Understanding Consent Under the GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data privacy law designed to protect the citizens of the European Union (EU) and their personal data from exploitation. The GDPR applies to an organization if it meets any of the following criteria:
- The organization has a location in the EU, and processes personal user data (even if that data is not processed in the EU)
- The organization offers goods or services to EU citizens (even if those goods or services are free)
- The organization collects or processes the personal data of EU citizens (even if those citizens are not presently in the EU)
In order to protect your users and comply with the GDPR, you need to properly obtain a user's consent before collecting or processing their data. This resource will give you a strong foundation for understanding how to obtain user consent as required by the GDPR.
The conditions for consent in the GDPR are primarily covered under two articles: Article 7, which outlines the conditions for consent as they pertain to adults, and Article 8, which outlines the conditions for consent as they pertain to children.
Article 7: Consent Conditions for Adults
Article 7 breaks down consent into four conditions. It states that, in order to process user data, you must:
- Clearly define what the user is consenting to
  - Make sure that what the user is consenting to is not hidden in a body of text.
- Ensure user consent is freely given
  - Users should not have to consent to data collection in order to use your services.
- Inform users of how they can withdraw their consent
  - The ability to withdraw consent should be as easy as it is to provide consent.
- Be able to provide proof of a user's consent
  - Maintain well-organized records of user consent so you're ready to provide proof if necessary.
Is your organization adhering to consent as defined by the GDPR?
Review and answer the questions below:
When you ask users to consent to having their data used, collected, or processed, do you ask in a clear and unambiguous way?
Before you ask your users to consent to data processing, do you clearly inform them about their right to withdraw that consent?
Is the process for withdrawing user consent as simple as the process for providing consent?
At any time, is your organization able to provide proof that a user has given consent to have their data processed?
If you answered yes to all of the above, you are well on your way to being in compliance. If you answered no or are unsure, refer back to the GDPR. Then, check in with your data protection officer to make sure you understand the conditions for consent and update your policies accordingly.
Article 8: Conditions Applicable to Children's Consent
Article 8 applies to developers who offer information society services (ISS) directly to a child. This article states the following conditions:
- A child must be at least 16 years old to have their data legally processed.
  - Member States may lower this age.
- If a child is under 16 years of age, their legal guardian must provide consent on their behalf in order for you to process that child's data.
- You must make all reasonable efforts to be sure that the consent you have received to process a child's data was, in fact, given by their legal guardian.
These conditions do NOT override any existing laws of Member States that pertain to contracts involving children.
Is your organization complying with consent regulations as defined by the GDPR?
Review and answer the questions below:
Before processing the personal data of a minor between the ages of 13 and 16, does your organization get consent from their legal guardian?
When a legal guardian consents to data processing on behalf of a minor, does your organization make all reasonable efforts to verify the legitimacy of the consent?
When processing the personal data of a minor, does your organization comply with all relevant Member State data processing regulations?
If you answered yes to all of the above, you are well on your way to being in compliance with the GDPR’s requirements on user consent for children. If you answered no or are unsure, refer back to the GDPR. Then, check in with your data protection officer to make sure you understand the conditions for consent and update your policies accordingly.
Next Steps
Receiving and properly recording user consent is key to complying with the GDPR. The protection of your users' data is your top priority, so make sure you've done everything needed to keep them and their private information safe.
Remember, the law is ever-changing. Stay up-to-date on the GDPR as you move forward. Be on the lookout for any new changes or additional requirements that you may need to address in order to remain compliant and keep your users safe.
For additional information on general best practices regarding user consent, check out the Art of Consent course.