When does “yes” mean “yes”? That’s a serious question, as organizations around the world struggle to understand the impact of the European Union’s new General Data Protection Regulation (GDPR).
The Information Commissioner’s Office (ICO) in the United Kingdom put out a request for comment last month on draft guidance for customer consent requirements under GDPR, which takes effect in May 2018. Gigya accepted the challenge and filed a response. Here is how ICO defines the issue:
“The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how you use their data. When consent is used properly, it helps you build trust and enhance your reputation . . .
“The biggest change is what this means in practice for consent mechanisms. You will need clear and more granular opt-in methods, good records of consent, and simple easy-to-access ways for people to withdraw consent. The changes reflect a more dynamic idea of consent: consent as an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away.”
That’s a clear statement, but — as with any government rule — the devil is in the details.
ICO asked if their draft guidance contained enough of those devilish details. We replied that most of the guidance was sufficient, then added:
“There are, however, several areas that we believe call for more guidance, mainly in what will be an accepted user interface. Different user interface requirements can have significant impact on business performance of registration pages and beyond:
“1. Keeping consent requests separate from other terms and conditions. Does this require separate check-boxes for the general Terms of Service and for Consent? Can consent to specific data uses not be contained (in plain language) within the Terms and Conditions or Terms of Service on a site?
“2. Named consent. The guidance requires naming third parties used by the organization. Large enterprises are often using tens of services to fulfill their business needs, from analytics services to customer identity and access management (CIAM) solutions such as Gigya’s. Will it be sufficient to present these in a consent statement linked from the registration page?
“3. Alternatives to Consent – legitimate interest. It seems it will be helpful to further detail how private-sector organizations can determine if they can process personally identifiable information (PII) based on ‘legitimate interest’ rather than on consent, as it will be favorable to our clients in some cases.”
ICO concluded its survey by asking for any further comments or suggestion. Gigya said:
“Another area where the market is looking for guidance on is ‘consent granularity.’ For our typical enterprise brand/media/ecommerce clients, the question remains what level of granularity will be acceptable. For example, will online registration pages need to include 3-4 check-boxes representing permission to use PII for services such as product recommendations, email marketing, loyalty programs, etc.? We would be happy to see examples of a sufficient level of granularity for our type of clients, considering registration pages must not be “disruptive or confusing.’’
Now we’ll wait to see how ICO – as well as other enforcement agencies throughout the EU – turn the “general” concepts of the General Data Protection Regulation into black-and-white rules that organizations can follow to achieve GDPR compliance.
By Eyal Magen