Join David Booth for an in-depth discussion in this video, "Managing consent," part of GDPR for Marketers.
Not very consumer-friendly. But under GDPR, consent cannot be implied. And to comply, you must seek, obtain, and record explicit consent according to these new guidelines. To comply with the GDPR, at a minimum there are a few things you're going to have to do. First, when you're obtaining consent, you need to use clear and plain language, and you need to place your message prominently where it can't be confused with anything else. That means no hiding it in the fine print, no pre-checked boxes a user might simply gloss over on the way to a different objective.
Have any tracking installed from any of your online advertising platforms? Get consent again. And if two months from now you want to run a new promotion and track who downloads that new coupon, you'll need consent yet again. And if consent is denied at any point, you'll need to stop all of your processing activities immediately. Beyond denying consent in the first place, data subjects will also need to have access to a way in which they can withdraw their consent at any time. And if they do, you'll again need to stop any data processing that you're doing.
Next, children under the age of 16 can't give consent. That consent needs to come from a parent or guardian. And you'll need to be able to record it as such in order to be compliant. The guiding principle around consent is that you'll need to ask for, receive, and record consent everywhere it's needed and anytime you do something new. Different organizations are taking different approaches to exactly how this is going to be managed. And you'll need to make your own decisions here. In the online space, there are many that are adopting modals, or those little pop-up windows that appear on a website, as a form of explaining to users exactly what's being collected and why, and ultimately asking for that clear and unambiguous consent.
You might be able to do this with in-house programming teams, or you might rely on third-party agencies and partners. Or you might choose to leverage technology vendors that offer these features in their products. Some organizations are going so far as to implement entire back-end systems that allow users to view and change consent settings at any time, and while they're there, browse all the personal data an organization has on them, making changes or even erasing themselves in a self-serve fashion. Whatever you choose to do in order to request, obtain, and retain records of consent, it will require some time, effort, and possibly some money to get compliant.
- Define “personal data.”
- Name three data subject rights provided by GDPR.
- Recall the steps that need to be taken to comply with GDPR.
- Explain “privacy by design.”
- Identify the responsibilities of a data protection officer.
- Recognize the steps required to audit your data and processes.