Obtaining User Consent
While the current objective allowed companies to use implicit or "opt-out" consent this will no longer pass as consent under the GDPR which will require your website visitors to signal their agreement to their data being processed by "a statement or a clear affirmative action". This mean if you currently have automatically checked opt-in boxes you must alter them so that your visitor must check the box themselves.
In this example below the checkboxes for SMS and Email are left blank which means it requires your visitor to take action, on the other hand the Samples box is prechecked and does not require the user to take action to confirm (they have to take action to opt-out which will no longer be allowed.)
Three Important Requirements
- The right to withdraw consent at any time - it has to be as easy for your users to withdraw their consent as it was for them to give it in the first place. It is important that you make them aware of their right to withdraw before they agree to their data being processed. Once they have withdrawn their consent they have the right to have their personal data erased and no longer used for processing which will be known as the Right to Erasure.
- You will no longer be able to offer services available only on consent of data usage unless that data is essential to the service you are providing. If you ask for consent in return for a service then it will be seen as an imbalance between your user and yourself which means consent has not freely been given.
- The specificity requirement that will come into place with the GDPR, means that the request for consent to process a users data must be "clearly distinguishable" from other matters in a written text - meaning that you cannot bundle all your permissions and terms and conditions into one checkbox and also prevents you from using your visitors data for subsequent data processing tasks unless they are comptabile with the initial request (for example for scientific or historical research)
It is also worth noting that the GDPR will require parental consent to process childrens personal data
How to Tell if Your Company is Ready?
Here are a few things you can do to check if your website is ready for GDPR
- Is your data consent request sepearate from any other terms and conditions and contact requests that you have on your website? This will help ensure the the data processing cannot be tied in to any other service or information the user may sign up for on your website
- Pre-Ticked Opt-In Boxes are a No No! Check that your requests for data are double Opt-In to ensure compliance
- Does you website offer granular consent for different types of processing?
- If you pass on user data to any third parties for procecssing, are these third parties clearly named? It will no longer be acceptable to list only a category for third party organisations
- Is there information on your website for users about the right to withdraw their information in your data opt-in information?
- Do you have somewhere you can keep a record of your user consent?
For email marketing the good news is if you are just sending offers, dynamic content and you are not collecting any additional information from your subscribers then you only need the same marketing consent set out in the current directive
We Can Help
Get in touch with us an we can help you get your website ready for GDPR, contact us here