Clym Logo

What is Granular Consent and What are Its GDPR Implications?

A primary concern of data privacy laws like Europe’s General Data Protection Regulation (“GDPR”) is that of consent, which has a large impact on whether or not an organization is authorized to collect, process, and store personal information from individuals. In order to be considered adequate per [GDPR]https://clym.io/regulations/gdpr)’s requirements, consent must be a freely given, specific, informed and unambiguous indication that an individual wishes to have their information processed. [GDPR]https://clym.io/regulations/gdpr) defines such consent as 'granular,' and it is important to understand what that means from an operational perspective for your organization to ensure it is properly obtaining consent.

What is Granularity of Consent?

At a basic level, a granularity of consent means that the individual from whom you’re collecting data (the data subject) understands what is being collected and how it is being used. The data subject must have a choice and be in control of what they choose to provide to you, and what they’ll receive in return. For example, if you have an “Accept All Cookies” button on your website that is being shown to European visitors, you’re out of compliance with [GDPR]https://clym.io/regulations/gdpr). Specifically, [GDPR]https://clym.io/regulations/gdpr) guidance indicates that “a service may involve multiple processing operations for more than one purpose. In such cases, the data subjects should be free to choose which purpose they accept, rather than consenting to a bundle of processing purposes. In a given case, several consents may be warranted to start offering a service, pursuant to the GDPR.” So, if you’re using Google Analytics to track activity on your website, Facebook Pixel for retargeting, or HotJar for heatmaps, you need to obtain consent for each of these activities, as they are distinct and different in their purposes.

Pro Tip: the European Data Protection Board has explicitly updated its guidance regarding granularity on this topic, stating that “when data processing is done in pursuit of several purposes, the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose.” If you’re using multiple tracking scripts (and most organizations are), you should provide users with granular consent choices for each category, a link to the Privacy Policy, to ensure the consent is informed, and a description of processing activities.

What does ‘Freely Given’ mean?

In the past (and sadly, too often today), many websites forced their visitors to “Accept All Cookies” in order to access the website; this approach is what’s known as a “cookie wall” and is considered to be non-compliant with GDPR. A cookie wall is a classic example of what isn’t freely given: visitors must be able to refuse consent without detriment and must be able to withdraw consent easily at any time. It also means consent should be unbundled from other terms and conditions (including giving separate granular consent options for different types of processing) wherever possible. That means that, for purposes of GDPR, prior to running any nonessential tracking scripts or cookies on your website, you must obtain consent for that cookie or tracking script. If a visitor prevents you from running those scripts, you must continue to provide access to your website uninhibited.

What does 'Freely Withdrawn' mean?

Though a data subject may provide consent initially, [GDPR]https://clym.io/regulations/gdpr) requires you to allow that data subject to revoke or withdraw their consent at any time, using the same interface through which they originally provided consent. For purposes of your website, that means that if a data subject provided consent for you to run Google Analytics during their sessions, they must be given the opportunity to revoke that consent while on your website, at no cost or detriment to the data subject.

Key Takeaways

If you’re using an “Accept All Cookies” banner on your website without providing visitors with the ability to opt-in or out of specific tracking scripts and cookies, then you’re running afoul of [GDPR]https://clym.io/regulations/gdpr). However, there are other data privacy laws which do not require granular consent, so you should aim to avoid a one-size-fits-all solution for your website; taking a flexible approach can optimize both your compliance and your site’s performance.

How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • ReadyCompliance™: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience. You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.