Welcome to part two of our ongoing General Data Protection Regulation (GDPR) basics blog series. Part one, covering who the GDPR applies to, can be found here. Now we’re diving into what you need to know about GDPR consent. What does it mean to gain and track consent according to the GDPR?
The General Data Protection Regulation is a regulation that is meant to strengthen data protection for individuals within the European Union. The GDPR provisions are identical across EU member states, which simplifies compliance. Many businesses headquartered outside the EU will have to comply with the GDPR as it also addresses the transfer of personal data of EU citizens outside of the EU. More information can be found in our previous blog.
The ultimate goal of the GDPR is to restore control to EU citizens over the use of their personal data. This means you need to be able to prove when and where EU citizens gave you consent to use their data. This blog will help you understand what consent is, what information it applies to, what you have to do to gain consent, and what noncompliance could look like for your company.
What is consent according to the GDPR?
Consent under the GDPR is an affirmative permission given by the user to use their personal data in an appropriate capacity.
What do you have to do to gain consent?
Under the GDPR, consent has changed. Gone are the days of the sneaky “opt-out” box that confused users about the status of their consent. From May 2018, businesses will have to gain affirmative consent. What is affirmative consent? It means that the user must give consent by a “clear affirmative action.” Under the GDPR, consent must be “freely given, specific, informed and unambiguous.”
- Freely given: There cannot be a vast imbalance of power between the user and the business. Consent is not freely given if the terms of consent are unconscionable and bind the user. Services rendered cannot be based on consent unless the information that requires consent is necessary for the service. Also, consent is not freely given if the user must consent as a package deal to the use of their personal information. Users should have the right to opt-out of the use of any information that is not relevant to the service being rendered.
- Specific/informed and unambiguous: Users must know what they are consenting to, which means that consenting to the use of personal information must be “clearly distinguishable” from any other matters in a written document. Consent must also be delivered “in an intelligible and easily accessible form, using clear and plain language.” You can’t use legal or tech jargon to confuse users into consenting. The law exempts businesses from obtaining consent for later data processing operations if the operations are “compatible” in scope and nature. Businesses cannot obtain blanket consent and then use that consent as they see fit during later operations.
- Children: Children are restricted from giving consent without parental authorization. The default age of consent for this matter is 16; member states can set the age lower, but not below age 13. Recognizing that it may be difficult to be sure that parents are the ones giving consent for minors, the GDPR requires that businesses make reasonable efforts to verify parental consent.
A key component of consent is the user’s right to withdraw. Withdrawing consent should be an option that users are aware of, and the process of withdrawal should be as simple as the process of granting consent. Withdrawal of consent means that your business should completely remove the record of the data subject. If they wish to continue a consent-based service down the line, they will need to reaffirm their consent.
What information does consent apply to?
Consent applies to the personal information of the data subject. This information is outlined in the “Who” blog. Where a user’s personal data is used or processed, that user must give affirmative consent.
What does noncompliance look like for your company?
Failing to comply with the GDPR could subject your business to substantial fines. The GDPR articles state that penalties must be effective, proportionate and dissuasive. For some violations, businesses face fines of up to 10,000,000 EUR (USD 11,865,500.00) or two percent of global annual turnover, while for other violations those maximums are doubled to 20,000,000 EUR (USD 23,729,200.00) or four percent of global annual turnover. Violations concerning consent fall into the higher tier.
What can PactSafe do to help?
We have created a Privacy and Consent Gap Assessment to help your company see where you stand concerning the GDPR and consent. One of the great reprieves in the GDPR is that businesses may retain consent given prior to May 2018 if it complies with the GDPR consent standard. Let us help you see whether your consent standards are falling through the cracks.