General Data Protection Regulation (GDPR), the ICO in the UK has published an at-a-glance checklist for items to consider on the opt-in form and signup process. The checklist includes the following items:
Asking for consent:
- We have checked that consent is the most appropriate lawful basis for processing.
- We have made the request for consent prominent and separate from our terms and conditions.
- We ask people to positively opt in.
- We don’t use pre-ticked boxes or any other type of default consent.
- We use clear, plain language that is easy to understand.
- We specify why we want the data and what we’re going to do with it.
- We give individual (‘granular’) options to consent separately to different purposes and types of processing.
- We name our organisation and any third party controllers who will be relying on the consent.
- We tell individuals they can withdraw their consent.
- We ensure that individuals can refuse to consent without detriment.
- We avoid making consent a precondition of a service.
- If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.
This is looking forward from the what to the how.
- We keep a record of when and how we got consent from the individual.
- We keep a record of exactly what they were told at the time.
- We regularly review consents to check that the relationship, the processing and the purposes have not changed.
- We have processes in place to refresh consent at appropriate intervals, including any parental consents.
- We consider using privacy dashboards or other preference management tools as a matter of good practice.
- We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
- We act on withdrawals of consent as soon as we can.
- We don’t penalise individuals who wish to withdraw consent.
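The record-keeping items above (when and how consent was obtained, exactly what the person was told, acting on withdrawals, refreshing stale consent) map neatly onto an append-only consent ledger. The Python below is an added example written for this post, not the ICO's or any product's code; the data model, the one-year refresh interval, the purpose names and the people in the sample data are all assumptions.

```python
"""Consent ledger sketch: added example code, not from the ICO checklist.

Assumed design: an append-only list of events records, per person and per
granular purpose, when and how consent was given or withdrawn, plus a SHA-256
of the exact notice text shown. Withdrawals are new events, never deletions.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str            # one granular purpose, e.g. "newsletter"
    granted: bool           # True = positive opt-in, False = withdrawal
    recorded_at: datetime   # when we got (or lost) consent
    method: str             # how, e.g. "signup-form-v3" or "preference-dashboard"
    notice_sha256: str      # fingerprint of exactly what the person was told
    notice_text: str        # the notice itself, kept verbatim for later review


def notice_hash(text: str) -> str:
    """Fingerprint of the consent wording so later edits can't blur the record."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class ConsentLedger:
    def __init__(self, refresh_after: timedelta = timedelta(days=365)) -> None:
        self._events: List[ConsentEvent] = []
        self.refresh_after = refresh_after  # assumed interval for re-asking

    def record_opt_in(self, subject_id: str, offered: List[str], ticked: List[str],
                      method: str, notice_text: str, at: datetime) -> List[str]:
        """Record consent only for purposes the person actively ticked; an
        unticked purpose gets no event, so there is no default consent."""
        unknown = set(ticked) - set(offered)
        if unknown:
            raise ValueError(f"consent claimed for purposes never offered: {sorted(unknown)}")
        if not notice_text.strip():
            raise ValueError("cannot record consent without the text shown")
        digest = notice_hash(notice_text)
        for purpose in sorted(set(ticked)):
            self._events.append(ConsentEvent(subject_id, purpose, True, at,
                                             method, digest, notice_text))
        return sorted(set(ticked))

    def withdraw(self, subject_id: str, purpose: str, method: str, at: datetime) -> None:
        """Withdrawal is appended, not edited in, so the history stays intact."""
        self._events.append(ConsentEvent(subject_id, purpose, False, at, method, "", ""))

    def _latest(self, subject_id: str, purpose: str,
                at: Optional[datetime] = None) -> Optional[ConsentEvent]:
        matching = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose
                    and (at is None or e.recorded_at <= at)]
        return max(matching, key=lambda e: e.recorded_at, default=None)

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """Is processing for this purpose allowed now (or as of `at`)?"""
        latest = self._latest(subject_id, purpose, at)
        return latest is not None and latest.granted

    def what_were_they_told(self, subject_id: str, purpose: str) -> Optional[str]:
        """Exact notice text behind the most recent opt-in, for audit."""
        grants = [e for e in self._events
                  if e.subject_id == subject_id and e.purpose == purpose and e.granted]
        return max(grants, key=lambda e: e.recorded_at).notice_text if grants else None

    def due_for_refresh(self, now: datetime) -> List[Tuple[str, str]]:
        """(subject, purpose) pairs whose live consent is older than refresh_after."""
        pairs = {(e.subject_id, e.purpose) for e in self._events}
        due = []
        for subject_id, purpose in sorted(pairs):
            latest = self._latest(subject_id, purpose, now)
            if latest and latest.granted and now - latest.recorded_at > self.refresh_after:
                due.append((subject_id, purpose))
        return due


# Constructed sample data: hypothetical people and wording, not from the ICO page.
NOTICE_V3 = ("We (Example Ltd) will email you our monthly newsletter. "
             "You can withdraw at any time via your account settings.")
T0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)


def demo() -> Dict[str, object]:
    ledger = ConsentLedger(refresh_after=timedelta(days=365))
    # alice ticks only the newsletter box; profiling stays unticked -> no consent.
    ledger.record_opt_in("alice", ["newsletter", "profiling"], ["newsletter"],
                         "signup-form-v3", NOTICE_V3, T0)
    ledger.record_opt_in("bob", ["newsletter"], ["newsletter"], "signup-form-v3", NOTICE_V3, T0)
    # alice withdraws ten days later from the preference dashboard.
    ledger.withdraw("alice", "newsletter", "preference-dashboard", T0 + timedelta(days=10))
    return {
        "alice_newsletter_now": ledger.has_consent("alice", "newsletter"),
        "alice_newsletter_day_5": ledger.has_consent("alice", "newsletter", T0 + timedelta(days=5)),
        "alice_profiling": ledger.has_consent("alice", "profiling"),
        "alice_told": ledger.what_were_they_told("alice", "newsletter"),
        "bob_due": ledger.due_for_refresh(T0 + timedelta(days=400)),
    }
```

Two design points worth noting: the ledger never stores a "not consented" default, so the absence of an event is the only way to express an unticked box, and withdrawals are appended rather than overwriting the grant, so the as-of query (`has_consent(..., at=...)`) can still show what was permitted on any past date during a review.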
References
- GDPR consent guidance — https://ico.org.uk/about-the-ico/consultations/gdpr-consent-guidance/
What that doesn't give you is practical examples of how to lay out your consent forms. We'll look at that in following posts. RC