A Guide to Collecting Explicit Consent Under GDPR

• Understanding and implementing explicit consent collection mechanisms is a vital piece of GDPR compliance—ensuring your organization is respecting data subject rights and maintaining trust with customers.

• GDPR-compliant consent management requires a straightforward interface for collecting consent (one that focuses on user-friendly language and transparency), as well as the ability to record and proliferate consent preferences across different systems.

• Keep reading to explore the intricacies of explicit consent under GDPR, including legal requirements, best practices for consent forms, and the consequences of non-compliance.

• Overview of GDPR and explicit consent

• Understanding explicit consent

• Creating compliant GDPR consent forms

• Managing and maintaining consent

• Legal bases for processing data under GDPR

• The consequences of consent non-compliance

• FAQs about explicit consent

The General Data Protection Regulation (GDPR) created strict requirements for processing the personal data of individuals within the European Union (EU).

A cornerstone of GDPR, explicit consent is the first step in establishing a transparent and ethical framework for processing personal data, ensuring individuals are fully informed and have actively agreed to the collection and use of their data.

Failure to comply with explicit consent requirements can lead to significant fines and damage your organization's reputation.

Securing explicit consent is not just a legal necessity, but also fosters greater consumer trust by ensuring data collection and processing is transparent and respectful of user privacy.

If you deal with any manner of personal data, you need to understand the nuances of obtaining consent from users. The devil is in the details when it comes to security and privacy, so let's go over some of those specifics.

There are many ways users can agree to share data with an organization. It may seem as simple as ticking a box or entering the data into a form, but the subtleties of data security and exchange are what make explicit consent so important.

Here are some important terms to understand around the topic of explicit consent.

Explicit consent is a specific type of consent where an individual is clearly and expressly asked to agree to a particular use of their data. It involves a direct and unambiguous action, such as signing a consent form or checking a box that is not pre-checked. Under GDPR, explicit consent is often required for processing sensitive personal data.

Informed consent is when an individual clearly understands what they are consenting to. This means that before giving consent, the individual is fully informed about the details of the data processing activities, including the nature of the data being collected, the purpose of its collection, and how it will be used or shared. Informed consent is a broader concept that applies in various contexts, not just data protection.

Valid consent refers to consent that meets all legal requirements and is therefore legally binding. For consent to be valid, it must be informed, freely given, specific, and unambiguous (more on this in a moment). It must also be given by an individual who can consent and wasn't coerced or misled in any way.

Unambiguous consent involves a clear and unmistakable action by which an individual agrees to the processing of their data. Unlike explicit consent, it may not involve a written statement or checking a box; it could be given verbally or through other clear affirmative actions.

Implied consent (also known as implicit consent) is inferred from an individual's actions or behavior rather than being explicitly or directly obtained. For example, continuing to use a website might be seen as implied consent for certain data collection practices as outlined in the website's terms of service.

However, under GDPR and similar privacy regulations, reliance on implied consent is often limited and is not considered sufficient for processing sensitive personal data.

It would be correct to say that certain aspects of informed, valid, and unambiguous consent are all present in explicit consent, as we'll explore in the next section.

Explicit consent must have four main characteristics:

1. Freely given: Consent must be given voluntarily, without any pressure or influence.

2. Specific: Consent should pertain to a particular instance of data processing and not be a blanket approval outside of the data subject's wishes.

3. Informed: The data subject should have a full understanding of the data processing activity, including who is collecting the data, why, and how it will be used.

4. Unambiguous: The data subject's acceptance must include a clear affirmative action, indicating a deliberate decision to allow their data to be processed.

Each feature is integral to the validity of explicit consent.

In certain areas of data handling, your explicit permission is not just a courtesy—it's a legal requirement.

These situations often include the handling of sensitive data such as medical records or transferring your personal information across borders. Here are some other scenarios that require explicit consent:

1. Processing of sensitive personal data

2. Data transfers to countries outside the EU/EEA

3. Automated decision-making and profiling

4. Marketing communications

5. Online tracking and cookies

6. Children’s data

7. Healthcare services

Consider this common scenario: a user wants to download a resource from a website. It may be an eBook, a webinar registration, or some other downloadable file.

They enter their name and email address and tick a box that allows the organization to send them the resource.

After they've consumed the resource, they notice that they are still getting daily emails from the company. This exchange has already broken two rules of explicit consent.

The organization was not specific - they didn't mention they would continue emailing the data subject after sending them the resource. Therefore, the data subject was not informed that they'd be added to an email list and spammed until they opted out.

Many of these errors aren't malicious, but simply a result of poor training and negligence. To avoid these errors, let's look at some best practices to obtain explicit consent that don't violate GDPR guidelines or put your company at risk.

Use simple, straightforward language that is easy to understand. Avoid legal jargon and technical terms.

Example: Instead of saying, "Data subject consents to the processing of their personal data," use "You agree to us using your personal information."

Clearly state the purpose of the data collection and use. Take care to go above and beyond to make sure the data subject knows what you'll be doing with their data.

Example: "We collect your email address to send you our weekly newsletter. We will not use your email for any other purpose."

Separate consent requests from one another. Make sure each is distinct and not bundled with other terms, conditions, or requests.

Example: Have a separate checkbox for consent to data processing, not combined with terms and conditions acceptance.

Consent must be given freely without any pressure or feeling of compulsion. The form should allow users to opt-in rather than opt-out.

Example: Use an unchecked opt-in box for marketing emails, rather than a pre-checked box.

Make opt-out consent easy. Clearly articulate that the user can withdraw their consent at any time and explain how they can do this.

Example: "You can unsubscribe from our newsletter at any time by clicking the 'unsubscribe' link at the bottom of every email."

If you share data with third parties, clearly state this in the consent form and name the parties.

Example: "We share your data with XYZ analytics for improving our services. For more information, please read our privacy policy."

Use a consent management platform to keep records, regularly review consent preferences to ensure they are still valid, and make updates if anything changes.

Example: If you update your data use policy, re-obtain consent with the new policy details.

Ensure your consent form is accessible to people with disabilities.

Example: Use high contrast colors for text and background, and ensure screen reader compatibility.

Once you've acquired consent, your job isn't over.

Properly managing and maintaining consent over time is critical to ensure your business complies with data privacy regulations and respects user preferences.

This includes regularly reviewing consents and providing straightforward methods for users to withdraw their consent.

Here are some best practices for managing and maintaining personal data over time.

Keep detailed records of when, how, and what consent was given by each user. This documentation should include the specific details of what the user was told at the time of giving consent.

Example: Implement a consent management platform that logs the date, method, and specific content of the consent provided.

Inform users promptly if there are changes in the way their data is being used or if new data processing activities are introduced that require additional consent.

Example: Send an email notification or in-app message informing users of changes to your data processing policies and seeking new consent where necessary.

Provide users with an easy way to view and manage their consent preferences.

Example: Include a dedicated section in the user's account settings where they can see their current consents and adjust them as needed.

Re-obtain consent at regular intervals, especially if there are significant changes in your data processing practices or as required by law.

Example: Prompt users to renew their consent every two years or when significant changes to data use policies occur.

For more insights on managing consent over time, check out Deloitte's insights on Consent & Preference Management (CPM).

Under the General Data Protection Regulation (GDPR), you must ensure any personal data you process relies on one of six legal bases.

You may process data if:

1. Consent: The individual has given clear explicit consent for processing their data for a specific purpose.

2. Contract: Processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

3. Legal Obligation: The processing is necessary for you to comply with the law (not including contractual obligations).

4. Vital Interests: You need to process the data to protect someone’s life.

5. Public Task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

6. Legitimate Interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s data which overrides those legitimate interests.

Each of these bases has its own set of conditions and requirements, and organizations must establish and document the legal basis for each data processing activity. The choice of legal basis will depend on the specific context and purpose of the data processing being undertaken.

When you fail to comply with consent regulations, particularly those concerning GDPR, substantial legal and financial repercussions can occur, impacting your business operations. These include:

• Administrative Fines

• Reputational Damage

• Litigation Costs

• Operational Disruptions

By understanding and rigorously following data protection and consent regulations, you can avoid these costly and damaging consequences.

A: Explicit consent is a form of consent that requires a clear and specific agreement to the processing of personal data. It must be given freely and unambiguously by the data subject, often through a written statement, including electronic means, or an oral statement. This type of consent is particularly necessary for processing sensitive personal data and in situations where there is a significant impact on the individual.

A: Explicit consent differs in its level of specificity and the clarity of the agreement. Unlike implied or general consent, which can be inferred from actions or context, explicit consent requires a direct and unmistakable action by the individual, indicating their agreement to the processing of their data for specified purposes.

A: Under GDPR, explicit consent is important as it ensures that individuals have a clear understanding and agreement on how their personal data is used. This is especially crucial for processing sensitive data and for transparency and the protection of individual rights in the digital age.

A: An organization can obtain explicit consent by providing a clear, concise, and easily accessible form that outlines the purpose of data collection and use. This form should require a deliberate action to indicate consent, such as ticking a box or signing a document, and should not contain any pre-checked boxes or implied consent.

A: Yes, individuals have the right to withdraw their consent at any time, and it should be as easy to withdraw as it is to give. Organizations must inform individuals of this right and provide an easy and straightforward mechanism for withdrawal.

A: Failure to obtain explicit consent where required under GDPR can lead to significant penalties, including hefty fines. It can also damage the trust and reputation of the organization, leading to a loss of customer confidence.

A: No, explicit consent is not always necessary. There are other legal bases for data processing under GDPR, such as contractual necessity, legal obligation, vital interests, public interest, or legitimate interests. However, explicit consent is particularly important for processing sensitive personal data or for activities like direct marketing.

A: Yes, GDPR applies to all personal data held by an organization, even if it was collected before the regulation came into effect. Organizations must ensure that the consent for this data meets GDPR standards, and if not, they must re-obtain consent or find another legal basis for processing that data.

A: Under GDPR, children can give their consent about information society services (like social networks) if they are at least 16 years old (or a lower age if provided for by member state law, but not below 13 years). For children below this age, consent must be given or authorized by the holder of parental responsibility.

In summary, explicit consent under the General Data Protection Regulation (GDPR) is a key component in maintaining data privacy and protection.

Here are the key takeaways:

Essence of explicit consent: It requires clear, informed, and unambiguous agreement from individuals, particularly when processing sensitive data.

Differentiating consent types: Explicit consent is distinct in its need for specificity compared to other consent forms like general or implied consent.

Compliance practices: Organizations must adhere to GDPR by creating transparent consent forms, allowing easy withdrawal of consent, and regularly managing and updating consents.

Legal and ethical significance: Failing to comply with explicit consent guidelines can lead to legal penalties and damage to reputation and trust.

The importance of explicit consent extends beyond legal compliance; it embodies ethical data practices, empowering individuals and fostering trust.

In our data-driven world, respecting personal data through explicit consent is both a legal necessity and a moral imperative -- It's also fundamental for building a transparent and respectful digital environment.

For when your legacy solution relies on static site scans, requires tedious maintenance, and still leaks unconsented data. Transcend Consent Management collects consent and automates enforcement across every interface, from websites to mobile apps, offering your organization:

• Continuous detection of 200+ kinds of trackers across every inch of your site.

• Automatic network-level enforcement–no manual tag manager configuration.

• Out of the box support for IAB TCF, Google Consent Mode, and Do Not Sell (eg. Meta LDU).

Reach out to learn more.