GDPR Readiness: Consent, Privacy Policies, and Enforcement

by Sarah Harvey / June 27th, 2018

Confusing Aspects of GDPR

Are you unsure how to properly collect data subjects’ consent? Have you seen organizations giving data subjects different options for giving their consent? In this webinar, Mark Hinely covers the confusion regarding consent, the regulatory developments since the GDPR enforcement date, and significant litigation to note.

How is Consent Being Collected?

Consent is considered the most confusing and misunderstood legal basis for processing personal data. This is probably because consent isn’t always required, it must be freely and affirmatively given, and it is much different from the other five legal bases for processing. Two areas seem to get a lot of attention in the GDPR realm: paid consent and privacy policies.

  • Privacy Policies: You probably noticed the subject line “We’ve Updated Our Privacy Policy” reappearing over and over in your inbox in relation to GDPR. Many organizations send these updates in an effort to become GDPR compliant, under the misconception that doing so obtains data subjects’ consent. However, notification of an updated privacy policy does not equal consent.
  • Paid Consent: The “pay for privacy” concept stems from organizations opting to use a tracking wall, wherein they give their users different ways to have their personal data obtained or different ways to opt out of giving consent. Organizations such as the Washington Post give their users options for consent and for how their personal data is collected. With a free consent-based option, data subjects can read a limited number of articles each month but must consent to the use of cookies and tracking by the Washington Post and third parties. With a $60 subscription option, data subjects have unlimited access to the website and apps on any device but must consent to the use of cookies and tracking by the Washington Post and third parties. For $90, data subjects have unlimited access to the website and apps on any device and do not have to consent to the use of cookies or tracking. The “pay for privacy” concept seems problematic given that consent under GDPR must be freely given.

What are the Regulatory Developments Since GDPR Enforcement?

Since GDPR enforcement officially began on May 25, 2018, there have been various regulatory developments, including:

  • European Data Protection Board (EDPB): The EDPB has replaced the Article 29 Working Party and will now be the source for GDPR guidance.
  • Data Protection Impact Assessments (DPIAs): Each EU member state has established or proposed DPIA requirements, which are a systematic way to identify and minimize risk.
  • Data Subject Complaints and Breaches: Within the first week of GDPR enforcement, there was a significant increase in complaints and reported breaches compared to pre-GDPR activity.
  • Enforcement of Pre-GDPR Violations: Organizations such as the Gloucestershire Police, British and Foreign Bible Society, and Yahoo have all faced fines and penalties for pre-GDPR violations.

To learn more about consent, privacy policies, regulatory developments, and enforcement of GDPR, download the full webinar. For more information about GDPR compliance, contact us today!