses must determine whether any data collection or analysis they do falls under the appropriate legal grounds, which are:
If the data collection does not come under one of these categories, it is not lawful under GDPR and can lead to large financial penalties.
This is laid out in Article 4, as described above. But what exactly does it mean for the user?
Personal/user data must be:
Consent requirements under GDPR
This is what companies need to do to meet the GDPR stipulations over consent:
GDPR Article 9 says that data controllers who are processing user data from special categories of personal data must first acquire explicit consent. But what is explicit consent?
Explicit consent must be acquired in the form of a written statement. The company must clearly write out exactly what the data will be used for.
Companies should use consent as the lawful basis for data processing if none of the other legal bases apply, if they are processing special categories of data (sensitive data), if they want to give users a genuine choice, if they want to build user engagement, or if they send marketing material such as newsletters and third-party offers.
Consent information must be easily identifiable by the user. It should be presented separately from any terms and conditions.
The consent request must be made before any user data is collected or processed.
Consent must be asked for at every separate data collection point. For example, if the user has already given their email for a downloadable ebook, they haven’t consented to other marketing materials.
They must be given a separate opportunity to sign up for other offers.
Information that must be included in the consent request includes:
The user must also be given clear information about withdrawal of consent.