Explicit consent is about giving customers control over how and where their data is used. It is about applying clarity so that they know what they are agreeing to. That sounds so straightforward, but there has to be a trickier aspect to it, right? Absolutely! Read on…
Welcome to the next in my series of GDPR posts exploring the practicalities of the GDPR in the client-agency relationship. You can view my previous posts here.
This time around, I’m going to explore one of the cornerstones of the GDPR, explicit consent, unravelling what this means and the implications for digital projects for both clients and agencies.
What Is It?
Under the current directive, the rules around consent are a little flexible, to say the least. Companies can be smart with wording and use “opt-outs” and implicit consent to swiftly enroll customers up to various newsletters and email campaigns. Generalized consent requests can be used to sign them up to any number of subscriber lists, resulting in a barrage of emails flooding into their inbox every day.
That is all changing under the GDPR. Explicit consent is key in obtaining anyone’s details. It can be broken down into these components:
- Explaining to the customer what data you are capturing (the nature of the data)
- Explaining to the customer why you are capturing that data (the purpose of the data)
- Explaining to the customer who is requesting that data (the identity of the Data Controller) and who else will have access to this data
The end result is that the customer completely understands what data you want and what you plan on doing with it. The customer can then give you unambiguous consent.
However, the tricky part is that the consent they give you only applies to the purpose you have explicitly declared. In the past, you could grab the email address once and then reuse it across campaigns and newsletters alike. This is no longer the case. If you have captured the email for a newsletter, then you have to ask for explicit consent again for the email campaign, and so on.
To make it even trickier, you then have three more considerations:
- You should only hold the data for as long as you need it to achieve the purpose you declared to the customer.
- You need to get higher levels of consent for sensitive personal data.
- The age of consent differs from country to country, but if your customer is below the age of consent, then parental authorization is required.
All of this sounds like a lot of hard work and there are many claiming that it is going to harm new business activities and restrict the number of people you get through the door. However, the flip side is that those who do give you consent are likely to be more engaged.
Having said all of that, there are a few instances where we should not seek explicit consent—typically where there is a lawful basis to obtain the data, e.g., a contract with the individual, compliance with a legal obligation, vital interests.
That’s explicit consent in a nutshell, but what does that mean for your digital projects?
The first area for consideration is user experience. Explicit consent isn’t something that can be casually slipped in. It will have a big impact on user experience design.
We can’t get away with simple, general statements or links off to other pages. We have to be explicit and clear, which means presenting the customer with this information before they give you the consent. They shouldn’t have to work to find the information. It should be right there.
At a high level, this can be boiled down to two streams—one for the client (Data Controller) and one for the agency (Data Processor).
From the client’s perspective, the content is key. You have to be completely transparent with the customer but this can lead to bloated copy and can detract from the user experience. As the Data Controller, the client knows why the data is being captured. Working with the Data Protection Officer (and potentially Legal Counsel), the client can produce clear and concise copy for the site.
The agency needs to consider the user experience design. Having clear and concise copy is all well and good, but we need to be smart in how we tackle the user experience design. The shift from implicit consent and opt-outs to explicit consent will bring some disruption to the typical user experience design patterns. The challenge is to cover compliance while ensuring that we retain simplicity from the customer’s perspective.
Creating the best possible user experience requires both streams to occur in parallel with the client working closely with the agency to deliver the best solution.
The starting point is to identify areas of the site where you are requesting consent from the customer, e.g., sign up for newsletter, gated downloads, etc. Each area can then be discussed in detail to understand why you are collating that information and how it will be used, which can then in turn inform both the copy and the user experience design. You’ll also need to factor in your customer base to check whether you are dealing purely with those over the age of consent or whether there are individuals under the age of consent who require parental authorization. This will have an impact on what needs to be displayed and the sorts of controls you will need.
With the user experience successfully nailed, the next step is to consider the technical implementation. The route you take will depend on your choice of content management system/customer experience management system, or, in the case of those bespoke projects, the technology used to craft the solution.
For those projects built around content management systems, much of the work should be handled by your software of choice (as under the GDPR, software has to help support compliance or it is technically not allowed for use). The agency (Data Processor) will understand the system (they are building in it) and can explain the functionality on offer from the software that supports GDPR compliance. The key thing to note is that the software may not get you complete compliance, so it is important to discuss this with the agency (Data Processor) to understand the functionality provided in relation to explicit consent and whether there is any custom work required.
For those projects built around bespoke solutions (e.g., written from scratch), all of this will need to be implemented by your agency (Data Processor). Start the conversation with your agency to understand what is in place and what functionality is required to achieve GDPR compliance.
In both cases, you need to consider all of the scenarios where explicit consent may be required. This can include profiling performed by Google Analytics, profiling performed by marketing software, contact forms, newsletter subscriptions, campaign subscriptions, and gated downloads. Each one will need to be tackled separately to make sure your request for consent is covered clearly and unambiguously. And, above all, an audit trail is a must.
Once again, this can become even more complex when you factor in the age of consent and the need for parental authorization. Make sure you clearly understand your customer base and whose data you hold.
When it comes to explicit consent, there’s an additional consideration and something we need to factor into the set of processes and guidelines that we are assembling. This all ties back to the rights afforded to customers by the GDPR.
Aside from simply obtaining the consent, we also need to be able to give individuals access to their personal data upon request—to view it, rectify it, or even withdraw consent. This has a direct impact on the technology you are using and what it allows. The agency will understand what is possible and what needs to be in place to allow this access.
However, technical implementation aside, you will also need a supporting process that follows through from the request for access to the customer actually accessing their data. This same process should also allow for customers to request rectifications to their data if they find data that is inaccurate or incomplete.
There’s a lot to consider with explicit consent and some specific challenges to be tackled. It is one of the bigger challenges under the GDPR but, if done successfully, builds a solid foundation.
In my next post in the series, I’ll be exploring the “right to be forgotten” and what this means for clients and agencies.
For a summary of all of the topics covered in my blog post series, you can view a recording of the GDPR webinar I hosted here.
As always, I am very interested in your experience of the points raised in this article. Please share any feedback or comments you may have in the section below. The topic of GDPR is one that is dear to our hearts. Check out some of the critical points you should be addressing here.
DISCLAIMER: All data and information provided in this blog post are for informational purposes only. Kentico makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. We recommend consulting with a lawyer for any legal advice pertaining to GDPR compliance.