GDPR Consent: How to Obtain and Manage Valid Consent

To comply with most privacy regulations, including the GDPR, businesses are required to obtain permission from data subjects to collect and process their personal data.

There are many ways to collect consent, but it will only be valid if you follow some requirements.

Let's talk about how to collect and manage valid consents 👇

Collecting valid consents

In order for consent to be considered valid under the GDPR, it must be freely given, specific, informed and unambiguous.

Freely given

For a consent to be freely given, people must really have the choice to give their consent or not. Which means they must be able to decline the data collection and/or processing ❌ But not only that!

Other contextual conditions must be met:

• People must not be coerced, forced, subject to undue influence or pressure 
• People must be able to refuse without fear of negative consequences

In practical terms, consent will not be freely given if your business is to sell and deliver products to people, but delivery is submitted to people giving their consent to receive your newsletter.

Specific

For a consent to be specific, people must be informed about the specific purposes for which their personal data will be used, and must give their consent for each specific purpose 🎯

As a result, you can't bundle different purposes of processing into a single consent. For example, you should not ask for consent to use personal data for both direct marketing and research, as these are two different purposes and individuals should be able to give their consent for one and not the other if they want to.

Informed

For a consent to be informed, people must be fully aware about how their data will be used and who it will be shared with 📩

It includes:

• Being provided with clear and easily accessible information about what personal data is being collected, the purpose of the collection, and how it will be used.
• Being informed about their rights under the GDPR, such as the right to access, correct, and delete their data.
• Being informed about the identity of the data controller and any third parties that will receive their data.
• Being informed about the existence of automated decision-making and their rights related to it.

This can be achieved through a privacy policy available on your website.

Unambiguous

In a nutshell, people must take a clear and affirmative action to give their consent, such as ticking a checkbox or clicking a button ✅

"Taking an action" implies that consent can't be given through inactivity or silence. You can’t use pre-ticked boxes or opt-out consent which are not considered as valid (except certain conditions like B2B prospecting for opt-outs).

Also, businesses must make sure that people understand what they are consenting to, without confusion or ambiguity.

How to manage consent

Collecting a valid consent is important, but your job doesn't end here 😅 Consent can evolve over time and you have to make sure that people can modify their consent at any given time.

Here is what the GDPR requires:

Keep records of consent.

Businesses should be able to demonstrate that they have obtained valid consent from people. This means that they must keep records of when and how consent was obtained, including the information provided to people and the method used to obtain consent.

Provide easy ways for people to withdraw their consent.

Data subjects have the right to withdraw their consent at any time. Organizations should provide clear and easily accessible information about how individuals can withdraw their consent, and should act promptly to delete any data collected from individuals who withdraw their consent.

You can use our Data Subject Access Requests solution to easily manage consent withdrawal requests.

Refresh consent periodically.

The GDPR requires consent to be obtained on a regular basis, so businesses must refresh consent periodically (every 13 months or earlier), especially if you are collecting sensitive data.

Conclusion

Following these steps will help you gather a valid consent respectful of the GDPR requirements 💪

Keep in mind that privacy compliance is an ongoing process, and regular review and updates are necessary to ensure that you are meeting GDPR requirements.

Using solutions like Privacyboard can help you automate your compliance process by keeping your privacy policy and other legal documents up-to-date, helping you collect and manage Data Subject Access Requests and showcasing your compliance in a dedicated privacy page.