Worldwide there is a growing trend towards consent management and protecting the data and privacy of users when they interact with organizations through digital channels. The GDPR, for example, is a European Union regulation that will safeguard the data and privacy of its citizens. Some of the most challenging requirements of this new wave of regulation centre on the need to collect consent from end users before obtaining and making use of their personal data. Of course, consent is already a requirement today under many regulations, but it is important to understand that the trend towards requiring affirmative, and in some cases explicit, consent will have a dramatic impact on many organizations. The GDPR is just one example of the changing trends in regulation; other examples include Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the EU’s Payment Services Directive (PSD2).
Consent Management Lessons from GDPR
Although the GDPR is focused on the EU, we believe similar regulation will eventually be considered in other parts of the world. In today’s landscape, many organizations rely on implied consent (or even opt-out consent) when they collect the personal data of their users – we are all very familiar with the pre-checked tick boxes on the sign-up forms of many websites. This practice of collecting implicit consent will no longer be allowed under the GDPR, which requires that the user signal agreement by “a statement or a clear affirmative action.”
It isn’t obvious at first glance how much of an impact these changes will have on organizations. Another possible impact revolves around grandfathering rules for previously collected consent. If your current data store holds personal data that was gathered using some form of implied consent, the user will have to “reconsent” to that data; the GDPR will not allow grandfathering of your existing non-compliant data. You will have to update your records, and of course in a fashion that meets the requirements of the GDPR.
The GDPR also requires that users be able to perform consent management activities at any time. For example, a user who has consented to share their address in order to access a service must be able to withdraw that permission at any point in the future. That change then needs to be reflected in the entire technology stack of the organization and throughout all databases. If one system has removed the address but another still sends out a personalized notice using it, you are in violation of the GDPR.
Lastly, the GDPR limits data collection to “specified, explicit and legitimate purposes,” and the data “must not be further processed in a manner that is incompatible with those purposes.” You will not be allowed, for example, to collect full user profile data when people sign up to your website by having your sign-up form ask for unnecessary details (e.g. name, address, gender, age, phone, etc.). Collecting personal data proactively in case you may need it to offer the user a service in the future is no longer allowed. You can only collect data needed for a specific purpose, such as onboarding to a specific online service or enabling a specific transaction. Collecting a user’s cell phone number in order to send text messages to their phone is an example of a legitimate purpose; requesting the phone number just to let them download a document is not.
Many organizations are struggling to understand how they can comply with upcoming regulation without negatively impacting the user experience on their digital sites or ending up with CRM databases that are no longer usable after May 25, 2018. We believe these regulatory trends are growing and will soon impact organizations outside of the EU in a profound way. We believe the time for organizations to start moving towards solutions that incorporate the lessons learned from GDPR is now!
How CitizenOne enables consent management
We provide a solution to organizations through the CitizenOne Consent Management service, which is part of the CitizenOne Service Delivery Platform.
We specifically designed CitizenOne to give organizations the technology to obtain informed consent from their users in ways that allow compliance with sophisticated regulations. It does this by providing fine-grained consent capabilities that are invoked “per purpose”, which makes it easy for users to understand what data they are providing, and for what purposes, when they give explicit consent.
Our solution is configured to require consent whenever the context requires it – say, if a user has signed up to download a government form and has provided only their email address, but later signs up for a text message reminder service, a new consent would be displayed to obtain the phone number. This progressive consent collection can be done on any digital property, from websites to mobile applications. The service can also be used to ask existing users to easily reconfirm their consent, which allows you to “update” user data in an ongoing way and move this data into compliance.
End users may manage their consent declarations at any time and make any changes they like; this is similar to setting or revoking access permissions for third-party applications on mobile devices or social media sites.
CitizenOne allows for the “marshaling” of data and consent preferences that ensure your technology stack and other internal systems are always updated with the current consent preferences of a user.
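The per-purpose, progressive consent model described above, sketched as an added Python example (this is not CitizenOne’s code; the purpose catalogue, field names and audit shape are constructed assumptions). It shows consent bound to a purpose rather than to a field, data minimisation at collection time, and a withdrawal that every downstream use re-checks instead of caching.

```python
from dataclasses import dataclass, field

# Constructed purpose catalogue: the data each purpose legitimately needs (data minimisation).
PURPOSES = {
    "download_form": {"email"},
    "sms_reminders": {"email", "phone"},
}

@dataclass
class ConsentLedger:
    """One user's per-purpose consent state plus the data they have supplied.

    Consent is recorded per purpose, never per field alone, so data collected for
    one purpose cannot silently be reused for another (purpose limitation).
    """
    data: dict = field(default_factory=dict)      # field name -> value the user supplied
    consents: dict = field(default_factory=dict)  # purpose -> set of fields consented for it
    audit: list = field(default_factory=list)     # (event, purpose, fields) history

    def fields_to_request(self, purpose: str) -> set:
        """Progressive collection: only what this purpose needs and the user has not yet given."""
        return PURPOSES[purpose] - set(self.data)

    def grant(self, purpose: str, supplied: dict) -> None:
        """Record an affirmative consent for one purpose; refuse fields it does not need."""
        needed = PURPOSES[purpose]
        extra = set(supplied) - needed
        if extra:
            raise ValueError(f"{purpose} does not justify collecting {sorted(extra)}")
        self.data.update(supplied)
        if needed - set(self.data):
            raise ValueError(f"{purpose} still lacks {sorted(needed - set(self.data))}")
        self.consents[purpose] = set(needed)
        self.audit.append(("grant", purpose, sorted(needed)))

    def withdraw(self, purpose: str) -> None:
        """Withdrawal is recorded once; every consumer must re-check allowed() at use time."""
        self.consents.pop(purpose, None)
        self.audit.append(("withdraw", purpose, []))

    def allowed(self, purpose: str, field_name: str) -> bool:
        """Gate every use of a field on *current* consent for *this* purpose."""
        return field_name in self.consents.get(purpose, set())

    def use(self, purpose: str, field_name: str):
        """Fetch a value for a purpose, or raise so the caller cannot proceed without consent."""
        if not self.allowed(purpose, field_name):
            raise PermissionError(f"no current consent to use {field_name} for {purpose}")
        return self.data[field_name]
```

Any system that sends a notice should call `use()` at send time; a withdrawal then takes effect everywhere without a separate synchronisation step.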
Learn more about CitizenOne and consent management by contacting us.