GDPR Consent for Existing Customers


With less than a month to go before the introduction of the General Data Protection Regulation (GDPR), many companies are wondering whether they need to request consent from their existing customers in order to process or continue processing their data. There are a number of conditions that must be met for consent to be valid under the GDPR. These include consent having been given freely by an informed individual for a specified purpose.

On a superficial level, these are the same as the criteria which must be followed under the existing law. As a result, many organizations may feel that their user and customer consent does not need to be reviewed. However, the GDPR makes some amendments to how consent can be acquired, given, or implied. It is important that groups make note of these additional requirements when assessing the consent of their existing customers and when requesting consent from new and future customers. Below, we review some of the more important aspects that must be respected. If these have not been applied, existing consent may not be valid and the company may be non-compliant.

Consent as a Stand-alone Action

Under the GDPR, consent cannot be gathered from users as a by-product of their agreeing to the general terms and conditions of a service; it must be requested separately. Article 7, Consent, states that “the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”.

As well as this, there will be greater scrutiny of what constitutes “freely given” consent. If a contract or use of a service is conditional on consent being given to process personal data that is not required for the performance of the contract or use of the service, it may be determined that the consent was not freely given and is therefore not valid.

Pre-Checked Acceptance Fields and Silence are Not Acceptable Forms of Acquiring Consent

The Regulation states that “consent should be given by a clear affirmative act”. It must be an action, or something equivalent, that is consciously and deliberately done by the individual. This means that, for example, someone telephoning a company cannot simply be informed that the conversation will be recorded and that by staying on the line they agree to the recording; they must actively agree verbally, or take some action such as pressing a button, to consent to the recording. Similarly, websites with pre-checked consent fields or opt-in boxes are not acceptable. The individual must take the action of checking the box or field themselves.

The Individual Must be Told Who Uses the Data

When giving consent, the individual must be informed of who will be making use of the data, in the interests of transparency. This includes the identity of the main data controller, but also any third parties that may eventually use the data. Article 13, Information to be provided where personal data are collected from the data subject, notes that data subjects should be informed, among other things, of “the identity and the contact details of the controller” and “recipients or categories of recipients of the personal data, if any”.

Consent Provided Must be Recorded

Coming back to Article 7, we find another common theme that runs throughout the GDPR: documentation. The controller must be able to prove they are compliant with the GDPR, and in the case of consent this means that “the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”.

Individuals Must be Easily Able to Withdraw Consent

Staying with Article 7, we see that data subjects must be allowed to withdraw their consent. Crucially, the law states that “it shall be as easy to withdraw as to give consent”. This means companies must put systems in place to facilitate withdrawing consent and must ensure that processing is halted once consent has been revoked.

GDPR Cold Emailing Rules

Many organizations that use cold emailing to reach out to and contact new people are concerned that the General Data Protection Regulation (GDPR) will introduce rules prohibiting or severely hampering the practice. When the GDPR comes into effect on May 25, 2018, these organizations can rest assured that cold emailing can still be used in compliance with the new legislation, but they will need to ensure that they follow the correct procedures when doing so.

Member State Laws May Differ

Even though one of the principal goals of the GDPR is to harmonize the rules on data protection and data processing across the EU member states, there may still be local exceptions or differences that must be taken into account. Every member state retains some liberty and a degree of discretion in the laws it implements, which may affect how the GDPR is enforced. Groups should therefore verify the local legal requirements of the country or countries where they will be operating before collecting or processing any data.

Author: HIPAA Journal
