Informed consent: Decoding your GDPR privacy emails

1 May 2018

How do you ensure you know what you’re consenting to? Image: Denis Mikheev/Shutterstock

What do you do with the mountain of privacy policy change emails in your inbox?

The General Data Protection Regulation (GDPR) will soon become a reality and the average internet user has undoubtedly noticed a glut of app notifications and privacy policy change emails in the last number of weeks.

These changes to terms of service are necessary to ensure organisations comply with the regulation and avoid the heavy fines touted under the new EU rules.

While the changes are stemming from Europe, companies around the world must comply if they deal with EU data, hence the flood of messaging and notifications from organisations all over the globe.

Amendments and changes

While companies such as Twitter are implementing global privacy rules differently outside of the EU and WhatsApp is raising its minimum age for users to 16 in the EU only, many others are adopting a single global privacy standard, as maintaining two separate privacy regimes is arguably a lot more arduous. By adopting a single set of rules, companies also avoid the potential backlash for applying one set of regulations to customers and a different set to another.

The full text of GDPR is a whopping 261-page tome, but the recent email blast mostly deals with the element of the regulation on informed user consent. A study from 2008 showed that it would take anywhere from 16 to 444 hours per year to read every privacy policy of services you sign up for. Imagine then how much that figure would have grown 10 years on.

Under GDPR, plain language and an absence of legalese should be paramount, as the GDPR FAQ explained: “The conditions for consent have been strengthened, and companies will no longer be able to use long, illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.”

Informed consent under GDPR

This translates to a sea of emails and notifications, showcasing how users will be able to clearly and explicitly opt in to having their data collected by the companies in question. While many of them are certainly less dense with legal language, there are still a lot of layers to peel back – which is well worth doing.

Users should look out for details of personal information being shared with third parties, which could allow for invasive or unwanted profiling. While pre-ticked boxes you breeze through without reading will no longer be permitted, double-checking how your consent is being sought is still important.

Look out for where the entity in question is based if you are outside the EU. Many companies may move users from one data controller to another outside the EU to evade stricter GDPR rules.

If in doubt, send an email to the app or service’s point of contact.

How will consent change?

Deirdre Kilroy, technology and innovation partner and head of intellectual property at Matheson, explained how consent would change under GDPR: “Where you need consent from a person in order to process their personal data, you need to explain clearly what you are asking them to agree to processing and why. This is often done with or as part of the provision of the privacy notices required to be delivered for GDPR compliance.

“It is important to make sure that where you seek consent, that you give the person a genuine opportunity to exercise his or her choices. This means that consent must be freely given, specific and fully informed. Consent must also be genuinely revocable. You should have procedures in place to action and record when a person opts to revoke consent.

“There are lots of privacy notifications circulating at the moment. It is best for those controllers depending on consent to give individuals genuine choice over the collection and use of their personal information.”

Within the US, privacy laws are less advanced, but the fringe benefits of GDPR coupled with a renewed wariness around personal data could mean a new wave of legislation is about to crest Stateside.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects