Consider these types of data, they are very different and have different purposes.
- Data captured when consuming web sites
- Personal data
In the main, web site data is anonymous. Most web sites record access statistics and site navigation data. It is unlikely that personal data will be captured as a result of browsing alone.
Personal data is usually provided voluntarily, captured using web forms, over the phone or in store. Activities like placing orders, subscribing to mailing lists or making bookings all include some personal data.
Asking a person for consent to use their information, for other purposes, has been around for many years now. In the UK, the need for consent came into place with the Data Protection Act 1998. At this time we were presented with boxes to tick if we didn’t want to receive further marketing material or contact. Web sites may have asked us if tracking data could be kept.
All well and good, but what did it mean?
Giving consent for any of our personal data was often taken as agreement that it could be used in whatever way the company wished. Our data could be sold on to third party suppliers, provided for research projects, any number of things of which we weren’t aware.
Along came GDPR
With the introduction of the General Data Protection Regulation (GDPR), in May 2018, the way our personal data should be kept and used has changed. We’ve seen some improvement on the collection of consent. We now have to tick boxes if we want to receive further marketing material, web sites are popping up consent messages more often and starting to show us more detail on the types of data being collected. Opting in is now becoming the ‘norm’.
So, what’s the problem?
It is clear that more needs to be done. Whilst the request for consent is more apparent now, there are still many cases where the defaults for consent are incorrect. Consent should be implicitly set, not assumed. Web sites should not prevent access if consent isn’t approved. Consent isn’t approval to access the site. Consent should always be freely given, be for a specific purpose and the request unambiguous. Privacy Policies should be clear and not be used as an attempt to cover up misuse of data, avoid the use of vague wording “company may make your details available to our partners”.
As soon as personal data is captured, in a web based form, is it clear how this data will be used? Is there clarity on how the consent for cookies applies to the personal data now collected?
Giving consent isn’t the whole picture
Consent should be as easy to withdraw as it is to give. Once captured in web site cookies it should be clear and easy to remove the consent previously given. Consent for internal or third party marketing should also be as easy to reverse. Responding to Subject Access Requests (SAR) in a timely manner, and taking action when requested to remove consent, are just as important as collecting the consent in the first place.
What should be done?
Don’t get caught out with fines for lack of transparency or failure to obtain valid consent.
- Ask yourself what you are processing and why.
- Be clear on how data will be used.
- Don’t hide consent in with other things, legitimate interest for example.
- Keep records to evidence consent – who consented, when and how. What they were told.
- Make it easy for people to withdraw consent at any time they choose.
- Keep consents under review and refresh them if anything changes.