BBB Publishes Post About ‘GDPR-Style’ Consent
The Better Business Bureau has recently published a post for U.S. companies about consent under the EU General Data Protection Regulation.
From ecommerce and targeted advertising to online lead generation, digital marketing often centers around the processing of personal data. The BBB post distinguishes between soft “consent” (e.g., an online buyer-seller relationship) and legal consent under the GDPR.
In the latter context, the BBB reiterates that consent cannot be implied. The post states that it is “explicit, affirmative, opt-in permission” to process the subject’s personal data. This stronger type of consent may not always be required to process data legally, as in the example of requiring a consumer to check a box next to the words “I consent to your collection and use of my physical address for purposes of delivering my shoes.” However, obtaining a consumer’s affirmative consent to process her address for purposes of ongoing marketing communications is a different situation entirely.
Even though GDPR-style consent is not always legally required, the BBB reminds marketers that it is critical to understand what to consider during the design and assessment of internal privacy processes.
The BBB post explains that, for consent to be valid, the data subject must affirmatively opt in to the sharing of their data for a particular purpose. Why you are collecting the data and how it will be used should be described with specificity. Be transparent and inform consumers who will be relying upon such consent.
A good rule of thumb is to ask yourself whether the consumer understood how her data will be used when she provided her consent. The BBB also reminds marketers that consent is ongoing and subject to withdrawal. The GDPR guarantees a right to withdraw consent to processing. Importantly, the BBB post points out that “[i]f consent withdrawal doesn’t make sense in the context of the purpose for which you are processing the data, consent is probably not the best legal basis for your processing.”
Consent must also be designed to be informed, intelligible and easily accessible via the use of clear and plain language. It should never be bundled with other terms.
The BBB post also notes that data subjects must say or do something, affirmatively, to indicate their consent. Opt-in mechanisms should be designed to eliminate ambiguity.
Consult with a data privacy lawyer to discuss emerging trends and compliance obligations for Internet marketers, including when consent is required under the GDPR.
According to the BBB and Richard B. Newman, an FTC compliance and defense lawyer at Hinch Newman LLP, for non-sensitive data, consent may be merely one possible legal justification for processing. If no meaningful means for the data subject to withdraw the consent can be provided, consent is probably not the best basis by which to justify processing data. Special categories of data require that consent be obtained. The GDPR requires that consent from a parent or legal guardian be obtained if consent is relied upon as the lawful basis for the processing of children’s data.
See the BBB post, here.
Richard B. Newman is an FTC compliance attorney at Hinch Newman LLP. He is a member of the International Association of Privacy Professionals, and advises Internet marketers and advertisers about legal requirements related to national direct marketing campaigns. Follow him on LinkedIn at FTC defense lawyer.
Informational purposes only. Not legal advice. Always seek the advice of an attorney. Previous case results do not guarantee similar future results. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.