Under the GDPR, there are six lawful bases for processing personal data. Having consent from your users is one of them, and it could be the one you need the most.

But it’s difficult to understand, and one mistake could put your company’s financials and reputation at risk.

With fresh regulatory guidance and rising consumer expectations, more companies are making the shift to compliant collection of data. In this post, I’ll unpack the definition of consent and highlight the areas I believe to be most commonly misunderstood.

Disclaimer: I’m not a lawyer, and this advice should not be taken as professional advice.

What is consent?

In some situations, the processing of data is necessary for the performance of a contract. For example, processing the address of a customer so that goods purchased online can be delivered, or processing credit card details in order to facilitate the payment. In these situations, consent is not required.

However, “necessary” needs to be interpreted very strictly — marketing emails, Google Analytics, chat widgets, or shopping recommendations most likely do not count. In these cases, you’ll need consent, which is defined in the GDPR as:

“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

But what exactly does this mean? Let’s break it down.

Freely given

The first thing you shouldn’t do is block access to your website, application or specific features until consent is given.

The most obvious mistake is the use of cookie walls. But it also applies to other parts of your website or app. For example, you should ask yourself whether data like “first name” and “last name” are absolutely essential to the functioning of your product. If they’re not, then don’t make them required.

This also doesn’t mean you can use deception, intimidation or coercion to encourage or influence a user’s consent. For example, putting a star next to the “First Name” field so users think it’s mandatory, but then still allowing them to sign up without completing it, does not produce valid consent.

And even if you do both of these correctly — giving users a fair and genuine choice — you can’t then make the user experience or functionality of your website/app worse because of that choice.

Specific

If you collect/process data for multiple purposes, you need consent for each of those purposes. You can’t bundle the purposes into one consent, like this:

It is better to ask for consent for each purpose separately. For example, Whereby collects my email address when I create an account, but afterwards they give me a choice over the different purposes my email address could be used for.

If you introduce a…
