In the second part of our GDPR Compliance Roadmap series, we analyze obtaining consent from data subjects. Personal data can only be collected, maintained or used under the GDPR if an individual has given their informed consent by a recordable affirmative action. The individual must be informed before giving their consent as to what the data will be used for in all cases. They data subject must also have the right to withdraw their consent for such use(s) at any time after collection. This is a fundamental rule unless there is another legitimate legal basis for the data to be held and processed (such as in connection with a transaction or entering into a contract).
1.How should informed consent be obtained?
Businesses, website operators and marketers collecting personal data must ensure that:
- Consent is explicit and informed.
- The data is only used in respect of the reason for which consent was provided.
- Consent is not provided as part of other information, such as lengthy terms and conditions. The GDPR requires that consent is obtained separately from other terms and conditions.
- The data subject has taken an action in order to provide consent. This means that the use of pre-checked checkboxes is not a legal means of obtaining consent.
Consent should be obtained for each single-use of personal data. How websites display consent and disclosure information may need to be redesigned. Consent is required for each single data use-case in connection with collecting visitor personal data prior to data collection. In situations of multiple data use cases, visitors must be able to select those uses of their data that they agree with, and decline those they do not. All preferences must be documented and stored by website operators.
EU Data subjects need to take some affirmative action in order to provide consent. This means businesses/website operators may not use pre-checked boxes. The individual must perform the act of checking the box to unequivocally indicate his or her consent. (Opt-out methods of communication will not be allowed under GDPR because they are similar to pre-checked opt-in boxes.) The manner in which the informed consent was given must be recorded and retained. Further, any business/website operator must have informed consent before directly marketing their product or service to people, by telephone, email or text if any contact information was provided online.
TIP: The best way to obtain visitor consent is to use a pop-up window and provide a full explanation of how data will be used and include an empty checkbox. Use of an online form or sending an email is also permissible. Consent should not be obtained by contacting the individual directly by phone.
RULE: Having the ability to demonstrate when and how consent was obtained, as well as who acquired it, by documenting and storing this data is mandatory under the GDPR.
2. Is informed consent always necessary?
There are six instances under Article 6 of the GDPR which authorize a business to process the personal data of an individual without obtaining prior consent before collection:
- That consent has been provided by a data subject for their personal data to be used for a specific purpose. This consent can only be applied to that purpose. If a business or organization needs to process data for a different reason, they are required to request explicit consent to do so;
- Personal data has to be processed at the request of the data subject before a contract is signed, or the data is necessary for the performance of the contract;
- Personal data processing is required in order for the data controller to comply with legal obligations;
- The processing of personal data is completed with the aim of protecting the vital interests of an individual;
- Personal data is processed in accordance with the official authority of a data controller or in relation to actions taken in the public interest;
- Personal data is processed for the legitimate interests of the data controller or a third party except when the rights and freedoms of an individual override these interests. This type of override is especially important to consider in cases where the individual is a child.
The GDPR stipulates that at least one of the above reasons must be in place before data can be processed. It is also important to note that the Article 29 Working Party guidance states that more than one purpose should not be used for a single processing activity that has been disclosed to the data subject. Once the purpose for the data collection/use has been identified, it must be disclosed to the data subject under Article 13 of the GDPR.
3. What is a legitimate interest to collect/use data?
One of the most obvious examples of legitimate interest is when a business uses personal data it already holds for the purposes of direct marketing. Personal data that was collected before the introduction of the GDPR can be used for this reason, as long as it was provided in a consensual way and the individual can reasonably expect it to be used for that purpose only.
TIP: If a business has any doubts about whether legitimate interest is a sufficient reason to process personal data, consent should be obtained from the data subject. Personal data can also be processed at the request of certain third parties for legal or financial reasons.
4. Is prior consent required before using email addresses obtained through business cards or LinkedIn?
Under the GDPR, businesses and marketers will only be permitted to send emails to individuals who have opted in to receive such messages. It is important to note that data collectors no longer are legally be able to simply add email addresses taken from business cards or from their LinkedIn connections to their email contact lists, unless they have specific consent from the individual. Any business or marketer who wants to add an email address to a contact list needs to obtain direct consent first to do so under the GDPR. The act of giving a business card or making a connection on LinkedIn does not imply consent. In addition, emailing data subjects who had not consented to electronic communications for the purpose of asking them to opt into email marketing is not permitted under the GDPR. The law treats such emails as spam which could lead to significant fines. Finally, if an email address is to be used for separate purposes than has stated, consent must be obtained separately for each reason a business/marketer desires to use the email address.
5. What is the effect of GDPR on email use and archiving?
Here are some of the things a business or organization needs to think about when sending or archiving emails. If it does not do so it could face the imposition of significant fines.
- No email contact can be made with clients without prior consent.
- Consent needs to be explicit and informed.
- Once consent is received it can only be used for that specific reason.
- Personal data including email addresses can only be held and processed for as long as is necessary for a specific purpose. This requires determining how long archived emails need to be kept.
6. How Can Visitors/Users Withdraw Consent?
Data subjects must have an easy mechanism to withdraw consent at any time. For instance, if someone has provided consent to track them across multiple website using a unique identifier for advertising purposes, they must have the ability to opt out of such tracking easily and quickly. Use of visitor privacy settings or a dashboard that can be accessed easily from a website menu or standalone link is an example. Similarly, using a simple unsubscribe link conspicuously placed in the body of the email to unsubscribe to receiving newsletters is yet another example. Once the data subject has opted out, all personal data they have provided must be discarded, unless there is another legitimate reason for storing the data.