What GDPR Means for Consent
Thus far in our Insights series on GDPR, we’ve outlined the basic history and goals of the regulation as well as explained what the new law means for businesses that work with third-party vendors. In this third and final article of the series, we’ll address critical guidance related to how companies obtain consent from individuals as well as how consent applies to a business’s website cookies.
Consent Under GDPR
Consent is an incredibly important component of the new GDPR law. Extending beyond the confines of its predecessor, the EU Privacy Directive, GDPR requires that businesses acquire consent that is “freely given, specific, informed and unambiguous”. In other words, while previous data protection regulations permitted companies to implement “opt-out” procedures for data collection, under GDPR, businesses need to convert to an “opt-in” method, which requires that individuals provide “a statement or a clear affirmative action” indicating their consent to sharing their personal data.
Businesses must also provide individuals with the ability to withdraw consent at any time. Even after previously providing consent, there must be a mechanism in place to allow individuals to alter their choice and remove their data from a company’s records or databases. The means for opting out or unsubscribing should be well-defined for users; that includes ensuring any and all marketing emails contain an “unsubscribe” link.
For certain personal criteria, GDPR requires “explicit” consent. These criteria include race or ethnicity, political affiliations or opinions, religion, sexual orientation, genetic and biometric data and trade-union membership.
Consent and Website Cookies
Adding another layer of depth to GDPR’s consent standards are the compliance obligations related to website cookies. Essentially, GDPR stipulates that if a cookie can identify an individual – which is most often the case since cookies generally track a user’s IP address – then it is considered personal data and must be protected under GDPR.
Quick Consent Tips
To be clear, regarding consent, businesses should be sure to:
- Transition from an “opt-out” to “opt-in” method;
- Update Privacy Policies to reflect GDPR requirements, including outlining how individuals’ personal data is processed and/or maintained; and
- Ensure users who visit your website have the ability to withdraw consent at any time.
For more information on meeting GDPR obligations, please connect with us.