GDPR – Building Consents and Privacy Notices

By Katerina Foretova in GDPR
·10 min read

Better company/customer relationships, improved customer engagement, increased company reputation... you may have heard that these are all benefits of getting GDPR-compliant consents right. And that is absolutely true! It is just that consents are sometimes quite difficult to get right, correct?

Alright, so let’s have a look at what GDPR has to say about consents, how we understand them and what needs to change on our online forms before May 25, 2018. As part of my research about GDPR consents, I have also examined some company websites to bring you examples of how others deal with consents and privacy notices under their online forms.

Asking For Consents

There are plenty of things you need to keep in mind when building consents on your website, and it can be quite an overwhelming task. What can definitely make your life easier is the ICO’s Asking for Consents Checklist. I found it extremely useful, and I will use it as the layout for today's article.

Let me now go through the checklist, explain each box in detail, and give you some examples from different company websites.

  • We have checked that consent is the most appropriate lawful basis for processing.

Under the GDPR, a company may process the data of individuals only if there is a lawful basis for such processing. Your task is to determine which of the 6 lawful bases described by the GDPR is the most appropriate one for your scenario(s), depending on the purpose of your processing and the type of relationship you have with the data subject. Keep in mind that none of the lawful bases is better than the others; you need to review your scenario and select the lawful basis that best suits it.

If you still need to keep processing the data even though people refused to give you their consent, you will probably need to back up your processing with a different lawful basis. That is why it is so important to determine the right basis at the beginning, before the personal data processing happens.

For the purposes of this article, let’s assume we have determined consent to be the most suitable lawful basis for our processing.

  • We have made the request for consent prominent and separate from our terms and conditions.

Consent requests must be separate from other terms and conditions; you should not bundle consent and T&Cs together under one option.

Have a look at the following example from ASDA Groceries, who do a good job of providing information about their general T&Cs and ask for consent to send marketing offers as a separate action. However, there is a huge problem with the way the consent is formulated (opt-out consent), but more on this later on in this article.

  • We ask people to positively opt in.

Under the GDPR, consent should be given by a clear affirmative act. That means individuals must take deliberate affirmative action to opt in. Opt-in boxes, YES/NO options, or clicking opt-in buttons, all these count as a positive opt-in act.

The following privacy notice is a great example of how to let people knowingly agree to receiving marketing communications when signing up for the Manchester United fan club.


Attention: Failure to opt out cannot be considered consent. You should not take advantage of the inattention or inactivity of your website visitors.

I am sure Netflix is already working on re-wording their sign up form opt-out consent.


  • We don’t use pre-ticked boxes or any other type of default consent.

Pre-checked opt-in boxes are invalid. You may not rely on the silence or inactivity of your website visitors as agreement with a box that was ticked by default. As described in the previous example, failure to opt out is not consent. There must be a positive action that makes it clear someone is agreeing to the use of their information for a specific and obvious purpose.

In fact, a ban on pre-ticked boxes is nothing new for many countries around the world. For example, Canada, Australia and Germany already adopted this before the GDPR.

Unfortunately this is not true for the United States, where pre-ticked boxes are still the way to grow your contact lists, as you can see in the example below from the New York Times website. Even though I entered the site from inside the European Union, the box was still pre-ticked. After May 25th, this could be considered a GDPR violation.

  • We use clear, plain language that is easy to understand.

When writing your consents, you should use easy to understand, clear, and straightforward language that will not leave any doubt in your audience. You should definitely avoid using jargon, double negatives, or vague sentences that could confuse your website visitors. Just place yourself in the shoes of your visitors, put together a consent you think they would understand, and then have multiple people read the consent aloud. Any changes to it?

What do you think about the following example? Personally, I find it very confusing. The wording itself is quite clear, but the order in which they provided the information made me doubt whether to tick the box or not in case I do not want to receive their special offers.

  • We specify why we want the data and what we’re going to do with it.

Amongst other characteristics, consent must be specific and informed. What does this mean? You simply need to make sure your website visitors know why there is a need for their personal data and what will happen with it once it is provided: for how long you will keep the data, whether you will pass it on to someone else, etc.

Here is an example from the ICO website itself showing a privacy notice under a job application form.

As you can see, the information you may need to provide at the time of collecting consent may be quite extensive. You do not want the information to be disruptive for the website visitor, so what you can do, and what the ICO suggests too, is use ‘just-in-time’ notices. The explanation of why there is a need for such data appears at the point the person puts the cursor inside the field.

  • We name our organisation and any third-party controllers who will be relying on the consent.

Not only do you need to provide your company name but also the names of any third parties who will get access to the personal data.

Another example was taken from Forbes magazine. If the same sign-up form were used for subscriptions from EU countries, they would probably need to provide more information on which “carefully selected partners” are being referred to here. However, the form is only used for Canada and the USA, so they are on the safe side. (Of course, another problem would be the pre-ticked YES boxes.)

  • We give individual (‘granular’) options to consent separately to different purposes and types of processing.

If the way you want to contact your website visitors in the future is either by email or by phone, you should let them choose which type of communication they prefer. However, if you think this would be too disruptive for the user experience, you can put all types of processing or purposes under one option; as a bare minimum, this can still count.

Here is a nice example from the MAC Cosmetics check-out process that gives you a choice of whether to start receiving marketing information via email, SMS (text), or both.

And here comes another example from the Uber sign-up form. Uber takes the opposite approach from MAC, as it informs you of all the different types of processing of your data together. This is OK under the GDPR only as long as nothing is left out. What I find a bit sneaky is that you cannot really refuse to have your data collected and processed for marketing purposes.

  • We tell individuals they can withdraw their consent.

People must be able to withdraw the consent they gave you at any time, ideally in the same way as the consent was given. It should be easy to do, preferably a one-step process.

It is suggested that when asking for consent, you should already provide information on how to withdraw consent once it is given.

Here again is the example from the Manchester United sign-up form, which clearly explains that the consent can be revoked in the Preference centre.


And so here it is, nicely done, right?

  • We ensure that individuals can refuse to consent without detriment.
  • We avoid making consent a precondition of a service.

I have bundled these two together as they are very similar. Now, when we look at the definition of consent, we know it must be freely given. It means you give people genuine choice and control over how you process their data. Consent cannot be considered freely given if you penalize those who refuse to give it, e.g., by restricting access to your service.

If the processing is necessary for the service, consent is unlikely to be the most appropriate lawful basis for the processing. You may want to rely on ‘legitimate interests’ in such cases.

Here I have a head-scratching example. When I access the British Airways site, I get a pop-up window that cannot be closed or skipped. If I am in urgent need of a flight, I do not have any other option than clicking the Continue button that makes me automatically agree with their Privacy Policy. If consent is the lawful basis they rely on in this case, they may need to reconsider the pop-up.
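The checklist points above (separate and granular consent, no pre-ticked boxes, failure to opt out is not consent, easy withdrawal, recording what the person agreed to) translate directly into how a sign-up form is rendered and how its submission is stored. The following is an added example written for this article, not code from the original post, from the ICO, or from Kentico; the purposes, wording, version strings, field names (`consent_<id>`) and function names are all constructed for illustration.

```javascript
// Added example: consent capture that follows the checklist points above.
// Everything here (purposes, wording, field naming) is a constructed assumption.

const CONSENT_PURPOSES = [
  { id: "email_offers", text: "Yes, email me about coffee offers.", version: "2018-05-v1" },
  { id: "sms_offers",   text: "Yes, text me about coffee offers.",  version: "2018-05-v1" },
];

// One unchecked checkbox per purpose: granular, separate from the T&Cs,
// never pre-ticked, and labelled with the exact purpose it covers.
function renderConsentFields(purposes = CONSENT_PURPOSES) {
  return purposes
    .map(p => `<label><input type="checkbox" name="consent_${p.id}" value="yes"> ${p.text}</label>`)
    .join("\n");
}

// Build the stored consent record from the submitted form fields.
// A purpose counts as consented only when its box was affirmatively ticked;
// an absent or empty field is recorded as NOT consented (no default consent).
function buildConsentRecord(submission, purposes = CONSENT_PURPOSES, now = new Date()) {
  const record = { givenAt: now.toISOString(), purposes: {} };
  for (const p of purposes) {
    const ticked = submission[`consent_${p.id}`] === "yes";
    record.purposes[p.id] = {
      consented: ticked,
      text: p.text,        // keep the wording actually shown, for later audit
      version: p.version,  // and which version of it
      withdrawnAt: null,
    };
  }
  return record;
}

// Withdrawal is as easy as giving consent: a single call for a single purpose.
// Returns a new record; the original is left untouched.
function withdrawConsent(record, purposeId, now = new Date()) {
  const entry = record.purposes[purposeId];
  if (!entry) throw new Error(`unknown purpose: ${purposeId}`);
  const updated = { ...entry, consented: false, withdrawnAt: now.toISOString() };
  return { ...record, purposes: { ...record.purposes, [purposeId]: updated } };
}

// Review check for templates: flags any consent checkbox rendered with the
// `checked` attribute, i.e. the pre-ticked pattern the article warns against.
function hasPreTickedConsent(html) {
  return /<input[^>]*name="consent_[^"]*"[^>]*\bchecked\b/i.test(html);
}

// Gate for the marketing system: contact only under an active, unwithdrawn consent.
function canContact(record, purposeId) {
  const e = record.purposes[purposeId];
  return Boolean(e && e.consented && e.withdrawnAt === null);
}
```

The point of storing `text` and `version` alongside the boolean is that, if someone later challenges an email, you can show exactly which wording they agreed to and when; `hasPreTickedConsent` is the kind of check you can run over rendered templates in a build step so a pre-ticked box never reaches production.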

How Kentico Helps

All right, I hope consents have become a little clearer to you after going through all these examples. Now it is time to see how Kentico can help you with building consents on your website.

There have already been quite a few articles published on the Kentico and GDPR topic. You can find them all by clicking the GDPR link at the top of this page.

Today, I would like to show you how to add consent boxes under your online forms. Let’s imagine we are running a Barista competition on our Dancing Goat site that will allow people to show off their coffee making skills and win some prizes.

If we want to use their information only for the purposes of the competition (e.g., send them info about the venue), we can rely on “legitimate interest” as a lawful basis for the data processing as individuals expect their data to be collected for this purpose. However, we would also love to stay in touch with them once the competition is over so we can email them from time to time about our coffee offers. This is where we will need their consent.

The first thing to do is to set up our consent in the Data protection application. The Consents tab is where you need to create a new consent and write down its Short and Full versions. In forms, you display the short one on the form itself; the full version, on the other hand, should be on your Privacy Policy page. I will only set the Short version here.

I will now move to the Forms application to update the form that I prepared for the competition. I will add the consent checkbox as a new field on the Fields tab.

You can now display the form with the consent checkbox in the Pages application using widgets or web parts.

If you want to read more on how to add consent boxes to your newsletter subscription forms, check out our article Email Marketing Consents in Kentico 11.

DISCLAIMER: All data and information provided in this blog post are for informational purposes only. Kentico makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. We recommend consulting with a lawyer for any legal advice pertaining to GDPR compliance.
