GDPR, or the General Data Protection Regulation, is an EU law that came into effect on May 25th, 2018. With this law in force, all organizations dealing with EU citizens need to obtain consent from the user before collecting or tracking any of their data.
Consent plays a huge part in GDPR, and proper management of consent is of high importance. GDPR ensures that proper consent is asked for before data is collected from users. Users need full disclosure of how their data is being processed and what exactly they are consenting to.
GDPR gives us a better understanding of the different types of data that fall under the category of personally identifiable data. Name, address, email, etc., which can directly identify an individual, come under the category of personally identifiable data. Data like IP address, location, etc. can indirectly relate to an individual. And then comes sensitive data like medical records, genetic information, etc. Under GDPR, all of this data must be safeguarded by the organizations, or they will be held accountable for it.
Cookies, Scripts, and Forms
Ever felt tracked when browsing something online? Ads following you everywhere no matter which website you visit? These are the work of cookies and scripts that are set on the user's browser or device by the websites the user visits. The scripts track user data and store it in cookies. These cookies stay in the browser until their expiration time or until the user clears the browser cookies.
These cookies, set on the browser, store information about the user's behavior in the browser. This data is then used by third parties to create a profile of the user's preferences and serve them targeted advertisements that are more likely to be clicked by the user.
Cookies and scripts track user behavior, what links they click on and even their browsing history, to target relevant ads. Such concerns are why online privacy laws have been introduced. GDPR is a set of such laws introduced in 2018.
Other than cookies, login data, newsletters, and forms can also be used to collect user data. While subscribing to a newsletter or contacting an organization, you have to fill in your email address, name and other details in an online form. With GDPR implemented, the user needs to be informed first about why the data is collected, whether it will be shared and how long it will be stored on the website.
GDPR makes sure that websites stop all tracking and processing of user data until consent is received. Also, websites must give users a way to withdraw consent at any time and must ask for timely consent renewal.
Conditions of Consent Explained: Article 7 of GDPR
- Where the processing of user data is based on consent, the organization collecting the data must be able to demonstrate that the data subject has given their consent.
- If consent is asked for in a written format along with other matters, the request should be presented in a distinguishable and easily accessible format.
- The data subject has the right to withdraw their consent anytime. The withdrawal of consent should be as easy as giving consent. The withdrawal process must not affect the lawfulness of processing based on consent before its withdrawal.
- When assessing whether consent is freely given, it matters whether a contract with the user is made conditional on consent to collecting data that the contract does not actually need; no unnecessary data is to be collected from the user.
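The two technical obligations above, blocking tracking scripts until consent is received and being able to demonstrate (and withdraw) that consent, are easy to get wrong on the client side. The following is an added example, not code from this page or from CookieYes: a small consent manager that defaults to "nothing but strictly necessary", queues category-gated script loaders until the user opts in, keeps a consent record with the method and timestamp, and makes withdrawal a single call that also drops any still-queued loaders. The three categories, the injected key/value storage and the `method` labels are assumptions chosen for the example; in a browser the storage would typically be `localStorage` and the loaders would insert `<script>` tags.

```javascript
// Consent-gated script loading with a consent record (added example, not CookieYes code).
// Assumptions: three categories; storage is an injected get/set store so this runs in Node.
const CATEGORIES = ["necessary", "analytics", "marketing"];

function createConsentManager(storage, now = () => new Date()) {
  // Default state: only strictly necessary processing is allowed. Inactivity or a
  // pre-checked box never counts as consent, so nothing is "granted by default".
  let state = {
    version: 1,
    granted: { necessary: true, analytics: false, marketing: false },
    decidedAt: null,   // null until the user actually interacts with the banner
    withdrawnAt: null,
    method: null,      // how consent was obtained, so it can be demonstrated later
  };
  const pending = { analytics: [], marketing: [] }; // blocked loaders awaiting consent

  function load() {
    const raw = storage.get("consent");
    if (raw) state = JSON.parse(raw);
  }
  function persist() { storage.set("consent", JSON.stringify(state)); }

  function isAllowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    return state.granted[category] === true;
  }

  // Register a script loader for a category: runs now if consent already exists,
  // otherwise it is queued and only fires once the user opts in to that category.
  function gate(category, loader) {
    if (category === "necessary" || isAllowed(category)) { loader(); return "loaded"; }
    pending[category].push(loader);
    return "blocked";
  }

  // Record explicit choices only: a category not set to true stays denied.
  function grant(choices, method) {
    for (const c of CATEGORIES) { if (c !== "necessary") state.granted[c] = choices[c] === true; }
    state.decidedAt = now().toISOString();
    state.withdrawnAt = null;
    state.method = method;
    persist();
    for (const c of ["analytics", "marketing"]) {
      if (isAllowed(c)) pending[c].splice(0).forEach((fn) => fn());
    }
  }

  // Withdrawal is one call, as easy as granting. Earlier processing stays lawful,
  // so the record keeps decidedAt and adds withdrawnAt instead of erasing history.
  function withdraw() {
    state.granted.analytics = false;
    state.granted.marketing = false;
    state.withdrawnAt = now().toISOString();
    persist();
    pending.analytics.length = 0;
    pending.marketing.length = 0;
  }

  function record() { return JSON.parse(JSON.stringify(state)); }

  load();
  return { isAllowed, gate, grant, withdraw, record };
}

// Minimal in-memory stand-in for localStorage (constructed for the example).
function memoryStorage() {
  const m = new Map();
  return { get: (k) => (m.has(k) ? m.get(k) : null), set: (k, v) => m.set(k, v) };
}

// Walk-through with constructed data: block, opt in to analytics only, then withdraw.
function demo() {
  const store = memoryStorage();
  const cm = createConsentManager(store, () => new Date("2018-05-25T00:00:00Z"));
  const fired = [];
  const results = [
    cm.gate("necessary", () => fired.push("session")),
    cm.gate("analytics", () => fired.push("analytics")),
    cm.gate("marketing", () => fired.push("ads")),
  ];
  cm.grant({ analytics: true, marketing: false }, "banner-opt-in-click");
  cm.withdraw();
  const after = cm.gate("analytics", () => fired.push("analytics-again"));
  return { store, results, fired, after, record: cm.record() };
}
```

In `demo()` the necessary loader runs immediately, the analytics loader only runs after the opt-in click, the marketing loader never runs because it was not consented to, and after withdrawal a fresh analytics loader is blocked again. The persisted record still shows when and how consent was given, which is what the controller needs to demonstrate under Article 7(1).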
Methods used to obtain consent
Following are the methods to obtain consent:
- Ticking an opt-in box on paper or electronically.
- Signing a consent statement on a paper form.
- Clicking on an opt-in button or link online.
- Selection from Yes/No options.
- Giving consent by responding to an email.
- Orally accepting to provide consent.
- Filling in optional information for a specific purpose.
Consent Management under GDPR
To make it clearer, let us discuss the terms involved with consent under GDPR in a little more detail.
Consent must be freely given
If you manage a website and you need to process personal data by asking for consent from users, you will have to make sure that it is given freely. The user needs to know they have a choice and should not be cornered with less information or be forced to give their consent.
Consent should be specific
This means that when the organizations ask for consent, the data subjects need to be told of all the purposes the personal data is being asked for.
Consent must be informed
The data subject needs to be informed about how the website works and which organization controls it. They need to be aware of the controller's identity and the purpose of the processing of their data.
Consent must be unambiguous
When taking consent, it must be done in a manner that makes the wishes of the data subject clear. Pre-checked boxes or inactivity of the data subject cannot be considered valid consent.
Is consent always mandatory?
The answer to this is no. Consent is only one of several lawful bases for processing under GDPR, and it must be obtained before the processing of data begins.
There are other legal bases for the processing of user data in GDPR:
- The processing of data is allowed if the data subject is under a contract.
- The processing of data is allowed to comply with a legal obligation.
- Processing of data is allowed when it comes to the public interest or an official function.
- Processing of data is allowed when it comes to saving a life.
- Processing is allowed when in legitimate interest. However, this might not be applicable in the case of sensitive data, like that of a child.
What happens to existing consent?
As a result of the EU Directive, many organizations have already been asking for consent from users. The question most websites are concerned with is, should new GDPR-compliant consent be asked again in such cases?
Well, GDPR does lend a hand here. Existing consents will remain valid. There won’t be a need to ask users for consent again. But proper records have to be kept on how the consent was obtained from the users.
However, it is to be noted that not informing the users, along with the misuse of their data, will lead to non-compliance with GDPR.
GDPR brings about a new level of data transparency. All websites need to be less secretive and more open about their processing. GDPR may be a complex topic, but it sure is important. It not only protects the users but also keeps organizations from overstepping their boundaries. Consent is the easiest of the GDPR lawful bases to obtain in order to be in compliance. Managing consent is definitely quite a task, but it sure is important too.
One of the tools that can help with consent management is CookieYes.
It will help you be compliant with GDPR and create a cookie banner for your website.
CookieYes will scan all the cookies on your website and arrange them in an ordered list. You can manage the list of cookies and scripts present on your website. The cookie banner appears when a user visits your website, and the cookies and scripts are only set once the user gives their consent. This makes the management of consent easier for the website owner.