If you’re struggling to understand what the General Data Protection Regulation’s (GDPR) consent requirements actually mean for your business, you’re not alone.
Consent is by far one of the most contentious issues with the GDPR – mostly due to the fact that the text lacks clear-cut examples and models of what proper consent practices should look like.
This lack of any clear guidance has opened the door for self-proclaimed “GDPR experts” to make their own interpretations and purport different versions of how to obtain lawful consent. As a result, most business owners are more confused now than ever.
That’s why the Termly team has decided to help cut through the noise, and put together a simple yet exhaustive guide on consent, as well as the best practices for obtaining it. The best part is that it doesn’t require a law degree to understand!
1. How Does the GDPR Define Consent?
Before we take a deep dive into consent, it’s important to point out that Article 6 of the GDPR stipulates that collecting and using user data is only lawful if it meets at least one of six legal bases.
Businesses must assess each point at which they collect and use personal data, and then determine whether it falls under one of the legal grounds for data collection and processing:
- User Consent
- Legitimate Interest
- Contractual Necessity
- Vital Interest of the User
- Legal Obligation
- Public Interest
If your data collection practices do not meet one of the above conditions, then they are not lawful under the GDPR, and your business is subject to hefty financial penalties. For the purposes of this article, we’ll focus on consent as a legal basis for data processing. However, we will discuss the five alternatives near the end, in case you are curious.
The Legal Definition
To get a better understanding of consent under the GDPR, let’s first look at the definition laid out in Article 4:
“‘consent’ of the data subject (user) means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
The bolded words above are key to ensuring that user consent is lawfully obtained, but what exactly do they mean?
Let’s break down these terms into something we can all understand:
– Freely given: Users must be presented with an actual choice and not coerced with negative consequences.
– Specific: Consent should only be given to specific actions (e.g., weekly newsletter) instead of a broad consent to the use of data for whatever reasons a business sees fit.
– Informed: Users must understand the full scope of data collection and its use before making the decision to consent. It should be made clear that consent is being requested, and for what specific purposes.
– Unambiguous: It needs to be made obvious that the user is giving their consent.
– Affirmative action: Users must take an action to demonstrate their consent to the processing of their data. In practical terms, this means that the typical pre-checked boxes that you regularly see during an account signup process are no longer valid under the GDPR because there is no action for the user to take to demonstrate their consent. However, if the box were unchecked when first presented to the user, ticking the box would then be considered an affirmative action.
If your practices for obtaining consent are missing any of the above facets, then according to the GDPR, you are not lawfully obtaining it. Take for instance the Google GDPR fine that cost the tech giant 50 million euros for violating GDPR consent requirements.
To address the definition above, there are several conditions you’ll need to meet:
- Document Consent: Businesses must maintain a record of all users’ consent, including how they consented, what exactly they consented to, and when they gave their consent. This is essential for protecting your business, and will serve as evidence in the event that a user claims they did not give their consent.
- Make it Easy to Withdraw Consent: Businesses should make it as easy to withdraw one’s consent as it is to give. Users should be given the ability to withdraw their consent at any time through a clearly defined process.
- Unbundle Consent: Consent should not be a precondition to complete a contract or receive a service – unless absolutely necessary to perform the contract or service. Users should be able to decide against consent without consequence.
- Make It Granular: Users should be able to issue separate consent to different data-processing activities. Each processing purpose requires separate consent.
- Avoid an Imbalance of Power: This mostly pertains to the employee-employer relationship in which the employee feels pressured to give consent for fear of losing their job.
Unambiguous Consent vs. Explicit Consent
When it comes to processing ‘special categories’ of user data, Article 9 states that the data controller must first acquire explicit consent. Under the GDPR, ‘special categories’ (aka sensitive personal information) refer to any information regarding a user’s:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data
- health data
- sex life or sexual orientation
But what’s the difference between explicit and unambiguous consent?
You’re probably wondering, if all consent must already be freely given, specific, informed, unambiguous, and affirmative, what’s the difference in making it explicit?
Explicit consent must come in the form of a statement – written or oral.
Let’s consider two examples:
Although the website above is clear about the processing activity, and the user must take an unambiguous affirmative action for their data to be processed, it could still be argued that the consent is not explicit because there is no statement that definitively says that the user is providing their consent to receive newsletters and promotions.
Unlike example #1, the company above presents two clearly written statements with boxes that the user must tick to consent to the processing of their data.
While the difference may seem subtle when reading the actual text of the GDPR, the examples above make clear the distinction between unambiguous and explicit consent.
2. Do I Need to Obtain Consent?
Now that we’ve covered what consent is, let’s determine whether or not your business needs to use consent as a legal basis for data processing.
You Should Use Consent as Your Legal Basis if:
The other 5 legal bases (legal obligation, contractual necessity, etc.) do not apply to your data processing activities
You are processing ‘Special Categories’ of personal information (race, religion, etc.)
You want to give your users a legitimate choice
You want to build user trust and engagement
You send marketing emails such as third party offers and newsletters
You Should Not Use Consent as Your Legal Basis if:
There is another legal basis that is better suited to apply to your data processing
You will not provide a way for users to easily withdraw their consent
The choice to consent is not actually genuine and you’ll process the user’s data regardless of whether they consent
Consent is made as a prerequisite to receive a service, but collecting that data is not actually necessary for that service to be performed
There is an imbalance of power between the data controller and the subject, where the subject may feel pressure to give consent (e.g., employer and employee)
3. GDPR Consent Examples & How-To
Deciding exactly how to set up your consent request is arguably the trickiest part of complying with the GDPR’s consent requirements. Sure, now you know the definition of consent, as well as the various requirements for legally obtaining it, but how can you put that all into practice on your own websites and apps?
Below, we’ll walk you through the four main components of a GDPR consent form, and provide you with some examples of companies that are doing it right.
a. Consent Request Wording
As we mentioned earlier, consent must be specific and informed. This means getting the opt-in wording of your consent request or form right is an absolute must.
Let’s take a look at the BBC’s signup form below:
The first thing you’ll notice is the question asking for consent to send email updates to the user. On its own, “email updates about things you’ll love” isn’t all that specific, nor is it informing the user of the purpose of the updates.
However, the BBC goes on to provide a short blurb that informs users what the email updates will be about. On top of that, they also make it clear that consent can be removed at any time, and provide a link that further explains the specifics of the email content.
While the BBC gives us a good example of how we can word our consent request, there are plenty of other ways you can phrase it.
Here are more examples of opt-in wording that you can use in your marketing consent request:
- “I would like to receive product updates from [Brand]. You can unsubscribe at anytime.”
- “Yes, please subscribe me to [Brand]’s weekly newsletter. You can unsubscribe at anytime.”
b. Where to Place Your Consent Request
Where and when you ask for user consent can be tough to get right, because they require you to consider a number of details.
Here’s a checklist of things to consider when deciding the placement of your consent request:
How you SHOULD do it:
Below is an example of how GitHub – the web-based hosting service – requests consent. GitHub does a good job of asking for consent for separate data processing activities.
During their signup process, GitHub presents users with two separate opt-in consent statements – the first asking users for permission to set up an organization, and the second requesting to send news and offers.
Lastly, they also mention how the user can unsubscribe at anytime, and they even link to a post on all the types of emails they send.
GitHub checks off all the boxes when it comes to their consent request placement:
Consent is asked before collecting data
It’s prominently placed
They request separate consent for different activities
There is a clear choice for the user
There is no influence of the user’s choice
c. Information to Include
There are 3 basic pieces of information that you should include in your consent request:
- Who is doing the processing
- The purpose of the processing
- What you will be doing with the data
In addition to the three requirements above, it’s also best practice to mention that consent can be withdrawn at any time, and how users can withdraw it.
The example above, from Friends of the Earth Scotland, hits all of the required points. We know:
That FoE Scotland is processing the information to send their newsletter
What the contents of the newsletter will be
How to unsubscribe
d. Possible Opt-In Actions
The last piece you’ll need to consider when constructing your consent request is deciding which opt-in action the user must take to offer valid consent.
Possible actions could be:
- Ticking a checkbox
- Signing a consent form
- Selecting user preferences
- Clicking a radio button
- Filling in optional form fields for a specific purpose
Putting it all Into Practice: The Good, the Bad, & the Ugly
To get a better idea of how to actually follow through with the above requirements, let’s assess some other examples from around the web.
How NOT to do it:
First, let’s take a look at some styles that simply won’t work for the GDPR:
There are several issues with the consent statement above:
Users have to opt out (checkbox already pre-clicked)
“Select partners”? Who are they? Will they have access to user data?
“And more”? More what? What else could users be unknowingly consenting to?
The user is automatically opted-in to receiving newsletters and notices
Will the user be able to opt out later?
Not only do I not know who might see my data, but it’s unclear the extent to which my data will be processed, and how I can opt out of the newsletter.
If you set up your popup or GDPR consent form like the one above, you will NOT be GDPR compliant.
Here are the things that are wrong with it:
Users have to opt out (must uncheck the boxes)
Unclear who the “partners and sponsors” might be
Unclear if the user can opt out at anytime
Unclear what “updates” might entail
Close…but still missing the mark:
The following examples get a lot of things right – some that you can even adopt yourself. Unfortunately, they’re also missing some critical pieces:
There’s a lot to like about the above consent statement. For one, the site provides details on how your data will be used and states that you can unsubscribe at any time. It also goes even further and reassures users that their data will not be sold to third parties.
However, there are two main issues:
The processing isn’t granular. If I want the ebook, I have to subscribe to the newsletter.
The text on the bottom feels hidden. The size and color make it harder to read than the rest of the text on the popup.
Ironically, the above registration form is for a GDPR webinar. The phrasing on the bottom is detailed enough – I know who’s processing my data, for what purposes, and that I can unsubscribe at any time.
The big issue with this form is that by registering for the webinar, I am automatically subscribed to receive emails AND phone calls regarding the company’s products and services. Once again, consent should be granular and unbundled, which means this form should also have separate opt-in mechanisms for emails and phone calls.
Finally, now that we’ve seen what you shouldn’t do, let’s look at some consent practices that would pass the GDPR test:
The above example from Saltare Consulting hits all the major points:
Appropriate opt-in action (filling in the form’s fields)
Specifies who is processing the data
Details what the data is processed for
Explains exactly how to unsubscribe
Our final example comes from Data Protection Network. Here’s what we love about their membership form:
Appropriate mailing list opt-in action (toggle)
Separate terms and conditions opt-in
User doesn’t have to click a link to read the terms and conditions
Clarifies how to opt out
Re-Permissioning Your Old Contact Lists
At this point you’re probably wondering, “Does the GDPR apply to my old contact lists?”
It might hurt to hear, but the GDPR does indeed apply to any user data you may have collected in the past. But don’t start deleting your old mailing lists just yet. You still might be able to salvage your old contact lists by launching a re-permissioning campaign.
The first thing you’ll need to do is go back and verify how you collected these old contacts. If the methods you used to collect user data meet the requirements of the GDPR (you collected proper consent and have the records to prove it), then you do NOT need to re-permission your old list.
However, if your old data collection methods don’t satisfy the GDPR’s consent requirements (e.g., your newsletter was NOT opt-in), then you’ll either need to run a re-permissioning campaign or purge your mailing lists. We’ll take a guess and assume you’d rather not see all that work you put into building your contact lists go to waste.
The most common method of re-permissioning is to send an email to your old contacts and inform them that they must re-subscribe if they wish to continue receiving offers, newsletters, updates, or whatever they signed up for originally.
Here’s how Litmus re-permissioned their old lists:
Litmus’ email is a great model for an email re-permissioning campaign. The wording is light, friendly, and straight to the point. The user is presented with a clear list of what they will receive if they re-subscribe, and how to unsubscribe at anytime.
The most important part of your re-permissioning email is to remember that if a user does not opt in, their data must be deleted. If you don’t, you’ll likely face harsh financial penalties.
Emails are not the only way to re-permission your old contacts. Visual Retailing has created a separate page on its website to sign users back up to their newsletter:
Again, the wording is uncomplicated, and clearly presents the situation to old subscribers. Users are given details on what’s included in the newsletters, how often they are sent, and how recipients can unsubscribe.
Exactly how you decide to structure your new consent mechanisms and re-permission old contacts largely depends on the user data you collect, but if you follow the guidelines and examples listed above, you’ll be in good shape.
4. Recording & Managing GDPR Consent
Even if the opt-in action, wording, and placement of your consent request all perfectly satisfy the requirements of the GDPR, collecting consent is just half the battle. Under the GDPR, you must also make sure you maintain a detailed record of your users’ consent.
Article 7, section 1 states that:
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
Basically, this means businesses need to maintain a detailed record of all users and their consent details. This will be especially helpful as evidence, in the event that a user accuses you of collecting their data without their consent.
What information should be recorded?
The records you keep on your users’ consent details should be as specific and detailed as the consent itself. You should have a record of the following:
- Who: Name, user ID, email address, or other identifiers (e.g., IP address)
- When: Timestamp of when the user consented
- How: The specific form or place on the site where the user consented (e.g., popup vs. signup form)
- What: What exactly they consented to (e.g., weekly newsletter vs. third-party offers)
- If and when they withdrew their consent
How should you allow users to manage their consent?
In Chapter 3 of the GDPR, articles 15 through 21 cover the specific rights that users have regarding the data collected from them. Among the most noteworthy are the user’s right to access, change, transfer, delete, and object to processing of their data for specific purposes at any time.
While these new rights are great for users in that they put control of their data back in their hands, they present unique challenges to the businesses responsible for upholding them. How can a business offer these rights without hiring a dedicated customer service team?
Most companies address these rights by offering users a privacy center. Put simply, a privacy center is a set of pages that presents all of a website or app’s policies, terms, and user preferences.
Check out snippets of SnapChat’s privacy center below:
Snapchat has an informative, user-friendly privacy center. In the screenshots above, you’ll notice how they explain their privacy measures, as well as how users can control their information. Their “Manage My Account” dashboard provides several action items for their users to take with their data.
Although a privacy center is one of the best ways to give your users control of their data, if you’re a small business owner, building one is likely not within your budget.
Fortunately, privacy centers are not the end all be all – the most important thing is that you give users a clear and simple way to request to see, transfer, update, or delete their data at any time.
Termly offers such a solution. Our simple data request tool gives business owners an easy way to help satisfy the articles under Chapter 3 of the GDPR. With our tool, businesses can give their users a form to request to view, edit, transfer, or delete their personal data.
After a user fills in the form, business owners will receive the request, along with a checklist on how to address it. Under the GDPR, businesses have 30 days to respond to the request.
5. Alternatives to Consent
As we mentioned in the first section, it is possible that consent might not be the best justification for your data collection and processing practices. So before you decide to begin implementing consent request strategies for your data collection and processing practices, you should consider the other legal bases offered by the GDPR.
There are five other legal grounds that may end up being more applicable:
Legitimate Interest – The most ambiguous of the legal grounds. Allows businesses to collect and process data without user consent as long as it doesn’t impede on the user’s rights and freedoms. Businesses should conduct a balancing test to determine whether this is an appropriate legal basis. Although the GDPR is unclear, it does provide some examples of what would constitute as a legitimate interest:
- Fraud Prevention
- Internal Administrative Purposes (e.g., payroll)
- Market Research
- Contractual Necessity – The processing of personal data is allowed if it is absolutely necessary to perform a service or fulfill a contract with a user (e.g., processing a credit card number and contact information in order provide the user with an account)
- Vital Interest of the User – Applies if processing is necessary to protect the vital interests of the user (usually only applies in a life or death situation)
- Legal Obligation – Permits the processing of personal data if it is necessary to comply with a law (e.g., a criminal investigation or a court subpoena)
- Public Interest – Applies if necessary to perform a task for an official authority or for the interest of the public (should only really apply to government-related organizations)
6. Additional GDPR Resources
The GDPR covers much more than just consent. For further guidance on complying with the regulation, check out our other GDPR resources: