Welcome to the fourth in my series of GDPR posts exploring the practicalities of the GDPR in the client-agency relationship.
This time around I’m going to explore one of the cornerstones of the GDPR, explicit consent, unravelling what this means and the implications on digital projects for both Data Controllers (clients) and Data Processors (agencies).
What is it?
Under the current directive, the rules around consent are a little flexible to say the least. Companies can be smart with wording and use “opt-outs” and implicit consent to swiftly enrol you onto various newsletters and email campaigns. Generalised consent requests can be used to sign you up for any number of subscriber lists, resulting in a barrage of emails flooding into your inbox every day.
That is all changing under the GDPR. Explicit consent is key in obtaining anyone’s details. It can be broken down into these components:
- Explaining to the customer what data you are capturing (the nature of the data)
- Explaining to the customer why you are capturing that data (the purpose of the data)
- Explaining to the customer who is requesting that data (the identity of the Data Controller) and who else will have access to this data
The end result is that the customer completely understands what data an organisation wants and what it plans on doing with it. The customer can then give unambiguous consent.
However, the tricky part is that the consent they give only applies to the purpose that has been explicitly declared. In the past, it was possible for an organisation to grab an email address once and then reuse it across campaigns and newsletters alike. This is no longer the case. If data has been captured for a newsletter, then explicit consent also needs to be gained for the email campaign and so on.
To make it all the more tricky, there are then three more considerations:
- Data can only be held for as long as an organisation needs it to achieve the purpose declared to the customer
- Higher levels of consent need to be gained for the sensitive personal data that I covered in my second post in the GDPR series
- The age of consent differs from country to country but if a customer is below the age of consent then parental authorisation is required
All of this sounds like a lot of hard work and there are many claiming that it is going to harm new business activities and restrict the number of people that brands get through the door. However, the flip side is that those who do give consent are likely to be more engaged.
Having said all of that, there are a few instances where explicit consent should not be sought - typically where there is a lawful basis to obtain the data, e.g. a contract with the individual, compliance with a legal obligation, vital interests.
That’s explicit consent in a nutshell but what does that mean for digital projects?
The first area for consideration is user experience. Explicit consent isn’t something that can be casually slipped in. It will have a big impact on user experience design.
We can’t get away with simple, general statements or links off to other pages. We have to be explicit and clear which means presenting the customer with this information before they give the consent. They shouldn’t have to work to find the information. It should be right there.
At a high level, this can be boiled down to two streams – one for the client (Data Controller) and one for the agency (Data Processor).
From the client’s perspective, the content is key. You have to be completely transparent with the customer but this can lead to bloated copy and can detract from the user experience. As the Data Controller, the client knows why the data is being captured. Working with the Data Protection Officer (and potentially Legal Counsel), the client can produce clear and concise copy for the site.
As an agency, you’ll need to consider the user experience design. Having clear and concise copy is all well and good but we need to be smart in how we tackle the user experience design. The shift from implicit consent and opt-outs to explicit consent will bring some disruption to the typical user experience design patterns. The challenge is to cover compliance while ensuring that we retain simplicity from the customer’s perspective.
Creating the best possible user experience requires both streams to occur in parallel with the client working closely with you to deliver the best solution.
The starting point is to identify areas of the site where consent is being requested from the customer, e.g. sign up for a newsletter, gated downloads, etc. Each area can then be discussed in detail to understand why that information is being collated and how it will be used which can then, in turn, inform both the copy and the user experience design. The customer base that a brand has needs to be factored in to check whether it is purely those over the age of consent or whether there are individuals under the age of consent who require parental authorisation. This will have an impact on what needs to be displayed and the sorts of controls needed.
With the user experience successfully nailed, the next step is to consider the technical implementation. The route that an organisation takes will depend on the content management system/customer experience management system, or, in the case of those bespoke projects, the technology used to craft the solution.
For those projects built around content management systems, much of the work should be handled by the software of choice (as under the GDPR software has to help support compliance or it is technically not allowed for use). As the agency (Data Processor), you will understand the system and will be able to explain the functionality on offer from the software that supports GDPR compliance. The key thing to note is that the software may not achieve complete compliance so it is important to discuss this with the client (Data Controller) to ensure they understand the functionality provided in relation to explicit consent and whether there is any custom work required.
For those projects built around bespoke solutions (e.g. written from scratch), all of this will need to be implemented by you, the agency. Start the conversation with your client to understand what is in place and what functionality is required to achieve GDPR compliance.
In both cases, all of the scenarios where explicit consent may be required will need to be considered. This can include profiling performed by Google Analytics, profiling performed by marketing software (Kentico EMS, Marketo, Acquia Lift, HubSpot, Pardot, etc.), contact forms, newsletter subscriptions, campaign subscriptions and gated downloads. Each one will need to be tackled separately to make sure any request for consent is covered clearly and unambiguously. And, above all, an audit trail is a must.
Once again, this can become even more complex when you factor in the age of consent and the need for parental authorisation. Make sure you and your clients clearly understand your customer base and the data held.
When it comes to explicit consent, there’s an additional consideration and something we need to factor into the set of processes and guidelines that we are assembling. This all ties back to the rights afforded to customers by the GDPR.
Aside from simply obtaining the consent, we also need to be able to give individuals access to their personal data upon request - to view it, rectify it or even withdraw consent. This has a direct impact on the technology being used and what it allows. You will need to speak to your clients to ensure they understand what is possible and what needs to be in place to allow this access.
However, technical implementation aside, a supporting process is also needed that follows through from the request for access to the customer actually accessing their data. This same process should also allow for customers to request rectifications to their data if they find data that is inaccurate or incomplete.
There’s a lot to consider with explicit consent and some specific challenges to be tackled. It is one of the bigger challenges under the GDPR but, if done successfully, builds a solid foundation.
In my next post in the series, I’ll be exploring the “right to be forgotten” and what this means practically for clients and agencies.