GDPR Consent

In May 2018, the EU fired the Internet privacy shot heard around the world. Did you miss it? Likely not.

If you opened your email inbox in May, you likely noticed one thing: an onslaught of emails, from addresses you do and don't recognize, informing you that they've "updated their privacy policy."

For Europeans, it was another of the daily reminders that a new data law was about to come into force. But the flurry of consent emails left the rest of the world scratching their heads: why is everyone updating their policies and asking for consent to them at the same time?

The reason was the introduction of the General Data Protection Regulation (GDPR).

Much of the GDPR is concerned with obtaining consent from visitors. To do that, you'll likely need to update your consent standards and mechanisms.

We'll make it easy to update your consent standards and stay online.

GDPR: What is it?

The GDPR isn't your enemy. It's a layer of protection for citizens - and it has some benefits for businesses, too.

At its core, the GDPR is a love letter from European bureaucrats to digital privacy rights. It took some of the best parts of the previous policy - the Data Protection Directive - and updated it for the modern, social internet.

The purpose of the rules was to bring every European country's data policies into sync so that all EU citizens are protected equally. The European Commission and leaders across the continent saw how much more data-centred the world had become between the first data directive in 1995 and the way the internet is used now.

The GDPR is unlike anything currently in place in the United States. The US pieces together a mish-mash of federal and state laws that protect specific categories, such as children's data or healthcare data. In Europe, the GDPR is an all-encompassing policy covering all types of personal data for all members of the European Union. Whether you're British or Irish, Czech or Slovak, if you're in the Union then you're covered by the GDPR.

The most important change to note is in the jurisdiction of the law. It applies to every company that interacts with personal data of subjects in the European Union, regardless of where the organization is based.

It doesn't matter if you're in New York or Nicaragua. If you're collecting data from any European from Galway to Greece, then the GDPR applies to you.

Changes in Consent Methods

The GDPR focuses heavily on consent. Gone are the days of pre-checked boxes, illegible jargon, and hidden yet binding Terms of Service. The GDPR states that:

"Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it."

What does this mean for you? Your consent mechanisms must reflect the new requirements.

Consent, and the role it plays in processing, isn't new: the GDPR uses the same definition and role outlined in the Data Protection Act and other policies. Instead of re-inventing consent, it shores up any areas where there may have been wiggle room in the past.

Examples of Previously Acceptable Consent

Many of your previous methods of consent no longer qualify as consent under the new law.

Here are the two most popular consent methods that now violate EU law:

Browsewrap

Browsewrap is a way of getting users to give consent simply by using a website or service. The average browsewrap method features a statement within an agreement (such as a Privacy Policy) that says:

"Please note that your use of our Site constitutes your agreement to follow and be bound by the terms of this agreement."

Here's an example of a generic browsewrap statement in a legal agreement:

Generic browsewrap clause in Terms and Conditions

In essence, it assumes that users consent to your Terms of Service and Privacy Policy when they use your site. It doesn't matter whether the user ever read the Terms of Service. Consent is implied and assumed.

The EU doesn't allow browsewrap agreements to be used for consent anymore. Consent statements hidden away on a Terms of Service page aren't clear and accessible. They also don't feature affirmative consent. The GDPR requires a user to take a specific, affirmative action to show consent.

Pre-checked Boxes

A favorite consent trick of internet marketing experts is the pre-checked box. Often used for newsletter sign-ups, these boxes are featured on forms and require the user to un-check the box if they don't want to agree to something.

These are no longer allowed.

In the below image, both boxes would need to be presented as unchecked to users:

The Noun Project create account pop-up with pre-checked box for email signup consent: Not GDPR compliant

Mandatory Consent

You're not allowed to punish users for not consenting to your policies. If a user doesn't agree to your cookie policy, you can't ban them from your site.

Until May 25th, 2018, consent was a one-off decision that may or may not have required an individual to tick a box or push a button to consent to your policies. If you used browsewrap, then it only required using the site.

Now, consent isn't something that happens once. It's organic and alive. Consent is an ongoing relationship that allows people to opt-in and opt-out to various data uses as they choose.

The GDPR requires:

  • Keeping good records of consent
  • Providing granular opt-in methods
  • Providing simple, easy ways of withdrawing consent

Remember

The GDPR looks for consent mechanisms that are straightforward. Do the following when asking for user consent:

  • Add an "I agree" button or some sort of clear, active way to give consent.
  • Use granular methods. Ask for consent for different things separately.
  • Link your different policies and agreements to where you're asking for consent.
  • Make it as easy to withdraw as it is to give consent.
  • Get rid of browsewrap, pre-checked boxes and mandatory consent requirements.
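The two lists above (what the GDPR requires and what to do when asking for consent) describe a mechanism rather than a legal argument, so here is an added example of what that mechanism looks like in code. It is not code from the original article or from any product the article describes. It models a small consent ledger for a website: every purpose starts unchecked, only an explicit tick is recorded as consent, each decision is stored with a timestamp and the policy version it was given under, withdrawal is a single call with the same shape as granting, and the page remains usable for a visitor who declines. The purpose names (`analytics`, `newsletter`, `personalisation`), the policy version string and the user ids are constructed for illustration.

```javascript
// Added example, not part of the original article. Purpose names, policy
// version and user ids below are constructed placeholders.
const PURPOSES = Object.freeze(["analytics", "newsletter", "personalisation"]);

class ConsentLedger {
  // `clock` is injectable so the audit trail can be tested deterministically.
  constructor(policyVersion, clock = () => new Date().toISOString()) {
    this.policyVersion = policyVersion;
    this.clock = clock;
    this.events = []; // append-only: one entry per grant or withdrawal
  }

  // Form state shown to a new visitor: every purpose unchecked (no pre-ticked boxes).
  defaultFormState() {
    return Object.fromEntries(PURPOSES.map((p) => [p, false]));
  }

  // Record the decisions submitted from the consent form, one purpose at a time
  // (granular opt-in). Only a box that was actively ticked (value === true) is
  // recorded as consent; a missing or falsy value is never treated as agreement,
  // which rules out the browsewrap assumption that using the site means consent.
  submitForm(userId, formState, source) {
    for (const purpose of PURPOSES) {
      if (formState[purpose] === true) {
        this.events.push({
          userId, purpose, action: "grant", source,
          policyVersion: this.policyVersion, at: this.clock(),
        });
      }
    }
  }

  // Withdrawal is one call with the same shape as giving consent.
  withdraw(userId, purpose, source) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    this.events.push({
      userId, purpose, action: "withdraw", source,
      policyVersion: this.policyVersion, at: this.clock(),
    });
  }

  // Current status: the latest event for that purpose wins; no event means no consent.
  hasConsent(userId, purpose) {
    let latest = null;
    for (const e of this.events) {
      if (e.userId === userId && e.purpose === purpose) latest = e;
    }
    return latest !== null && latest.action === "grant";
  }

  // The record of consent for one user: what was agreed, when, where, and under
  // which policy version. This is what "keeping good records of consent" refers to.
  recordFor(userId) {
    return this.events.filter((e) => e.userId === userId);
  }
}

// Check a form's initial state for pre-checked boxes before it is shipped.
// Returns the purposes that would be ticked by default (should be an empty list).
function findPrecheckedBoxes(formState) {
  return PURPOSES.filter((p) => formState[p] === true);
}

// Guard against mandatory consent: a page load only consults the ledger to decide
// which optional processing may run, and never blocks a visitor who declined.
function accessSite(ledger, userId) {
  return {
    allowed: true,
    analytics: ledger.hasConsent(userId, "analytics"),
    newsletter: ledger.hasConsent(userId, "newsletter"),
    personalisation: ledger.hasConsent(userId, "personalisation"),
  };
}

// Usage: a visitor ticks only the newsletter box, later withdraws from account settings.
const ledger = new ConsentLedger("privacy-policy-v2");
const form = ledger.defaultFormState();
form.newsletter = true;
ledger.submitForm("user-123", form, "signup-form");
ledger.withdraw("user-123", "newsletter", "account-settings");
console.log(ledger.recordFor("user-123"));
console.log(accessSite(ledger, "user-123"));
```

The design choice worth noting is that consent is derived from an append-only event log rather than stored as a mutable flag: the log is the evidence that a regulator or a user can ask for (what was consented to, when, through which form, under which policy version), and a withdrawal is simply a later event rather than an erased record.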