Facing national privacy laws and the rising demand from consumers to maintain data privacy standards, businesses are enlisting privacy professionals to manage compliance. As reported by The Register, companies have already incurred fines for contacting data subjects without their consent. And with new privacy regulation on the horizon, the challenge of tracking consent and other privacy rights will only increase in difficulty.
Here are some tactical steps to ensure compliance for businesses impacted by the EU General Data Protection Regulation and California Consumer Privacy Act.
As stated by Article 7 of the GDPR, “the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.” Consent is required for processing and communication and is explicitly defined by the regulation to be in clear language and easily withdrawn.
Step 1: Identify where consent is required or relied upon
The first step in determining how your organization should handle consent is to identify where the consent is tracked and which programs or products rely on it. Once this is determined, companies must identify when and where this consent is required.
When tracking and recording consent, companies should keep the following records to maintain compliance:
- Name or another identifier of the user/data subject.
- Date/timestamp and method of consent.
- Copies of the corresponding privacy policy and consent request, as they stood at the time consent was acquired.
- Document or capture of data through which consent was acquired.
Step 2: Determine methods for obtaining consent and informing users of requirements
After identifying the processes reliant on consent, it’s crucial to determine and track methods for obtaining users’ consent. Article 7, “conditions for consent,” states “[w]here processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.” Article 7 requires companies to both track consent and be capable of demonstrating that consent has been given for any processing of the users’ personal data.
For companies, this means staying organized and ensuring that consent requests are kept separate from terms of service. Article 7 also requires that consent is “presented in a manner which is clearly distinguishable from the other matters” and further states that it should be in clear and plain language, free of any technical or legal jargon.
In addition to demonstrating consent, companies are required to provide adequate information to data subjects, including the:
- Controller’s identity.
- Purpose of processing operations.
- Types of data to be collected.
- Right to withdraw consent.
Step 3: Establish the process for withdrawal
As per Article 7(3), “The data subject shall have the right to withdraw his or her consent at any time.” Consent, according to the GDPR, must be as easily withdrawn as it is given. Possible methods for withdrawal could include a preference management tool, web application, unsubscribe links or email.
Step 4: Align records
To keep systems in compliance and make consent available wherever it is required, these systems must be aligned. Synchronizing consent across systems enables each system to access data and potentially assist in other ways. If consent is tracked correctly, the consent behind each processing activity can be demonstrated easily and, when consent is withdrawn, revoked.
Differences under the CCPA
Under the CCPA, data subjects have similar rights to access and deletion of their personal data as they do under the GDPR. Additionally, individuals under the CCPA have the right to require that a business that sells personal data to a third party not sell that consumer’s personal information.
The current draft of the CCPA is narrower in certain provisions than the GDPR, including matters of consent. However, the CCPA states, “A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.” Due to the consumer’s rights, companies will still be required to manage and track consent requirements and personal data storage in case of a subject access request.
Why your business needs preference management
According to research by Litmus and Fluent, 67 percent of users unsubscribe after receiving too many or irrelevant emails. Further, Litmus states that “consumer’s inboxes are simply becoming too clustered.” And according to Deloitte, 93 percent of users want the right to delete personal data, and 71 percent have said they’re more open to sharing personal data if they have control. Simply put, businesses must adopt a more user-friendly approach for email communication.
Some companies attempt to solve overstuffed inboxes by providing a service that mass-unsubscribes users from email lists. However, users continue to suffer from waves of thousands of unsolicited emails each year, and this leads to upset users, unwanted spam filters and more downsides for businesses.
The modern, user-friendly solution for business clients is to use preference management. Preference management allows users to control their settings and enables businesses to track where and when consent is obtained and required. In doing so, companies create transparency, an essential component of winning brands.
Multi-system preference management is a method of providing users access to their communication preferences, including marketing, sales and product update emails. Preference management ensures that users are content with the communication received and may include allowing previous customers to unsubscribe from emails, providing opt-in options to product updates, or creating a clear route to subscribing to marketing content/newsletters.
Preference management also enables organized and easily trackable consent. When users use corresponding reference forms or enter a webpage, consent is easily tracked across platforms and applied when necessary.
As companies face the rising demand to manage users’ privacy, from consumers and regulators alike, new tools and practices are emerging to meet these standards. Preference management is one of the many tools to keep users content and keep communication compliant.