Valid Consent: Building Trust and Demonstrating Compliance

Data, trust, and compliance impact four major areas of business: governance, marketing, technology, and privacy. While each of these departments is responsible for different aspects of privacy compliance, they all share the same goal: establishing trust-driven relationships between your brand and your customer base while remaining compliant with global regulations.

Centering your advertising and marketing efforts on privacy starts with being transparent about data collection. In addition to this, today’s privacy landscape also requires businesses to be able to prove they’ve obtained valid consent.

Let’s explore how marketers, privacy professionals, and data managers can work together to obtain valid proof of consent, and why it’s critical to activate consent, preferences, and first-party data in a way that honors consumer privacy. 

Why Does Balancing Privacy with Personalization Matter? 

In response to regulations and consumer demand, leading businesses that control and process significant volumes of personal data are rethinking their approach to privacy. 

Privacy is no longer just a series of frameworks to follow — it’s a competitive differentiator. By putting more privacy controls in front of their users, businesses can build more trust across the global consumer market and ascend to the status of a preferred brand. 

Leading privacy strategies are rooted in a shift towards increased transparency and choice for consumers and their personal data. It makes sense — 97% of people are concerned that businesses or government entities could misuse their data.

Today’s many regulations, frameworks, technologies, and guidelines are improving these odds by offering more control and privacy to consumers. These changes restrict tracking capabilities and limit ad targeting and personalization, among other tactics.

What is Consent?

According to Europe’s General Data Protection Regulation, there are six legal bases for processing personal data. As quoted in the regulation itself, these are:

  1. Consent
  2. Performance of a contract
  3. Compliance with a legal obligation
  4. Protection of vital interests of the data subject or another natural person
  5. Performance of a task in the public interest or exercise of official authority
  6. Legitimate interests of the data controller or a third party

Consent is one of the primary legal bases that organizations leverage to collect and process personal data. As per Article 7 of the GDPR, consent can only be an appropriate legal basis for data processing if it is freely given, specific, informed, and an unambiguous indication of the data subject’s wishes. 

  1. Consent must be unbundled. This means if consent is attached to non-negotiable terms and conditions, it’s not considered to be freely given. Last year, the French Data Protection Authority (CNIL) fined Google for bundling cookie consent in this way. 
  2. Using pre-ticked boxes is non-compliant under the GDPR. Active opt-in is a must. 
  3. Consent needs to be granular. For example, a data subject must have the ability to consent to each processing purpose. It’s not appropriate to require users to consent to a bundle of processing purposes.
  4. Consent must be informed. The WP29 lists six elements establishing the minimum requirements for informed consent:
    • Controller’s identity
    • Purpose
    • The data a business collects and uses
    • There’s a right to withdraw consent
    • Information about any automated individual decision-making or profiling
    • If the consent relates to data transfer, details about the safeguards that are in place to protect the data.
  5. Consent must be freely given – and it’s incumbent on data controllers to prove this amid power imbalances with data subjects. This may apply in the context of an employer/employee relationship, where it’s unlikely that a data subject can deny consent without experiencing fear or possible detrimental effects.
  6. Withdrawal of consent must be as easy as giving consent. If users can give consent with one click or simple form, then data subjects must be able to withdraw that same consent in a similarly accessible fashion.

How to Obtain Proof of Consent

Proving valid consent may seem simple. An inventory of personal data identifiers with time-stamped consent flags is a typical practice and works for making informed privacy decisions, such as proceeding with a marketing message to email subscribers. When it comes to proof of consent, however, this approach isn’t sufficient for compliance. 

Valid proof of consent will fulfill the following conditions: 

  • Proof of who consented and when: Name or identifier of the data subject and a time-stamped document or online record.
  • Proof of what information the data subject received prior to consent: A master copy of the document or data capture form, including the associated privacy policy or notice and their version number(s). 
  • Proof of how the data subject consented
    • If consent occurred online: Data submitted and a link to the relevant version of the capture form.
    • If consent occurred offline: A copy of any documentation. 
    • If consent occurred verbally: Notes from the data controller created at the time of the conversation. 

Regulations require you to keep track of what subjects consented to, including numbered versions of privacy policies and consent notices. This becomes exceedingly relevant as your team modifies data purposes, policies, and conditions over time. 

A valid record of consent should include the date of the transaction, collection purpose, purpose version, collection point version, and a unique transaction number. 
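The conditions above can be checked mechanically before a record is relied on as proof. The following is an added example, not code from the original article or from any consent platform; the key names, channel labels, and sample records are assumptions constructed for illustration.

```python
from datetime import datetime

# Fields the article says a valid record of consent should carry.
# Key names are assumptions made for this example.
CORE_FIELDS = ("subject_id", "timestamp", "transaction_id", "purpose",
               "purpose_version", "collection_point_version", "notice_version")

# Evidence of *how* consent was given, per channel listed in the article.
EVIDENCE_BY_CHANNEL = {
    "online": ("submitted_data", "form_url"),
    "offline": ("document_copy",),
    "verbal": ("controller_notes",),
}

def proof_gaps(record):
    """Return the reasons a record falls short as proof of consent."""
    gaps = [f"missing {f}" for f in CORE_FIELDS if not record.get(f)]
    if record.get("timestamp"):
        try:
            datetime.fromisoformat(record["timestamp"])
        except (ValueError, TypeError):
            gaps.append("timestamp is not ISO 8601")
    channel = record.get("channel")
    if channel not in EVIDENCE_BY_CHANNEL:
        gaps.append("unknown or missing channel")
    else:
        gaps += [f"missing {f}" for f in EVIDENCE_BY_CHANNEL[channel]
                 if not record.get(f)]
    return gaps

def audit(records):
    """Map list index -> gaps for each failing record, including reused IDs."""
    report, seen = {}, set()
    for i, rec in enumerate(records):
        gaps = proof_gaps(rec)
        tid = rec.get("transaction_id")
        if tid and tid in seen:
            gaps.append("duplicate transaction_id")
        seen.add(tid)
        if gaps:
            report[i] = gaps
    return report

# Constructed sample data: a bare time-stamped flag versus a full record.
FLAG_ONLY = {"subject_id": "user-1001", "consent": True,
             "timestamp": "2023-03-01T10:15:00+00:00"}
FULL_ONLINE = {"subject_id": "user-1001", "channel": "online",
               "timestamp": "2023-03-01T10:15:00+00:00",
               "transaction_id": "txn-0001", "purpose": "email-marketing",
               "purpose_version": "2", "collection_point_version": "5",
               "notice_version": "privacy-policy-v7",
               "submitted_data": {"newsletter_opt_in": True},
               "form_url": "https://example.com/forms/newsletter?v=5"}
```

Running `audit([FULL_ONLINE, FLAG_ONLY])` reports only the flag-only record, which is the "identifier plus time-stamped flag" inventory the section describes as insufficient on its own.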

Simplify the Process of Valid Consent with a Consent Management Platform

Obtaining personal data in a compliant way is complex for data controllers. The customer journey is highly dispersed due to the many access points to provide consent for unique purposes and conditions. 

Despite this complex ecosystem, this is where businesses have an opportunity to cultivate customer relationships and trust while practicing compliance. 

Implementing a consent and preference management program allows you to manage all access points that obtain valid consent while simplifying the customer journey and fulfilling core business needs.

With this approach, you can improve trust at every touchpoint by making it seamless for users to customize personal data preferences. Then, by activating and accessing data downstream, you can foster trusted relationships across marketing, sales, and business activities where users have consented. 

This allows you to provide users with the value they consented to in exchange for their data. An example would be showing personalized omnichannel experiences based on customer preferences. 

Ultimately, obtaining valid consent should rely on customizable web forms that build clean databases for businesses, reduce martech redundancies, and streamline the overall process of collecting valid consent and proof from start to finish.

Expected results of a strategic consent and preference management program include:

  • Drastically reduced regulatory risk
  • Stronger customer relationships
  • A larger addressable marketing database
  • Richer first-party datasets
  • Teams that are empowered to succeed

Establishing and proving customer consent for data collection in an omnichannel business environment is a tough task. But businesses that acquire the tools required to do just that will increase customer confidence and stay ahead of global regulations. That’s a win for both businesses and their customers.

Alex Cash is the Offering Lead for OneTrust Consent and Preference Management. In his role, Cash oversees the global OneTrust PreferenceChoice team and works with emerging and enterprise companies on best practices to drive engaging user experiences and build trust while demonstrating compliance across hundreds of global data privacy regulations, including the CCPA, TCPA, CASL and GDPR.
