Making Sense of User Consent Under GDPRMaking Sense of User Consent Under GDPR

Among the many requirements of the EU's General Data Protection Regulation, U.S.-based companies that offer products or services to individuals in the EU or monitor their activities need to ensure that they are meeting new requirements for selling and marketing to those leads, prospects, and customers. One of the first things businesses now need to consider is whether there is a lawful basis for the collection, use, storage, and sharing of personal data about those target groups for sales and marketing activities.

While companies will need to rely on their legal advisors to determine whether they have a lawful basis, another important aspect is consent. Over the past decade, I have seen that managing consent is based not only on what the consent says, but on the practical aspects of seeking consent and managing individuals’ preferences as they change over time. For example knowing whether you can email conference attendees after you’ve scanned their badges or collect sales leads from website visitors that download a white paper.

Before looking into how to effectively address those situations, it’s helpful to first spend a moment understanding how EU regulators define "personal data," and what regulators consider to be "consent".

Identifiable data is personal data

The GDPR was designed with the goal of providing a greater degree of protection for individuals.

But what is personal data? According to EU regulators, personal data is any information relating to an identified or identifiable individual. While the definition of personal data in the EU has always been broad, GDPR now specifically references location data and online identifiers such as an IP address.  Among factors that may make information identifiable are those specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.

So where does that leave U.S. companies seeking to perform their day-to-day business operations? Four key themes to keep in mind related to consent under the GDPR are:

Collecting contact information at trade shows

Under the GDPR, "[email protected]" is personal data, but "[email protected]" is not because an identifiable individual exists for the former by virtue of the name, but not the latter. One practical implication of this is whether it is now advisable to collect business cards at trade shows and industry conferences for the purpose of adding these individuals to a marketing database?  

Since user consent must be freely given, specific, informed and unambiguous [GDPR Article 4(1)], one practical approach is to use a form fill on an iPad or similar device at the trade show to use as a way to clearly capture and store consent.

Sales leads and the matter of downloads

How about offering whitepapers and other collateral on your corporate website in exchange for providing personal contact information on a registration page? Under GDPR, you need to be transparent at the time of collection about specific purposes for which the information will be used, stored, and/or shared. Spending the time to plan up front what you intend to do is more important than ever because any purposes that you don’t describe in your consent, in most cases, won’t be purposes that you will actually be able to implement with personal data under GDPR - and anonymization may be your only option.

Similarly, you couldn’t use email addresses obtained solely for contest entry purposes for marketing to the individual or sharing that information with partners, unless the user was informed and specifically agreed to those additional purposes.

Stale consents and marketing emails

Consents that are obtained through pre-ticked checkboxes won’t be valid under GDPR because they imply that the individual has not made an active choice. Instead, U.S. businesses need to evaluate their methods for obtaining informed consent.

A practice that works is to give individuals a clear explanation of how and why you plan to use the data before you collect it -- whether using videos, graphics, or simple statements -- and then ask them if they agree. Some innovative approaches include short animated videos and just-in-time graphic-enhanced descriptions to aid user understanding. A good rule of thumb is to ask whether you can supply a record of the time, date, and intake mechanism for instances when a data subject’s consent was captured. If the answer is no, and you cannot demonstrate consent, you may need to re-obtain GDPR-compliant consent.

EU regulators have made it clear that companies should be prepared for immediate enforcement and that there is no grace period when it comes to complying with the GDPR. The examples given are just a few to illustrate how the new regulation impacts U.S. business activities for selling and marketing to customers. To comfortably target EU customers, best practices that you should consider for your organization include establishing data management processes for collecting and processing customer and prospect data, implementing clear mechanisms for collecting freely given consent, and finally, an audit trail to demonstrate user consent should EU regulators come knocking on your door.

As CEO of TrustArc, formerly known as TRUSTe, Chris Babel has led the company through growth and transformation into a leading global privacy compliance and risk management solutions company. Before joining TrustArc, Chris spent over a decade building online trust, most recently in the security industry as senior vice president and general manager of VeriSign's authentication services business. Chris also previously managed VeriSign's SSL and managed security services business. He holds a BA in Mathematical Methods in the Social Sciences and Economics from Northwestern University.