User consent registration for GDPR
Registering consent for opt-ins is mandatory under GDPR (most of the time). There’s a difference between registering consent for cookies and tracking scripts and registering it for other services, e.g. email marketing. We will have a look at both.
Email marketing, opt-ins and user consent registration
Registering consent for email marketing is not new. Opt-ins have been required by many mail delivery solutions, like Mailchimp, for many years. They went unnoticed and unused for many years, but have been implemented more noticeably since the GDPR became active. For many countries, this didn’t change the privacy laws concerning email marketing and the like, it just shifted focus.
Because email marketing by design needs an email address (personal data), the consent can be linked to the unique ID (email address) by way of adding a checkbox to a form that clearly states the nature of the marketing efforts. Only when checked is the person allowed to be emailed. This explicit consent can be registered by WordPress, Mailchimp or any other service by adding a column with date & time of consent, next to the email address used to give consent. All respected solutions will have this built-in and can be used and integrated with Complianz.
After consenting to a newsletter, all newsletters should contain the possibility to revoke consent by unsubscribing. Or the user can ask the person responsible for registering consent to remove, access or change their consent. This should all be clearly stated in your Privacy Statement. Consenting to cookies is a bit different. The most important difference is described below:
Registering cookie consent and data minimization
The main difference is that when a user consents to all or a category of cookies, the user is identified by a unique ID in their local browser storage (a functional cookie). This ID is not identifiable as a unique person (it is not linked to personal data). This means nobody other than the user who gave consent can change, revoke or access that consent.
The user can also remove the cookies in the browser altogether, which removes any registration and consent status.
Another GDPR guideline is data minimization, which in short means: you should identify the minimum amount of personal data you need to fulfill your purpose. You should hold that much information, but no more. If you are holding more data than is actually necessary for your purpose, this is likely to be unlawful (as most of the lawful bases have a necessity element) as well as a breach of the data minimization principle.
Because of these GDPR guidelines, Complianz does not process personal data, but it still covers user consent registration!
Proof of cookie consent by Complianz. From release 3.1 and up
From release 3.1 onwards we have added proof of consent, which combines user consent registration and data minimization to respect both GDPR and your users.
How it works:
Proof of Consent by Complianz!
The document is generated after one day, both when you finish the wizard for the first time and after subsequent significant changes.
You will therefore collect different proof of consent documents during your use of Complianz, each with a different time-stamp. In this document a link is provided to explain further details for the user. Have a look for yourself.
How a user can find the time of registration
We have added a manual for users to find their exact registration time by locating the consent cookie in their browser.
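The sketch below is an added example, not Complianz's own code: it shows how a consent time read from a browser cookie could be matched to the proof of consent document that was current at that moment, without storing any personal data. The cookie name, its value format (Unix seconds) and the document list are assumptions made for illustration.

```javascript
// Hypothetical cookie name and format; not Complianz's actual storage format.
const CONSENT_COOKIE = 'example_consent_time';

// Constructed sample: proof of consent documents with their generation times.
const PROOF_DOCUMENTS = [
  { file: 'proof-of-consent-1.pdf', generatedAt: '2019-03-01T09:00:00Z' },
  { file: 'proof-of-consent-2.pdf', generatedAt: '2019-06-15T09:00:00Z' },
  { file: 'proof-of-consent-3.pdf', generatedAt: '2020-01-10T09:00:00Z' },
];

// Parse a Cookie header string ("a=1; b=2") into a name -> value map.
function parseCookies(header) {
  const cookies = new Map();
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue; // skip fragments without a value
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    cookies.set(part.slice(0, eq).trim(), value);
  }
  return cookies;
}

// Consent time as a Date, or null when the cookie is absent or malformed.
// A removed cookie means there is no registration left to look up.
function consentTime(header) {
  const raw = parseCookies(header).get(CONSENT_COOKIE);
  if (raw === undefined || !/^\d{1,12}$/.test(raw)) return null;
  return new Date(Number(raw) * 1000);
}

// Newest document generated at or before the consent time, or null.
function documentInForce(header, documents = PROOF_DOCUMENTS) {
  const when = consentTime(header);
  if (when === null) return null;
  const sorted = [...documents].sort(
    (a, b) => Date.parse(a.generatedAt) - Date.parse(b.generatedAt));
  let match = null;
  for (const doc of sorted) {
    if (Date.parse(doc.generatedAt) <= when.getTime()) match = doc;
  }
  return match && { file: match.file, consentedAt: when.toISOString() };
}
```

The lookup only ever handles a timestamp and a document name, so the site operator keeps proof of what was consented to while the link to an individual stays in that individual's browser.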
If you have any questions regarding this update, please contact us.