New and far reaching data protection regulations confront enterprises with new and much more complex requirements to collect explicit consent from their customers before obtaining and processing Personal Identifiable Information (PII). Most notably, the European Union passed the General Data Protection Regulation (GDPR), which will go into effect on May 25, 2018, and which will be the new primary law regulating how companies have to protect the personal data of EU residents. It is one of the most significant and disruptive regulations, and introduces a wide range of complex privacy related requirements impacting organizations at all levels, and regardless of where they are located – any company that collects and handles data of EU residents will have to comply. The EU’s Payment Services Directive (PSD2) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) are other examples of regulations that significantly extend the requirements for consent collection.
CONSENT AS A MANDATORY REGULATORY REQUIREMENT
The GDPR (and other regulations in similar fashion) requires a “freely given, specific, informed and unambiguous indication” of consent from an individual prior to processing of his or her personal data and explicit consent for use of sensitive personal data. Consent needs to be provided per purpose, and privacy by design and by default are mandatory and enforceable.
Figure 2: Consent management settings, configuration view
THE END OF BUNDLED, MULTI-PURPOSE, PRE-CHECKED CONSENT
This means that it is no longer possible to collect personal data in a “bundled” way, for example by collecting consent from the user at registration on a digital site, often via pre-checked boxes (“opt-out”) and while requesting a broad range of personal data, following more a multi-purpose approach (collect all data that could you could possibly need) instead of the per-purpose data collection that the GDPR mandates. It is noteworthy that companies can not continue to use customer data obtained through this type of implied consent; in order to continue to market to these customers the GDPR obligates organizations to re-collect consent in a way that complies with the new regulation.
Figure 3: Consent management settings, end-user view
OBTAINING CONSENT THE RIGHT WAY
The Janrain Consent Lifecycle Management application is the newest member of the Janrain Identity Cloud™, and provides businesses the technology to obtain informed consent from their customers progressively per purpose, attribute-based, and in ways that allow compliance with the GDPR or satisfy similarly sophisticated requirements. Janrain Consent Lifecycle Management provides customizable fine-grained consent forms that make it easy and clear for users to understand which attribute groups and purposes they are providing explicit consent towards, and which ones they are not. These consent request forms can be invoked whenever the context requires it and additional consent needs to be obtained: for example, if a new service or product that is offered to the customer requires the collection of additional personal data. The context-based collection of consent can also be used for user-friendly and non-disruptive consent reconfirmation, which allows to convert previously obtained general (not GDPR compliant) consent into explicit consent with traceability and auditability.
TRANSPARENCY, THE RIGHT TO REVOKE, AND AUDITABILITY
End-users can go back to their consent declarations at any time for review, validation, revocation, or other changes; this process resembles the familiar user experience known from setting or revoking access permissions for 3rd party applications on mobile devices or social media sites. In addition to viewing their consent status online, Janrain Consent Lifecycle Management enables end-users to download this information as a PDF document. Similar to how it provides transparency about their consent data to end-users, Janrain Consent Lifecycle Management allows businesses to have all consent-related information on file that is required to satisfy various regulatory and audit requirements by demonstrating that consent was given. To support passing data between systems, Janrain provides clients an API endpoint that respects end-users’ fine-grained consent preferences, allowing for data minimization—taking over only the data needed for stated purpose and consented to share—which is a Privacy by Design best practice.