The dos and don’ts of opt-in wording
The opt-in wording should be concise, easy to understand, and user-friendly. If the opt-in wording is difficult to understand or confusing — in particular, by the use of double negatives — the consent isn’t valid. For example, the opt-in shown here isn’t valid.

The opt-in wording should be specific. If the consent is too vague and all-encompassing, it isn’t valid. For example, the opt-in wording shown here isn’t valid.
The opt-in wording should be clear about the purposes of the processing and the type of processing. The following figure shows an example of concise, easy-to-understand, user-friendly opt-in wording from the luxury travel magazine Condé Nast Johansens. It clearly states the purposes of the processing (to send certain types of information to the data subjects) and the type of processing activity (sending emails and brochures). Ideally it would also state why the date of birth is requested, because under the data minimization principle only personal data necessary for the stated purpose should be collected.
The consent for data processing should be obvious, prominent, and not bundled with other terms and conditions. So, if you’re collecting personal data at the same time you’re selling a product or service, or otherwise need to incorporate terms and conditions, you must have one tick box for accepting the terms and conditions of the sale and a separate tick box for giving consent to the data processing. The figure here is an example of opt-in wording where consent is not bundled with the terms and conditions.
You need to provide granular (more detailed) options for:
- Different purposes for the processing: You might have one purpose to send direct marketing emails yourself and a second purpose to share the data with third parties for their marketing purposes.
- Different types of processing: Examples are sending emails, sending postal marketing, and sending text marketing.
You may see separate wording where certain types of processing, such as email and text, require opt-in consent and postal marketing asks for data subjects to opt out. This is because of the ePrivacy Directive, which provides that consent is required for email and text marketing. However, the ePrivacy Directive does not require consent for postal marketing, meaning you can generally rely on the lawful grounds of legitimate interests instead when it comes to processing of personal data for postal marketing. In such a case, processing for postal marketing will require an opt-out (as data subjects have the right to object to processing where legitimate interests is the lawful ground of processing). If a data subject opts out of postal marketing, you must cease the processing immediately.
For an example of opt-in wording together with opt-out wording, see the following figure.
Avoid consent fatigue
Recital 32 of the GDPR also states that the consent must not be unnecessarily disruptive to the data subject’s experience. While you must adhere to the transparency principle and provide data subjects with sufficient information to make an informed choice, you must also be wary of consent fatigue. This is when users give consent without bothering to read the Privacy Notice or understanding the consequences of consenting, because they are overburdened with information, are presented with too many consent requests, or find the process of providing consent simply too cumbersome. To help data subjects avoid consent fatigue, be as specific and succinct as possible in the opt-in wording, and use links within the opt-in wording to layered Privacy Notices.
You shouldn’t try to obtain consent to (and therefore do not need opt-in wording for) the Privacy Notice itself. Consent is just one of your lawful grounds for processing. If you ask for consent to the Privacy Notice, you are effectively putting all of your processing on the grounds of consent. In any event, a Privacy Notice will be too long, and describe too many different processing activities, for anyone to be able to give valid consent to it in its entirety.
Keep records of consent
Finally, as a data controller, you must keep records of consent, including:
- Who consented
- When they consented
- How they consented
- What they were told about the processing
- Whether they subsequently withdrew consent
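As an added illustration (not code from the original article), the following Python sketch ties the record-keeping list above to the granular opt-in/opt-out design described earlier: each record holds who, when, how, what they were told and any withdrawal; consent is looked up per purpose and channel so it never carries over; email and text need a live opt-in, postal marketing is allowed until an objection is on file, and withdrawal takes effect immediately. The channel names, purpose labels and field names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Channel split as the text describes it (labels are assumed): email and text marketing
# need opt-in consent (ePrivacy); postal marketing runs on legitimate interests with an opt-out.
OPT_IN_CHANNELS = {"email", "text"}
OPT_OUT_CHANNELS = {"post"}

@dataclass
class ConsentRecord:
    subject_id: str                         # who consented
    purpose: str                            # e.g. "own_marketing", "third_party_marketing"
    channel: str                            # "email", "text" or "post"
    given_at: datetime                      # when they consented
    method: str                             # how, e.g. "web_form_tickbox"
    notice_version: str                     # what they were told (Privacy Notice version)
    wording: str                            # the exact opt-in text that was ticked
    withdrawn_at: Optional[datetime] = None # whether, and when, consent was withdrawn

class ConsentLedger:
    """Append-only store: withdrawals and objections are recorded, never deleted."""
    def __init__(self) -> None:
        self.records: list[ConsentRecord] = []
        self.objections: dict[tuple, datetime] = {}   # opt-outs for legitimate-interests channels

    def record_consent(self, rec: ConsentRecord) -> None:
        self.records.append(rec)

    def withdraw_consent(self, subject_id, purpose, channel, at: datetime) -> int:
        """Close every live consent matching subject/purpose/channel; returns how many."""
        hit = 0
        for r in self.records:
            if (r.subject_id, r.purpose, r.channel) == (subject_id, purpose, channel) and r.withdrawn_at is None:
                r.withdrawn_at, hit = at, hit + 1
        return hit

    def object(self, subject_id, purpose, channel, at: datetime) -> None:
        """Data subject opts out of an opt-out channel such as postal marketing."""
        self.objections[(subject_id, purpose, channel)] = at

    def may_contact(self, subject_id, purpose, channel, now: datetime) -> bool:
        """One purpose/channel pair at a time: consent for one never carries over to another."""
        key = (subject_id, purpose, channel)
        if channel in OPT_OUT_CHANNELS:              # allowed unless an objection is on file
            return key not in self.objections or self.objections[key] > now
        if channel not in OPT_IN_CHANNELS:
            raise ValueError(f"unknown channel: {channel}")
        return any((r.subject_id, r.purpose, r.channel) == key and r.given_at <= now
                   and (r.withdrawn_at is None or r.withdrawn_at > now) for r in self.records)
```

Because the ledger only ever appends and marks records as withdrawn, it doubles as the evidence trail a controller needs if consent is later disputed.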