What makes consent valid under GDPR and how to obtain it?
Consent is just one of six lawful bases to process personal data, as listed in the GDPR. It may not always be necessary, but when it is, you have to make sure it is properly obtained and stored.
When it comes to the digital marketing industry, huge amounts of data from various sources are being processed in order to create profiles and serve targeted content.
As this type of processing falls under “profiling and automated decision-making” (with potentially significant effects for the users, as previously explained here), the law says that the data controllers should rely on explicit consent (hence express affirmative actions).
What marketers should be aware of is that now, acting as data controllers, they can no longer interpret the user’s browsing activity as explicit consent. So, the all too common notice “By continuing to use this website you agree to …” is no longer sufficient. If site owners use applications that do profiling and retargeting (e.g. Facebook Pixel, Google Ads), they must provide users with the means for granting explicit consent and, of course, take their preferences into account.
What is explicit consent anyway?
Explicit consent is defined as "any freely given, specific, informed and unambiguous indication of the data subject's wishes [...]"
However, consent can only be a valid lawful basis if the user is offered control and a genuine choice about accepting or declining the terms. This means that people must be able to refuse consent without detriment and must be allowed to withdraw it just as easily, at any time, with no negative consequences.
It also means consent should be thoroughly informed and rely on express actions, whilst controllers should be able to demonstrate that each individual’s agreement was freely given (and be prepared to share a record of consent with regulators!).
How can you make sure you get valid consent?
Let’s have a look at the European Data Protection Board’s guidelines regarding consent:
Consent must be freely given. If the user has no real choice, feels constrained or will endure negative consequences if they don’t approve, then consent is NOT considered freely given.
There must be no pressure or influence upon the user and no bundling with the provision of a contract or the acceptance of other terms and conditions. This means that you should be very clear about your request and avoid putting pressure on your users or unfairly penalizing them if they refuse processing.
Furthermore, controllers must allow users to give separate consent for personal data processing purposes and operations. Not seeking separate consent for each purpose equals lack of freedom for the user. For example, instead of having a single “agree” or “accept” button for all the use-cases / purposes you are processing data for on your digital properties, you should have specific checkboxes or buttons for each of them. Keep in mind that it’s not about the cookies, but about processing purposes and companies handling the user’s data.
Consent must be specific and informed. This means that your users should always give consent for a specific processing purpose in relation to which they have complete information and a real choice.
The European Data Protection Board has selected the following six types of information that are needed to obtain valid, informed consent:
- the identity of the controller or joint controllers, (categories of) processors and recipients;
- the purpose of each processing operation;
- data and type of data that will be collected and used;
- the fact that the user has the right to withdraw consent;
- information regarding the use of data for profiling and automated decisions;
- if there is a possible risk of data transfers to other countries.
You should process users’ data ONLY for those specified purposes that they have expressed agreement to.
Now ask yourself how many of these you know, and how many you disclose to your users when asking for consent.
“The acceptance of general terms and conditions cannot be seen as a clear affirmative action to consent to the use of personal data”, the EDPB states. The same goes for pre-ticked boxes, opt-out boxes and other default consent constructions that GDPR explicitly forbids.
Two very important aspects are being emphasized by EDPB:
How we can help
Avandor Consent helps you obtain valid explicit consent and apply it.
We’ve been working very hard to implement a solution that truly complies with the GDPR provisions, as formulated by the EDPB.
- multiple purposes for online and offline data uses;
- pre-filled data sheets for 200+ of the most popular applications, so you won't have to start reading their privacy policies yourself;
- an embedded tag manager which automatically turns processing on/off depending on the user's consent;
- plus a ton of other features designed to help you inform your users and obtain their consent.
Georgiana Bedivan, Head of Compliance