9th Mar 2018 –
So, the good news is….they got third parties right.
(c ) his religious beliefs or other beliefs of a similar nature,
As we mentioned, if we’re talking about GDPR-approved consent—this fails. Pre-checked boxes are a “no.”
It’s time to play, is this GDPR compliant?
1.
- This is compliant.
- This isn’t compliant.
- Hmm…we need more information.
2.
- This is compliant.
- This isn’t compliant.
- Hmm…we need more information.
3.
- This is compliant.
- This isn’t compliant.
- Hmm…we need more information.
4.
- This is compliant.
- This isn’t compliant.
- Hmm…we need more information.
5.
- This is compliant.
- This isn’t compliant.
- Hmm…we need more information.
6.
- This is compliant.
- This isn’t compliant.
- Hmm…we need more information.
7.
- This is compliant.
- This isn’t compliant.
- Hmm…we need more information.
8.
- This is compliant.
- This isn’t compliant.
- Hmm…we need more information.
9.
- This is compliant.
- This isn’t compliant.
- Hmm…we need more information.
10.
- This is compliant.
- This isn’t compliant.
- Hmm…we need more information.
11.
- This is compliant.
- This isn’t compliant.
- Hmm…we need more information.
Answer Key
- B
- B
- B
- A
- B
- B
- A
- B
- A
- C
- C
If you got…11 out of 11
Not “I legitimately thought they were interested so…I sent them a bunch of emails without consent” cases.
But don’t get excited. Processing data because of perceived “legitimate interests” is tricky.
If you got…anything less than 11 out of 11.
Of course, it seems legitimate to you that they ask for data on your fitness. Plus there’s an accessible privacy policy and terms and conditions statement there if you want to know how that data is used.
And it sure seems you know your way around processing personal data (unless you guessed)—be it for cookies, or emails, or sensitive data.
Miss one? Guess a few times? Need a reminder? Here’s a quick breakdown.
1. B
First off, it’s asking to collect a lot of information that isn’t necessary for getting the data subject to their goal (aka: sending them the PDF they’re signing up to receive). This goes against the GDPR principle of data minimisation (Article 5(1)(c)), which “data protection by design” (Article 25) is meant to build into your forms from the start. The best practice here is: if you don’t have a clear reason to collect a piece of information, don’t ask for it; and if you do collect it, make the reason plain to your users.
(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
Welp. We get it. This stuff is hard.
But there are additional processing conditions we have to follow, if this is “sensitive personal data.”
When GDPR takes effect, this should fly.
2. B
Basically: they should know everything you’re doing with that data. And they should tell you clearly they’re okay with it—with an affirmative action.
Now you couldddd make the argument that they don’t NEED to collect a company name, or phone number, here. So, adapting for privacy by design, those fields should be omitted.
Sensitive personal data means personal data consisting of information as to –
This condition is more for “I needed to process their account number to perform fraud prevention services” situations.
Weekly emails?
3. B
ANOTHER FUN TWIST ON THIS ONE.
So we’ll give ‘em a pass.
They got unbundled consent right.
But one thing that seems to give people the go-ahead is the treatment of existing customers’ data.
4. A
Here’s the line in the legislation they’re talking about:
This means just clicking a “Sign Me Up” button isn’t good enough.
A common mistake is to ask for consent to send materials, but to forget to separate the “how.”
Facebook offers a great example of how to do this right:
Hey look it’s that example you may have seen around the internet!
But considering your user goal here is to test run a CRM, and, you know, manage client relationships for their company—it makes sense that SuperOffice would want to know who that company is.
5. B
And for a final flourish, it lets you expand and select which cookies you’re okay, and not okay, with.
“If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters (…)” – Article 7(2)
(b) his political opinions,
6. B
And as you remember—personal data requires active, unambiguous, specific, yada yada yada consent.
So, kind of a trick question.
Guess which one this is.
7. A
“Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.” –Recital 47
(g) the commission or alleged commission by him of any offence, or
I’m going to admit to you right now, this is not the best example. So it was kind of a cruel question, and it is kind of a stretch. (There’s a complicated discussion happening right now as to at what point someone’s weight counts as health data from a data privacy standpoint, if you’re interested).
Until that second checkbox and the mention of third parties.
Because in case this weren’t tricky enough, consent is not the only way to lawfully process personal data.
8. B
So, if I buy a shirt—would I reasonably expect that I’ll get an email confirming my purchase? (Without explicitly consenting to receive emails?).
The regulators’ guidance on explicit consent says you need a statement that would “specify the nature of data that’s being collected, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of the transfer.” (That wording is from the UK ICO’s GDPR consent guidance, not from the Regulation itself; the “Article 29” sometimes cited alongside it is the Article 29 Working Party set up under Directive 95/46/EC, not an article of GDPR.)
Hey no this one is pretty good!
Under GDPR, as the ICO reads it, any third party you want to share your data with must be named for consent to count as specific and informed. “Trusted third parties” is not clear enough. Categories don’t work. If someone is going to opt in to hearing from third parties, they have to know exactly who those parties are.
Or, as the ICO breaks it down:
9. A
“‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” – Article 4(11)
But if we’re asking ourselves “Does Lancome have the right to email this person?”—we have a few more things to evaluate.
Cookies with unique identifiers are personal data under GDPR (Recital 30 names cookie identifiers as an example of online identifiers).
So, attending an event? That’s a clear “different purpose” than a monthly newsletter. Consent has to be asked separately.
10. C
Titles, and accolades, and badges aren’t important. But GDPR compliance very much is.
“Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them” – Recital 32
Congrats! You’re a GDPR superstar…or something.
The key here is something called “bundling”—which isn’t allowed under GDPR. Here are a couple different citations that give this a “no.”
SO, if this is sensitive personal data—just throwing your privacy policy and terms of service in small print after the form isn’t enough. You’d have to make sure people had a chance to read it, and then checked a box or clicked a button that says “I agree.”
Some tell you whether or not the Data Protection Authority has the legal right to fine your company for millions of dollars.
Yeah, you’ve got a pretty good case legitimate interest applies here.
“I just meant to click the “next” button. I didn’t even see that checkbox. Now I’m on your email list?”—is never a thing your users should think.
So let’s say this app collects what, for sure, counts as data about a subject’s “physical or mental health or condition.” It asks about prior medical conditions, and it logs your weight and blood pressure, or sleep patterns, over time.
(a) the racial or ethnic origin of the data subject,
This does right everything number 8 did wrong.
Some quizzes tell you whether your personality is more a “spring” or an “autumn.”
They. were so. close.
(This is a big, complicated, messy subject—that has to do with the intersection of GDPR and ePrivacy. You can read more about it here).
If you’re wondering why I got irrationally excited about this example—this is something a lot of forms screw up.
(e) his physical or mental health or condition,
(From a marketing standpoint, though—you haven’t given your users much of a reason to opt in or not. Maybe a better explanation of the benefit of your site’s cookies, might help in that endeavor).
And the app tracks your fitness.
That doesn’t sound like affirmative, active consent to me.
11. C
GDPR outlines a separate category of data it calls “special categories of personal data” (Article 9), better known as “sensitive personal data.” And the processing requirements are different for this type of information.
10/10.
Woolworth NAILS granular opt-in.
So a reminder: if you want to send texts, you need specific consent to send texts. If you want to send emails, you need separate, specific, consent to send emails.
Also, check out how pretty and segmented and unchecked those boxes are. They’re asking for an explicit opt-in to their privacy policy. They’ve asked for separate, active consent.
It tells you exactly what those cookies are used for. And then it gives you a clear option to accept, or not accept them.
You might want to keep reading….
It’s slightly less egregious bundling than the prior example. Here, by agreeing to receive the PDF, you’re at least giving consent to receive content. An email list subscription and a download, in this respect, are of a similar “purpose.” Still—phrased as it is, you’d be hard pressed to frame them as “the same.” So consent should be given separately.
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
You’re going to get contacted unless you check “no.”
This suggests that the individual’s consent should be absolutely clear. It should cover the specific processing details; the type of information (or even the specific information); the purposes of the processing; and any special aspects that may affect the individual, such as any disclosures that may be made.
Your case is getting a little thinner.
Plus, this example, again, is bundling.
Nope, non-compliant.
So pat yourself on the back. Share your wisdom. Ready your coworkers. And reread the explanations below, if there’s anything you’re unsure of.
A moment of silence for the soft opt-in, for GDPR has killed it.
- Legitimate interests no longer counts as a processing condition.
- If you choose to process based on the condition of consent, it doesn’t just have to be “unambiguous” anymore—it has to be “explicit.”
Paperrrrr thin.
Clear, affirmative, action. Keep those boxes blank.
(f) his sexual life,
Here’s what GDPR says on processing consent, to make it official:
AND THEN, once people know allllllll of that—you need to solicit an explicit action from them. Like, ticking a box that says “I agree” or “I consent.”
To be honest, past your standard order confirmations, we wouldn’t risk it. Asking for the consent (properly!) is the safest way to ensure your bases are covered.
What about a notice that there’s a huge discount next week on a similar product?