The definition of consent under the GDPR is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The definition of consent in Article 4(11) of the GDPR is similar to the definition in the old Data Protection Directive, but adds detail on how consent should be given:
Data Protection Directive: “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
GDPR, Article 4(11): “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
The key elements of the definition are unchanged from the Data Protection Directive; however, the GDPR adds a further layer by requiring that the indication be “unambiguous” and that consent be given “by a statement or by a clear affirmative action”. This means that businesses will no longer be able to rely on an opt-out box for consent, because the data subject must confirm their consent by a clear affirmative action.
The GDPR has, in general, set a higher standard for consent for your loyalty programme. Consent to data processing offers individuals a genuine choice and control over how their data is used by organisations. Consent under the GDPR now requires an active opt-in by the individual rather than the previous passive consent by default or failure to opt out.
So what specifically do we need to know about consent under the GDPR and its implications for your loyalty programme?
Keep consent requests separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
Here is a great example of how “unbundled” consent works in practice.
Pre-ticked opt-in boxes are invalid.
You are also likely to need consent under ePrivacy laws for most marketing calls or messages, for website cookies or other online tracking methods, and to install apps or other software on people’s devices.
Give granular options to consent separately to different types of processing wherever appropriate.
Here is an example from Woolworths in Australia. A non-EU company operating in the EU must still comply with the GDPR.
Here Woolworths provides three different checkboxes – SMS, email and post (samples). This means users can get comms where they want them, rather than an all-or-nothing approach.
Here is another great example from the Marketing Institute of Ireland:
Here’s a clear example from Waitrose, part of the John Lewis Partnership, when registering for an account. The user can consent to receiving updates from Waitrose, John Lewis or John Lewis Financial Services. Each organisation gets its own checkbox.
However, it’s still technically an opt-out, as the user has to click the buttons if they don’t want to receive further comms. A bit sneaky. This is not compliant with the GDPR.
Keep records to demonstrate what the individual has consented to, including what they were told and when and how they consented. Getting the correct consents for your loyalty programme is essential when communicating with members.
Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
This sort of functionality is pretty standard in many sectors (e.g. in the media and e-commerce) but is still something that isn’t offered by everyone.
The Guardian shows how those that have registered for an account can withdraw permission for marketing in their account settings, as well as withdraw permission for profiling that may impact things such as the adverts a user sees.
The page also states: “Deleting your account removes personal information from our database. Your email address becomes permanently reserved and the same email address cannot be re-used to register a new account.”
No imbalance in the relationship:
Consent will not be freely given if there is an imbalance in the relationship between the individual and the controller. This makes consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.
For consent for loyalty programmes to be valid under the GDPR, all the characteristics referred to above must be satisfied. If they are not, then you do not have consent.
The issue with both mechanisms described above (a pre-ticked opt-in box and an un-ticked opt-out box) is that the individual is not making a ‘clear affirmative action by which they signify consent to the processing of personal data.’ They are not doing anything to give consent in those circumstances. In fact, it is quite the opposite: consent is assumed to be given unless the individual does something to say no.
Furthermore, in those circumstances how can it ever be unambiguous? You cannot know an individual has consented because they did not do something, you can only assume they have. Assumed consent is, by its very nature, ambiguous and so should not be relied upon.
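The points above translate directly into what a loyalty programme’s consent back end has to enforce: a consent signal only counts when the individual changed a control from its default (so a pre-ticked opt-in box or an untouched opt-out box is rejected, as argued in the last two paragraphs), each control maps to exactly one purpose (granular consent), and every grant and withdrawal is recorded with what the person was told, when, and how (the record-keeping and withdrawal requirements earlier on the page). The following Python is an added illustration written for this page, not code from any of the companies named in it; the class and function names, the purpose labels and the sample form states are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


class ConsentError(ValueError):
    """Raised when a consent control is designed in a way the GDPR standard rejects."""


@dataclass(frozen=True)
class CheckboxState:
    """One consent control as shown to the individual and as left at submission.
    (Constructed model for this example.)"""
    default_checked: bool               # state of the box before any interaction
    final_checked: bool                 # state of the box when the form was submitted
    checked_means_consent: bool = True  # False models an "opt-out" style box


def affirmative_consent(box: CheckboxState) -> bool:
    """True only when the final state signals consent AND the individual changed the
    control from its default, i.e. a clear affirmative action was taken.
    A pre-ticked opt-in box left alone and an opt-out box left alone both return
    False: in both cases consent would merely be assumed."""
    signals_consent = box.final_checked == box.checked_means_consent
    individual_acted = box.final_checked != box.default_checked
    return signals_consent and individual_acted


@dataclass(frozen=True)
class ConsentEvent:
    """One line of evidence: what was consented to, what was said, when and how."""
    subject_id: str
    purpose: str          # exactly one purpose per event, e.g. "marketing_email"
    granted: bool         # False records a withdrawal
    at: datetime
    notice_text: str      # the exact wording shown to the individual at the time
    mechanism: str        # where it happened, e.g. "signup_form", "account_settings"


class ConsentLedger:
    """Append-only record of consent so the controller can demonstrate it later."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_from_checkbox(self, subject_id: str, purposes: List[str],
                             box: CheckboxState, notice_text: str, mechanism: str,
                             at: Optional[datetime] = None) -> Optional[ConsentEvent]:
        # Granular consent: a single control must not cover several purposes.
        if len(purposes) != 1:
            raise ConsentError("one control must map to exactly one purpose")
        # Pre-ticked opt-in boxes are invalid by design, whatever the user did.
        if box.default_checked and box.checked_means_consent:
            raise ConsentError("pre-ticked opt-in boxes are invalid")
        # Without a clear affirmative action there is nothing to rely on; record nothing.
        if not affirmative_consent(box):
            return None
        event = ConsentEvent(subject_id, purposes[0], True,
                             at or datetime.now(timezone.utc), notice_text, mechanism)
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, mechanism: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is always accepted; it must be as easy as giving consent.
        event = ConsentEvent(subject_id, purpose, False,
                             at or datetime.now(timezone.utc),
                             "withdrawal requested by the individual", mechanism)
        self._events.append(event)
        return event

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """The most recent event for this subject and purpose decides."""
        latest = None
        for event in self._events:
            if event.subject_id == subject_id and event.purpose == purpose:
                latest = event
        return latest is not None and latest.granted

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Full audit trail for one subject and purpose, oldest first."""
        return [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose]


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed sample: an un-ticked box the member actively ticked at sign-up.
    ledger.record_from_checkbox("member-42", ["marketing_email"],
                                CheckboxState(default_checked=False, final_checked=True),
                                "Tick to receive offers by email", "signup_form")
    print(ledger.has_consent("member-42", "marketing_email"))   # True
    ledger.withdraw("member-42", "marketing_email", "account_settings")
    print(ledger.has_consent("member-42", "marketing_email"))   # False
```

The ledger deliberately stores nothing when `affirmative_consent` is false rather than storing a “consent = no” row: an absence of evidence is the honest state, and any later marketing run that checks `has_consent` will correctly find no lawful basis. Keeping `notice_text` alongside each grant is what lets you show, months later, exactly what the member was told when they ticked the box.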