Under most privacy regulations, including the GDPR, consent is one of the lawful bases a business can rely on to collect and process personal data (the GDPR also allows others, such as performance of a contract or legitimate interests).
There are many ways to collect consent, but when you rely on it, it will only be valid if it meets some strict requirements.
Let's talk about how to collect and manage valid consents 👇
In order for consent to be considered valid under the GDPR (Article 4(11)), it must be freely given, specific, informed and unambiguous.
For a consent to be freely given, people must have a genuine choice to give their consent or not. This means they must be able to decline the data collection and/or processing without suffering any detriment ❌ But that is not all!
Other contextual conditions must be met: consent cannot be made a condition of a service that does not actually need the data in question (Article 7(4)), and there must be no clear imbalance of power between you and the data subject, as is often the case with employees or with public authorities (Recital 43).
In practical terms, consent will not be freely given if your business sells and delivers products, but delivery is conditional on people consenting to receive your newsletter.
For a consent to be specific, people must be informed about the specific purposes for which their personal data will be used, and must give their consent for each specific purpose 🎯
As a result, you can't bundle different purposes of processing into a single consent. For example, you should not ask for consent to use personal data for both direct marketing and research, as these are two different purposes and individuals should be able to give their consent for one and not the other if they want to.
For a consent to be informed, people must be told, before they consent, at least who you are, what their data will be used for, who it will be shared with, and that they can withdraw their consent at any time 📩
For a consent to be unambiguous, people must take a clear and affirmative action to give it, such as ticking a checkbox or clicking a button ✅
"Taking an action" implies that consent can't be given through inactivity or silence. Pre-ticked boxes and opt-out mechanisms are not valid consent (the CJEU confirmed this in the Planet49 case, C-673/17). The opt-out exceptions you may come across, such as B2B e-mail prospecting under some national e-marketing rules, come from those rules, not from GDPR consent.
Also, businesses must make sure that people understand what they are consenting to, without confusion or ambiguity.
Collecting a valid consent is important, but your job doesn't end there 😅 Consent can change over time, and you have to make sure that people can modify or withdraw it at any time.
Here is what the GDPR requires:
Keep records of consent.
Businesses must be able to demonstrate that they have obtained valid consent from people (Article 7(1)). This means that they must keep records of when and how consent was obtained, including the information provided to people (for example, which version of the privacy notice they saw) and the method used to obtain consent.
Provide easy ways for people to withdraw their consent.
Data subjects have the right to withdraw their consent at any time, and withdrawing it must be as easy as giving it (Article 7(3)). Organizations should provide clear and easily accessible information about how individuals can withdraw their consent, and should stop the processing that relied on that consent as soon as it is withdrawn. Withdrawal does not make the earlier processing unlawful, but unless another lawful basis applies, the data collected on the basis of that consent should be deleted promptly.
You can use our Data Subject Access Requests solution to easily manage consent withdrawal requests.
Refresh consent periodically.
The GDPR itself does not set an expiry date for consent, but the EDPB and several supervisory authorities recommend refreshing it at appropriate intervals. A common benchmark is 13 months (the CNIL's cookie guidance uses that figure), and you should refresh sooner if the purposes change or if you are collecting sensitive data.
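The three steps above (keep records, allow withdrawal, refresh periodically) map naturally onto an append-only consent ledger. The following is an added example, not code from the original post or from any consent-management product; the purpose names, the method names treated as "affirmative actions", the `privacy-notice-v3` label and the 13-month (395-day) refresh window are all assumptions chosen for illustration, not values fixed by the GDPR.

```python
"""Append-only consent ledger: per-purpose records, withdrawal and refresh.

Added example. Purposes, method names and the 13-month window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed policy: consent older than ~13 months is flagged for refresh.
REFRESH_AFTER = timedelta(days=395)

# Only these collection methods count as a clear affirmative action (assumed names).
# "pre_ticked" or "silence" are deliberately absent and will be rejected.
AFFIRMATIVE_METHODS = {"checkbox_ticked", "button_clicked", "signed_form"}


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable record: who, which purpose, granted or withdrawn, when,
    how, and which version of the privacy notice they were shown."""
    subject_id: str
    purpose: str
    granted: bool
    at: datetime
    method: str
    notice_version: Optional[str]


class ConsentLedger:
    def __init__(self, purposes: Iterable[str]) -> None:
        self._purposes = frozenset(purposes)   # consent is per registered purpose
        self._events: List[ConsentEvent] = []  # never edited, only appended

    def grant(self, subject_id: str, purpose: str, method: str,
              notice_version: str, at: datetime) -> ConsentEvent:
        """Record consent for ONE purpose; bundled consent has no API here."""
        if purpose not in self._purposes:
            raise ValueError(f"unknown purpose {purpose!r}")
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} is not an affirmative action")
        ev = ConsentEvent(subject_id, purpose, True, at, method, notice_version)
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, method: str,
                 at: datetime) -> ConsentEvent:
        """Withdrawal is recorded, never deleted: it is evidence too."""
        ev = ConsentEvent(subject_id, purpose, False, at, method, None)
        self._events.append(ev)
        return ev

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev
        return None

    def status(self, subject_id: str, purpose: str, now: datetime) -> str:
        """'none', 'withdrawn', 'expired' (needs refresh) or 'granted'."""
        ev = self._latest(subject_id, purpose)
        if ev is None:
            return "none"
        if not ev.granted:
            return "withdrawn"
        if now - ev.at > REFRESH_AFTER:
            return "expired"
        return "granted"

    def permitted(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """The check a processing job should run before using the data."""
        return self.status(subject_id, purpose, now) == "granted"

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Full history for a subject/purpose, for demonstrating consent."""
        return [ev for ev in self._events
                if ev.subject_id == subject_id and ev.purpose == purpose]

    def due_for_refresh(self, now: datetime) -> List[Tuple[str, str]]:
        """(subject, purpose) pairs whose latest state is a stale grant."""
        seen, out = set(), []
        for ev in reversed(self._events):
            key = (ev.subject_id, ev.purpose)
            if key in seen:
                continue
            seen.add(key)
            if ev.granted and now - ev.at > REFRESH_AFTER:
                out.append(key)
        return sorted(out)


def demo() -> Dict[str, object]:
    """Constructed scenario: one subject, two purposes, one withdrawal."""
    ledger = ConsentLedger(purposes=["newsletter", "research"])
    t0 = datetime(2024, 1, 10, tzinfo=timezone.utc)
    ledger.grant("alice", "newsletter", "checkbox_ticked", "privacy-notice-v3", t0)
    ledger.grant("alice", "research", "checkbox_ticked", "privacy-notice-v3", t0)
    ledger.withdraw("alice", "newsletter", "account_settings",
                    datetime(2024, 6, 1, tzinfo=timezone.utc))
    try:  # a pre-ticked box must be refused at the API boundary
        ledger.grant("bob", "research", "pre_ticked", "privacy-notice-v3", t0)
        pre_ticked_rejected = False
    except ValueError:
        pre_ticked_rejected = True
    mid = datetime(2024, 7, 1, tzinfo=timezone.utc)
    late = datetime(2025, 3, 1, tzinfo=timezone.utc)  # > 13 months after t0
    return {
        "newsletter_mid": ledger.status("alice", "newsletter", mid),
        "research_mid": ledger.status("alice", "research", mid),
        "research_late": ledger.status("alice", "research", late),
        "refresh_due": ledger.due_for_refresh(late),
        "newsletter_events": len(ledger.evidence("alice", "newsletter")),
        "pre_ticked_rejected": pre_ticked_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Withdrawing "newsletter" leaves "research" untouched, which is what "specific" means in practice, and the withdrawal is kept as a second event rather than overwriting the grant, so the ledger can still show when and how both decisions were made. Processing code should call `permitted()` at the time of use, not cache the answer at collection time.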
Following these steps will help you gather valid consent that meets the GDPR's requirements 💪
Keep in mind that privacy compliance is an ongoing process, and regular review and updates are necessary to ensure that you are meeting GDPR requirements.