What is Granular Consent and What are Its GDPR Implications?
A primary concern of data privacy laws like Europe’s General Data Protection Regulation (“GDPR”) is consent, which has a large impact on whether or not an organization is authorized to collect, process and store personal information from individuals. To be considered adequate under GDPR’s requirements, consent must be a freely given, specific, informed and unambiguous indication that an individual wishes to have their information processed. GDPR defines such consent as “granular”, and it’s important to understand what that means operationally so that your organization obtains consent properly.
What is Granularity of Consent?
At a basic level, granularity of consent means that the individual from whom you’re collecting data (the “data subject”) understands what is being collected and how it is being used. The data subject must have a choice and be in control of what they choose to provide to you, and what they’ll receive in return. For example, if you have an “Accept All Cookies” button on your website that is being shown to European visitors, you’re out of compliance with GDPR. Specifically, GDPR guidance indicates that “A service may involve multiple processing operations for more than one purpose. In such cases, the data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes. In a given case, several consents may be warranted to start offering a service, pursuant to the GDPR.” So, if you’re using Google Analytics to track activity on your website, Facebook Pixel for retargeting, or HotJar for heatmaps, you need to obtain consent for each of these activities, as they are distinct and different in their purposes.
Pro Tip: the European Data Protection Board has explicitly updated its guidance on granularity, stating that “when data processing is done in pursuit of several purposes, the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose.” If you’re using multiple tracking scripts (and most organizations are), make sure that you’re giving data subjects the opportunity to opt in or out of each one separately.
What is ‘Freely Given’?
In the past (and sadly, too often today), many websites forced their visitors to “Accept All Cookies” in order to access the website; this approach is known as a “cookie wall” and is considered noncompliant with GDPR. A cookie wall is a classic example of consent that isn’t freely given: visitors must be able to refuse consent without detriment, and must be able to withdraw consent easily at any time. Freely given also means consent should be unbundled from other terms and conditions (including giving separate granular consent options for different types of processing) wherever possible. For purposes of GDPR, this means that before running any nonessential tracking script or cookie on your website, you must obtain consent for that cookie or tracking script. If a visitor prevents you from running those scripts, you must continue to provide uninhibited access to your website.
What is Freely Withdrawn?
Though a data subject may provide consent initially, GDPR requires you to allow that data subject to revoke or withdraw their consent at any time, using the same interface through which they originally provided consent. For purposes of your website, that means that if a data subject provided consent for you to run Google Analytics during their sessions, they must be given the opportunity to revoke that consent while on your website, at no cost or detriment to the data subject.
If you’re using an “Accept All Cookies” banner on your website without giving visitors the ability to opt in or out of specific tracking scripts and cookies, then you’re running afoul of GDPR. However, there are other data privacy laws that do not require granular consent, so you should avoid a one-size-fits-all solution for your website; taking a flexible approach can optimize both your compliance and your site’s performance.
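As an added illustration (not Clym's code and not part of the original article), the JavaScript below shows a consent gate for a site running separate analytics, retargeting and heatmap scripts: nothing nonessential starts before an opt-in, each purpose is decided on its own, and the same call that grants consent also withdraws it. The purpose ids and the load/unload hooks are assumptions standing in for real vendor script loaders.

```javascript
// Added example; purpose ids and load/unload hooks are hypothetical stand-ins for vendor scripts.
class ConsentGate {
  constructor(purposes) {
    this.purposes = new Map(Object.entries(purposes));
    this.choices = new Map(); // purpose id -> true/false; absent = never asked
    this.running = new Set();
  }
  // Essential or explicitly granted. No recorded choice means "no".
  allowed(id) {
    const p = this.purposes.get(id);
    return Boolean(p) && (p.essential === true || this.choices.get(id) === true);
  }
  // Page load: the site itself always renders; only permitted purposes start.
  start() {
    for (const id of this.purposes.keys()) this._apply(id);
    return [...this.running];
  }
  // One decision per purpose. Granting and withdrawing share this call,
  // so withdrawing is as easy as opting in.
  set(id, granted) {
    const p = this.purposes.get(id);
    if (!p) throw new Error(`unknown purpose: ${id}`);
    if (!p.essential) this.choices.set(id, granted === true);
    return this._apply(id);
  }
  _apply(id) {
    const ok = this.allowed(id);
    const p = this.purposes.get(id);
    if (ok && !this.running.has(id)) { p.load(); this.running.add(id); }
    if (!ok && this.running.has(id)) { p.unload(); this.running.delete(id); }
    return ok;
  }
}
// Constructed sample: one essential cookie plus three separate purposes.
function demo() {
  const log = [];
  const hook = (n) => ({ load: () => log.push(`load ${n}`), unload: () => log.push(`unload ${n}`) });
  const gate = new ConsentGate({
    session: { essential: true, ...hook("session") },
    analytics: hook("analytics"),
    retargeting: hook("retargeting"),
    heatmaps: hook("heatmaps"),
  });
  const onLoad = gate.start();            // before the visitor has chosen anything
  gate.set("analytics", true);            // opts in to one purpose only
  const afterGrant = [...gate.running];
  gate.set("analytics", false);           // later withdraws that consent
  return { onLoad, afterGrant, afterWithdraw: [...gate.running], log };
}
```

Because an absent choice is treated as a refusal, a visitor who dismisses the banner still gets the page and only the essential purpose runs.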
How Can Clym Help?
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws, including those in the UK, as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt-out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.