One of the after-effects of the GDPR is the flurry of opt-in emails, forms, cookie pop-ups and banners seen everywhere on the internet. The GDPR's rules on consent laid the groundwork for these changes: where a business relies on consent, it has to obtain that consent before it collects and processes consumers' personal data.
What is GDPR consent?
GDPR requires businesses to establish a lawful basis for processing consumers' personal data. Under GDPR, processing includes any operation performed on personal data, such as collection, recording, storage, adaptation or alteration, restriction, erasure, etc. Broadly, it covers any use of personal data, not just the data of your customers.
Consent is one of the lawful bases for data processing. GDPR consent should involve a clear affirmative act establishing that the consent is freely given, specific, informed and unambiguous. Consent requests should also be available in clear, plain language and be “clearly distinguishable from the other matters”.
What does this mean for your business? Any marketing or sales communication such as emails, newsletters, push notifications, SMS, marketing calls, etc. requires the user's opt-in consent. Service messages such as order confirmations and order tracking updates are the exception: they do not depend on consent, because the lawful basis for sending them is typically the performance of a contract.
Freely given consent
Individuals must have a clear and genuine choice over how businesses use their data. Consent will not be free if users are unable to withdraw or refuse consent or face discrimination in the product or services as a result of their choices.
In scenarios where collecting and processing consumers' personal data is necessary to run your business or to enter into a contract with them, you should consider using another valid basis for processing. Similarly, it is difficult to establish valid, freely given consent when users are consenting to public authorities, employers or other organizations in a position of power over them.
Specific consent
Consent must be specific, i.e. granular and tied to a distinct processing activity. When a user gives consent, the purpose for which the data will be processed must be clearly stated. The purpose must be limited and specific, and cannot be widened or changed after consent has been obtained. If the purpose of the processing activity for which consent was given changes, businesses have to ask for consent again.
Informed consent
The user must be informed clearly and transparently before giving their consent. This covers information about the data processing itself and about the rights consumers have under GDPR, including the right to withdraw consent.
Recital 42 of GDPR points out that “for consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended”.
The WP29 guidelines on consent state the following as minimum requirements for GDPR consent.
- Identity of the controller
- Purpose of each processing operation for which consent is sought
- What data, or what types of data, will be collected and used on the basis of the consent
- The existence of the right to withdraw consent
- Information about the use of the data for automated decision-making, including profiling, where relevant
- The possible risks of data transfers to third countries where there is no adequacy decision and no appropriate safeguards
Unambiguous consent
GDPR consent has to be unambiguous and given by a statement or by a clear affirmative action. This means consent is not valid if it relies on pre-ticked boxes, silence or inactivity. Only a deliberate, active choice by the user, such as ticking an empty opt-in box, counts as a clear affirmative action; pre-ticked boxes and toggles that default to 'on' do not.
The WP29 guidelines note that consent should be distinguishable from other actions and consent mechanisms should avoid ambiguity. Actions such as merely continuing the use of a website or scrolling cannot be inferred as an active choice by the user.
Right to withdraw consent
Article 7(3) of the GDPR gives individuals the right to withdraw consent at any time, and it must be as easy to withdraw consent as it was to give it. This means users can withdraw previously given consent whenever they want by opting out, and businesses must honour that decision and stop the processing that relied on it.
Proof of consent
GDPR also requires businesses to be able to demonstrate that a user has consented (Article 7(1)). You need to keep documentary evidence of consent showing that users made an informed, active choice, so that the consent obtained can be shown to be valid.
It means that you must be able to provide proof of:
- When and how you got consent, including what the user was shown at the time
- Who gave consent
- What specifically they consented to, and whether and when they later withdrew it
Explicit consent
In some situations the GDPR requires a higher standard, explicit consent. Explicit consent is required where there is a serious risk to data protection and a higher level of control over the processing of personal data is needed.
The need for explicit consent is referred to separately within the GDPR, namely in scenarios involving processing of sensitive categories of data, or for transfers of data to third countries or for automated decision making.
Processing sensitive personal data
Processing special categories of personal data, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data used to uniquely identify a person, health data and data concerning a person's sex life or sexual orientation, is prohibited by default under Article 9 of the GDPR.
One of the exceptions is that the individual has given explicit consent to the processing of that data for one or more specified purposes. Note that Union or Member State law may provide that this prohibition cannot be lifted by consent at all, in which case explicit consent is not an option.
Transferring data to third countries
Under GDPR, a transfer of personal data to a country outside the EU/EEA, i.e. a third country, or to an international organization is permitted without specific authorization if the European Commission has decided that the country or organization ensures an adequate level of protection (an adequacy decision).
Where there is no adequacy decision, transfers normally rely on appropriate safeguards such as standard contractual clauses or binding corporate rules, which the GDPR provides for separately.
If neither an adequacy decision nor appropriate safeguards are in place, a transfer is still possible as a derogation if the data subject gives explicit consent to the proposed transfer. In such cases, businesses have to inform the user of the possible risks of the transfer that result from the absence of an adequacy decision and of appropriate safeguards.
Automated decision-making
GDPR gives individuals the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects concerning them or similarly significantly affects them. The three conditions under which such automated decision-making is allowed are: it is necessary for entering into or performing a contract between the user and the business; it is authorized by EU or Member State law; or it is based on the user's explicit consent.
According to Article 22, where the decision is based on a contract or on explicit consent, the business has to implement "suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision."
Consent fatigue and dark patterns
While privacy notifications and opt-in forms have become commonplace, consumers have reported what is referred to as consent fatigue. A Cisco survey noted that while 52% of respondents said that they felt more in control of their personal data post GDPR, 47% reported having received too many privacy and GDPR related notices.
On one hand, users can be overburdened with too many pop-ups and banners every time they access a website, read a blog, or purchase goods or services. On the other hand, some businesses completely ignore or take a careless approach to GDPR consent requirements. Studies have found dark patterns in cookie consent mechanisms that steer users towards privacy-unfriendly choices. Research on the top 10,000 websites in the UK found that only 11.8% meet the minimal requirements of European privacy laws.
Privacy laws have been driven by rising consumer expectations. Businesses, especially the ones with an online presence, therefore should strike a balance between GDPR consent needs, consumer expectations and regulatory compliance without compromising on their brand experience.
Here’s a list of GDPR Compliance Checkers that help you determine your website’s GDPR compliance.
How to obtain GDPR consent?
Active opt-in forms
In June 2021, the UK's regulator, the ICO, fined Papa John's £10,000 for sending marketing texts and emails without active consent from users, under the UK's electronic marketing rules (PECR). If you want to steer away from fines, you should adopt a GDPR-friendly consent mechanism.
If you collect information for marketing emails and newsletters, you should seek active consent from users. The forms should include an opt-in method such as an unticked tick-box. Avoid pre-ticked boxes or any other method of default consent. Users must be told why you collect the data and must agree to be contacted by you. Contact forms could even have a tooltip for each data field as a second layer of information, so there is no scope for ambiguity.
Double opt-in emails
A good practice for your marketing mailing list is to enable double opt-in. The user first signs up via a subscription form and then receives a confirmation mail containing a link that the user has to click to finalize their subscription.
For GDPR consent, it's vital that your business can prove that a user has given their consent. A double opt-in ensures that the consent is active, not passive, i.e. no pre-ticked boxes or implied consent. It also confirms that the address belongs to the person who signed up, so nobody can be subscribed by a third party typing in their address. It leaves little room for dispute, because users have both entered their details in a sign-up form and clicked a link sent to their inbox. While double opt-in is not required under GDPR, it is a robust way to demonstrate that users have given unambiguous consent.
Read more about opt-in and opt-out and how to implement them.
Opt-out/unsubscribe from emails
GDPR also requires that users be able to withdraw their consent easily. This means your marketing emails should have an opt-out mechanism, which could be as simple as an unsubscribe link. While most email service providers add a default unsubscribe link, it's good practice to add a custom unsubscribe or opt-out message in your email footers.
Ensure that opt-out of emails is simple and clear and does not involve multiple steps or other barriers that may jeopardize your GDPR compliance.
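As an added example that is not CookieYes code and not part of the original article, the following Python sketch ties together the three mechanisms above: the records a business needs in order to demonstrate consent (when, how, who, what, and any withdrawal), the double opt-in confirmation step, and one-step withdrawal. The purpose names, the 48-hour lifetime of the confirmation link, the in-memory storage and the HMAC-signed token format are all assumptions; a real deployment would persist the records append-only and send the token inside a confirmation mail.

```python
"""Consent ledger sketch: double opt-in tokens plus proof-of-consent records.

Added example, not CookieYes code. Purposes, token lifetime, storage and the
token format are assumptions; a real system would persist records and mail
the confirmation link to the user.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Assumed granular purposes. Consent is recorded per purpose, never as a blanket.
KNOWN_PURPOSES = frozenset({"newsletter", "product_updates", "sms_marketing"})
TOKEN_TTL_SECONDS = 48 * 3600  # assumed lifetime of the emailed confirmation link


@dataclass
class ConsentRecord:
    record_id: str
    email: str
    purposes: FrozenSet[str]
    source: str            # how consent was collected, e.g. "signup_form_v3"
    notice_version: str    # which privacy wording the user was shown
    requested_at: float    # form submitted with the box actively ticked
    confirmed_at: Optional[float] = None             # confirmation link clicked
    withdrawn: Dict[str, float] = field(default_factory=dict)  # purpose -> when


class ConsentLedger:
    def __init__(self, secret_key: bytes, clock=time.time):
        self._key = secret_key
        self._clock = clock   # injectable so expiry can be exercised offline
        self._records: Dict[str, ConsentRecord] = {}

    def _sig(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def request(self, email: str, purposes: Iterable[str],
                source: str, notice_version: str) -> Tuple[str, str]:
        """Step 1 of double opt-in: store a *pending* record and return the
        token to embed in the confirmation link. Pending is not consent."""
        wanted = frozenset(purposes)
        if not wanted or not wanted <= KNOWN_PURPOSES:
            raise ValueError("consent must name one or more known purposes")
        record_id = secrets.token_urlsafe(16)   # never contains '.', safe in the token
        self._records[record_id] = ConsentRecord(
            record_id, email.strip().lower(), wanted, source, notice_version,
            requested_at=self._clock())
        payload = f"{record_id}.{int(self._clock()) + TOKEN_TTL_SECONDS}"
        return record_id, f"{payload}.{self._sig(payload)}"

    def confirm(self, token: str) -> bool:
        """Step 2: the link is clicked. Only a correctly signed, unexpired
        token for a known record turns the pending request into consent."""
        parts = token.split(".")
        if len(parts) != 3 or not parts[1].isdigit():
            return False
        record_id, expires, sig = parts
        # Constant-time signature check before touching any state.
        expected = self._sig(f"{record_id}.{expires}")
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False
        if int(expires) < self._clock():
            return False
        record = self._records.get(record_id)
        if record is None:
            return False
        if record.confirmed_at is None:          # idempotent on repeat clicks
            record.confirmed_at = self._clock()
        return True

    def withdraw(self, email: str, purpose: str) -> bool:
        """One step, no barriers. The record is annotated, not deleted, so the
        history (consent given, then withdrawn) can still be shown later."""
        hit = False
        for rec in self._records.values():
            if rec.email == email.strip().lower() and purpose in rec.purposes:
                rec.withdrawn.setdefault(purpose, self._clock())
                hit = True
        return hit

    def has_consent(self, email: str, purpose: str) -> bool:
        """True only for a confirmed, not-withdrawn consent for this purpose."""
        return any(rec.email == email.strip().lower()
                   and purpose in rec.purposes
                   and rec.confirmed_at is not None
                   and purpose not in rec.withdrawn
                   for rec in self._records.values())

    def evidence(self, email: str) -> List[dict]:
        """What you can show on request: when, how, who, what, and withdrawals."""
        return [{"record_id": rec.record_id, "email": rec.email,
                 "purposes": sorted(rec.purposes), "source": rec.source,
                 "notice_version": rec.notice_version,
                 "requested_at": rec.requested_at, "confirmed_at": rec.confirmed_at,
                 "withdrawn": dict(rec.withdrawn)}
                for rec in self._records.values()
                if rec.email == email.strip().lower()]
```

Two design points carry the security weight. The signature is verified in constant time before the record is looked up, so a guessed or tampered token (for example one with its expiry extended) is rejected without revealing whether the record ID exists, and a pending request never counts as consent until the link is clicked. Withdrawal annotates the record instead of deleting it, because after an opt-out you still need to show that consent once existed and exactly when it ended.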
Cookie consent banner
Read this detailed checklist on the best practices for a GDPR compliant cookie consent banner.
CookieYes for GDPR cookie consent
The CookieYes banner can be fully customized for content, colour, layout, behaviour and can be geo-targeted and auto-translated in over 30 languages. It also features an auto-updated cookie table and revisit consent widget.
You can also comply with multiple data privacy laws like the GDPR, CCPA, LGPD, and CNIL at the same time. With CookieYes, you can
- Add a fully customizable cookie consent banner
- Block third-party cookies automatically until you obtain user consent
- Check cookies used by your website with automatic scanning
- Record user consent for demonstrating proof of consent