What is Granular Consent and What are Its GDPR Implications?
A primary concern of data privacy laws like Europe’s General Data Protection Regulation (“GDPR”) is consent, which largely determines whether or not an organization is authorized to collect, process, and store personal information from individuals. To be considered adequate under GDPR’s requirements, consent must be a freely given, specific, informed and unambiguous indication that an individual wishes to have their information processed. GDPR defines such consent as “granular,” and it is important to understand what that means from an operational perspective for your organization to ensure it is properly obtaining consent.
What is Granularity of Consent?
At a basic level, granularity of consent means that the individual from whom you’re collecting data (the data subject) understands what is being collected and how it is being used. The data subject must have a choice and be in control of what they choose to provide to you, and what they’ll receive in return. For example, if you have only an “Accept All Cookies” button on your website that is being shown to European visitors, you’re out of compliance with GDPR. Specifically, GDPR guidance indicates that “a service may involve multiple processing operations for more than one purpose. In such cases, the data subjects should be free to choose which purpose they accept, rather than consenting to a bundle of processing purposes. In a given case, several consents may be warranted to start offering a service, pursuant to the GDPR.” So, if you’re using Google Analytics to track activity on your website, Facebook Pixel for retargeting, or HotJar for heatmaps, you need to obtain consent for each of these activities, as they are distinct and different in their purposes.
What does ‘Freely Given’ mean?
In the past (and sadly, too often today), many websites forced their visitors to “Accept All Cookies” in order to access the website; this approach is what’s known as a “cookie wall” and is considered to be non-compliant with GDPR. A cookie wall is a classic example of what isn’t freely given: visitors must be able to refuse consent without detriment and must be able to withdraw consent easily at any time. It also means consent should be unbundled from other terms and conditions (including giving separate granular consent options for different types of processing) wherever possible. That means that, for purposes of GDPR, prior to running any nonessential tracking scripts or cookies on your website, you must obtain consent for that cookie or tracking script. If a visitor prevents you from running those scripts, you must continue to provide access to your website uninhibited.
What does 'Freely Withdrawn' mean?
Though a data subject may provide consent initially, GDPR requires you to allow that data subject to revoke or withdraw their consent at any time, using the same interface through which they originally provided consent. For purposes of your website, that means that if a data subject provided consent for you to run Google Analytics during their sessions, they must be given the opportunity to revoke that consent while on your website, at no cost or detriment to the data subject.
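As an added illustration (not code from the original post or from Clym), here is a small browser-side consent gate in JavaScript that runs each tracking script only after the visitor opts in to that specific purpose, and unloads it when consent is withdrawn through the same interface. The purpose names, script URLs and cookie names are placeholders, and the storage and script loader are in-memory stand-ins so the logic runs without a browser.

```javascript
// Constructed example: per-purpose, opt-in consent gating with withdrawal.
// Placeholder vendors/URLs/cookie names; swap in your real ones.
const PURPOSES = {
  analytics:   { src: "https://example.invalid/analytics.js",   cookies: ["analytics_id"] },
  retargeting: { src: "https://example.invalid/retargeting.js", cookies: ["retarget_id"] },
  heatmaps:    { src: "https://example.invalid/heatmaps.js",    cookies: ["heatmap_id"] },
};

class ConsentManager {
  // storage: { get(), set(obj) }  loader: { load(src), unload(src, cookies) }
  constructor(storage, loader) {
    this.storage = storage;
    this.loader = loader;
    this.loaded = new Set();
    // Opt-in by default: a purpose is active only if it was explicitly granted.
    const saved = storage.get() || {};
    this.state = {};
    for (const p of Object.keys(PURPOSES)) this.state[p] = saved[p] === true;
  }
  // On page load, run only what the visitor previously consented to.
  applyStored() {
    for (const [p, on] of Object.entries(this.state)) if (on) this.run(p);
  }
  grant(purpose) {            // visitor ticked exactly this purpose
    this.check(purpose);
    this.state[purpose] = true;
    this.storage.set(this.state);
    this.run(purpose);
  }
  withdraw(purpose) {         // same control, later: stop the script and clear its cookies
    this.check(purpose);
    this.state[purpose] = false;
    this.storage.set(this.state);
    if (this.loaded.has(purpose)) {
      const { src, cookies } = PURPOSES[purpose];
      this.loader.unload(src, cookies);
      this.loaded.delete(purpose);
    }
  }
  check(p) { if (!(p in PURPOSES)) throw new Error(`unknown purpose: ${p}`); }
  run(p) {                    // idempotent: never load the same script twice
    if (this.loaded.has(p)) return;
    this.loader.load(PURPOSES[p].src);
    this.loaded.add(p);
  }
}

// In-memory stand-ins for a cookie/localStorage store and a <script> injector.
function memoryStorage() { let v = null; return { get: () => v, set: (o) => { v = { ...o }; } }; }
function recordingLoader() {
  const log = [];
  return { log, load: (src) => log.push(`load ${src}`),
           unload: (src, cookies) => log.push(`unload ${src}; clear ${cookies.join(",")}`) };
}
```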
If you’re using an “Accept All Cookies” banner on your website without providing visitors with the ability to opt-in or out of specific tracking scripts and cookies, then you’re running afoul of GDPR. However, there are other data privacy laws which do not require granular consent, so you should aim to avoid a one-size-fits-all solution for your website; taking a flexible approach can optimize both your compliance and your site’s performance.
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.