As a US company operating domestically, you might not be worrying too much about the European Union’s General Data Protection Regulation (the “GDPR”), scheduled to go into effect in May of 2018. However, if you are collecting EU consumer data, you would be wise to plan ahead and adapt, because the financial penalties for non-compliance are very significant. The GDPR applies to any entity that processes personal data about an EU resident in connection with the offer of goods or services in the EU or the monitoring of behavior in the EU. Even if you never set foot on European soil, if your activities fit this description, this law might apply to you.
In general, the GDPR sets a high standard for consent. The goal is to offer people genuine choice and control over how their personal data is used. Specifically, the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” It goes further than prior regulations in that it also requires keeping records of consent, clarity and prominence of consent requests, the right to withdraw consent, and avoiding making consent a condition of a contract. So, what exactly is required for consent to be valid under the GDPR? What exactly is “informed and unambiguous” consent? What is “clear affirmative action”? In early March, the Information Commissioner’s Office (the “ICO”), the United Kingdom’s independent body that regulates privacy rights, offered some clarity. According to the ICO, valid consent must be:
Unbundled. This means consent must be separate from other terms and conditions and may not be a precondition of signing up to a service unless necessary for that service.
Active. Pre-ticked opt-in boxes are not valid. In contrast, unticked opt-in boxes or similar active opt-in methods (for example, a binary choice given equal prominence) are sufficient. The key point here is that all consent must be opt-in consent. Failure to opt out will not be considered consent.
Granular. There must be separate consent options for different processing operations and different purposes. If purposes or activities evolve beyond what was originally specified, consents will have to be renewed.
Named. Organizations and any third parties relying on consent must be precisely named (categories will not be sufficient).
Documented. Records must be kept to demonstrate what the individual has consented to, including what they were told and how they consented.
Easy to Withdraw. People must be informed of their right to withdraw consent and it must be easy to do so.
No Imbalance in the Relationship. Consent cannot be freely given if there is an imbalance in the relationship between the individual and the controller.
Can Companies Continue to Use Previously Collected Data? For those companies wondering whether they can continue to use data obtained prior to the effective date of the GDPR, the answer might not be the one you want to hear. While there is no need to repaper consents that meet GDPR standards and are properly documented (provided that mechanisms are added to make withdrawal of consent easy), if existing consents don’t meet GDPR standards or are poorly documented, you will need to seek fresh, compliant consent for your processing or stop processing altogether.
What Are the Penalties for Non-Compliance? Companies that rely on invalid or inappropriate consent may find themselves open to substantial fines under the GDPR, which states that infringements of the basic principles for processing personal data, including the conditions for consent, are subject to administrative fines which could be as large as 20 million Euros (approximately 21.6 million dollars) or 4% of your total revenues, whichever is higher.
US companies accustomed to a little more freedom and flexibility around the collection and use of personal data should expect that, where European data is being collected, those days may be gone. Implementing systems that comply with the GDPR will require technical and administrative changes that may be costly and may take time. However, because the penalty for non-compliance is so great, it is important that plans are made to ensure compliance before the GDPR becomes effective.