Individuals may provide consent to a company on how it can use or process their personal information
In the context of data privacy, consent is the clear and explicit permission a company obtains to process or use an individual’s personal information. When an individual provides consent, they should clearly understand why and how a company will use their personal information. Consent must be explicit: the company provides clear and unambiguous consent agreements and clear ways for individuals to withdraw consent.
The GDPR defines consent as follows: “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
What are the Key Considerations for Consent?
- Organizations need to clearly ask for consent and define what an individual’s consent allows. Organizations should not use pre-checked boxes and should provide consent options for all uses of the individual’s information. In addition, they need to provide simple options for individuals to withdraw their consent.
- Organizations need to specifically record how and when consent was gained and what information was presented to the individual.
- Organizations need to actively manage consents and process consent updates as rapidly as possible. They should not reduce service for individuals who have reduced or withdrawn consent.
What are some examples of how consent is obtained and withdrawn?
- Very conspicuous opt-out links in emails.
- Obvious notices on web pages to accept cookies.
- Selection boxes that must be checked on registration forms to allow further communications.