Under the GDPR, there are numerous hoops you must jump through in order to obtain it. That’s the bad news, but you will have to get your practices in line or you risk having to pay exorbitant fines.
This is great news for the regular users who will now have more control over how their data is used. The most hard-hit will be those services who used to obtain consent by pure trickery and then used their users’ data for less savoury purposes. This shouldn’t impact all the trustworthy companies who should still have no trouble obtaining consent, but they too will have to introduce certain changes.
The time-tested adage that learning from someone’s mistakes is the best – and the cheapest way – of learning still rings true. That’s why we’ll give you an overview of what not to do when preparing your consent forms.
The GDPR makes it clear as day: Unless a person explicitly ticks the box signifying consent, they didn’t actually consent. There’s no two ways around it!
For example, a pre-ticked box saying “I agree to use of my personal data by your company” in size-8 font coupled with a huge ‘Proceed’ button just doesn’t cut it anymore. This is considered dishonest and trickery – and it could cost you dearly if you get reported to the supervisory authorities!
Remember, silence also doesn’t constitute consent. You cannot simply consider that consent has been given by slapping a disclaimer onto a dialogue box. Implied consent is also not enough in a vast majority of cases. No can do!
But you shouldn’t be like that. If not for taking the moral high ground, then at least for the sake of your own wallet – the fines for unlawful processing can go as high as EUR 20 million or 4 percent of your company’s global annual turnover, whichever is higher.
That’s why it’s important to clearly explain the consequences of consent – in plain, simple language – right next to the consent dialogue box, not in some well-hidden, asterisk-laden ToS.
Just to illustrate how impractical these policies and terms are, a study performed by Lorrie Cranor, a professor at Carnegie Mellon, showed an average person would spend 6 work weeks a year (201 hours) just on reading privacy policies of websites they visit.
3. Blanket Requirements
When a person consents to your use of their information, they are consenting only to the operations you have explicitly described during the consent process. The consent is, therefore, specific and limited. You must clearly explain to your users what you are planning to do with their data, since the law stipulates that consent be informed.
And no, you cannot write that their data can be used for all purposes as you see fit. Well, technically you can, but good luck obtaining consent and explaining that requirement of yours to the regulatory authorities.
However, the law is sensible enough to allow you to perform processing if the subsequent data processing activities are very similar to those the individual had agreed for and if it is reasonable to expect that such processing would take place. It must also not present any additional risks to the person whose data you are processing. Make sure to keep good records of your processing activities as well, so you can prove you are in the clear.
What you do with others’ data is not only your business, for better or worse. One of the major stakeholders in your processing activities are, of course, the individuals whose data you process. They have the right to know – at any time – what is being done with their data, and you must answer their queries.
And unless required for performance of a contract or a law, when asked by the individual to do so, you must delete all their data you have on hand – and, of course, cease with any further processing. The GDPR requires that you answer all user requests for transparency in a timely manner, within a month at the latest.
As best practice, it is recommended, although not mandatory, to renew consent from time to time – every two or three years, for example.
You always have to provide contact details for your privacy department in case of disputes, where individuals can contact you.
If the user feels you haven’t done all you could have regarding their request, they can contact the local supervisory authority and appeal to them. The authority may then investigate the issue further. You do not want to be caught red handed or without evidence of proper conduct.
That’s why it’s important to keep records of all your processing activities, as well as your communication with all individuals. Very determined individuals can even take you to court regardless of the opinion of the regulatory authority.
5. Everyone is 18+
If a website contains adult content, there must be some kind of a verification mechanism to help prevent minors from being exposed to such content (although the efficacy of such systems is dubious at best). But, the age limits apply to other, non-adult sites, too.
The US has a long-standing tradition of barring children younger than 13 from using their services. This is because younger users cannot use the sites without parental consent, the verification of which is cumbersome and next to impossible.
The GDPR sets this bar at 16 years old, but national laws can reduce the age to no lower than 13 years. In any case, children and teenagers can simply lie and there are no reasonable and cost-effective ways to prevent that, but at least you can show that you tried.
Of course, if it is painfully obvious the user is indeed younger, their accounts should be deleted or verification demanded – usually in form of parental ID or similar (which, again, can be easily circumvented by creative tweens).
These tips should help you on your way to ensuring GDPR compliance. However, it’s a long road and some help along the way could prove to be useful. Getting an outsourced data protection officer could be a cost-effective way for a worry-free privacy environment, while keeping costs manageable at the same time.