For Europeans, it was another of the daily reminders that a new data law was about to come into force. But the flurry of consent emails left the rest of the world scratching their heads: why is everyone updating their policies and asking for consent to them at the same time?
The reason was the introduction of the General Data Protection Regulation (GDPR).
Much of the GDPR is concerned with obtaining consent from visitors. To do that, you'll likely need to update your consent standards and mechanisms.
We'll make it easy to update your consent standards and stay online.
The GDPR isn't your enemy. It's a layer of protection for citizens - and it has some benefits for businesses, too.
At its core, the GDPR is a love letter from European bureaucrats to digital privacy rights. It took some of the best parts of the previous policy - the Data Protection Directive - and updated it for the modern, social internet.
The purpose of the rules was to bring every European country's data policies into sync so that all EU citizens are protected equally. The European Commission and leaders across the continent saw how much more data-centered the world had become between the first data directive in 1995 and the way the internet is used now.
The GDPR is unlike anything currently in place in the United States. The US pieces together a mish-mash of federal and state laws that protect specific categories, such as children's data or healthcare data. In Europe, the GDPR is an all-encompassing policy covering all types of data for all members of the European Union. Whether you're British or Irish, Czech or Slovak, if you're in the Union then you're covered by the GDPR.
The most important change to note is in the jurisdiction of the law. It applies to every company that interacts with personal data of subjects in the European Union, regardless of where the organization is based.
It doesn't matter if you're in New York or Nicaragua. If you're collecting data from any European from Galway to Greece, then the GDPR applies to you.
The GDPR focuses heavily on consent. Gone are the days of pre-checked boxes, illegible jargon, and hidden yet binding Terms of Service. The GDPR states that:
"Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it."
What does this mean for you? Your consent mechanisms must reflect the new requirements.
Consent and the role it plays in processing isn't new, and the GDPR uses the same definition and role outlined in the Data Protection Act and other policies. Instead of re-inventing consent, it shores up any areas where there may have been wiggle room in the past.
Many of your previous methods of consent no longer qualify as consent under the new law.
Here are the two most popular consent methods that now violate EU law:
Here's an example of a generic browsewrap statement in a legal agreement:
"Please note that your use of our Site constitutes your agreement to follow and be bound by the terms of this agreement."
The EU no longer allows browsewrap agreements to be used for consent. Consent statements hidden away on a Terms of Service page aren't clear and accessible. They also don't involve affirmative consent: the GDPR requires a user to take a specific, affirmative action to show consent.
A favorite consent trick of internet marketing experts is the pre-checked box. Often used for newsletter sign-ups, these boxes are featured on forms and require the user to un-check the box if they don't want to agree to something.
These are no longer allowed.
In the image below, both boxes would need to be presented to users as unchecked:
Until May 25th, 2018, consent was a one-off decision that may or may not have required an individual to tick a box or push a button to consent to your policies. If you used browsewrap, then it only required using the site.
Now, consent isn't something that happens once. It's organic and alive. Consent is an ongoing relationship that allows people to opt in to and out of various data uses as they choose.
The GDPR requires:
The GDPR looks for consent mechanisms that are straightforward. Do the following when asking for user consent: