Modern websites are built to bring leads to the business, whether it be individuals setting up an appointment, subscribing to an email newsletter, inquiring about products or services, or purchasing such products or services.
One consequence of bringing in new leads that many businesses overlook is that each of those individuals submits personal information to the website: names, email addresses, phone numbers, and, in the background, IP addresses and other data captured by the web server and its analytics.
Personal information such as the above is commonly collected by websites and is now regulated under various privacy laws.
This article will discuss the privacy laws that require websites to obtain consent, how such consent can be obtained, and some best practices to ensure that you are gathering proper consent for collecting personal information.
Which privacy laws require websites to obtain consent to collect personal information?
Since personal information is regulated under various privacy laws, the first step in determining whether you need to obtain consent for collecting personal information is to determine whether those privacy laws apply to you.
Privacy laws are unique in the sense that they protect individuals, not businesses.
In addition, because a website can be reached from anywhere (an individual in a country other than the one where the company is located can submit personal information to it), privacy laws tend to have a broad territorial scope: they can apply to businesses outside the state or country in which the law was passed.
The following privacy laws require consent:
- General Data Protection Regulation (GDPR): applies to you if you:
- Have an establishment in the European Union;
- Offer goods or services to individuals located in the European Union, regardless of your location;
- Monitor the behavior of individuals located in the European Union, regardless of your location.
- The UK GDPR together with the Data Protection Act 2018 (UK DPA): applies to you if you:
- Have an establishment in the United Kingdom;
- Offer goods or services to individuals located in the United Kingdom, regardless of your location;
- Monitor the behavior of individuals located in the United Kingdom, regardless of your location.
- Personal Information Protection and Electronic Documents Act (PIPEDA): applies to organizations across Canada that collect, use or disclose personal information during commercial activity.
PIPEDA can also apply to non-Canadian companies that collect, use, or disclose the personal information of residents of Canada.
- ePrivacy Directive 2002/58/EC: applies to you if your website stores information on, or reads information from, the device of a visitor in the European Union, for example through analytics or advertising features that set cookies or similar trackers. Consent is required for this regardless of whether the stored data is personal information; the only exception is storage that is strictly necessary to provide the service the visitor asked for (such as a session or shopping-cart cookie).
If any of the above privacy laws apply to you, you must gather consent before collecting personal information from individuals in the countries listed above wherever consent is the legal basis you rely on. Under the GDPR and UK GDPR consent is one of several possible lawful bases, but for non-essential cookies, tracking, and electronic marketing it is normally the only one available, so in practice website forms and cookie banners must be built around it.
What is consent?
Under these privacy laws, consent is generally defined as:
“Any freely given, specific, informed and unambiguous indication of the individual’s wishes by which the individual, by a statement or by a clear affirmative action, signifies agreement to the processing of their personal information.”
The proper gathering of consent means meeting all of the above factors before collecting personal information.
If any of the factors above is not met, the information has been gathered without consent. That exposes your business to privacy-related fines and lawsuits, and regulatory authorities can also order you to delete any personal information obtained without proper consent.
How to obtain proper consent
First, for consent to be valid, it must be given freely by the individual. This means the individual must have a real choice as to whether or not to provide you with their personal information.
The following are examples where a free choice was not given to the individual:
- The individual feels compelled to provide their consent;
- Individuals will endure negative consequences if they do not consent;
- Individuals are not able to withdraw their consent without negative consequences.
Second, for consent to be valid, it must be specific. This means you must define each purpose for which you will use the personal information.
Third, for consent to be valid, it must be informed. This means that the individual must know, before agreeing, who is collecting the information, what will be collected, and for which of the purposes you defined it will be used, explained in plain language rather than buried in a privacy policy.
Fourth, for consent to be valid, it must be unambiguous: the individual must signify agreement through a statement or a clear affirmative action. Silence, inactivity, continuing to browse, or a box that was already ticked for them does not count.
Obtaining consent in practice
While fully understanding the concepts of consent is crucial, it is also important to determine how consent is obtained on websites.
There are three very important items to remember when gathering consent on forms.
Below is an example of a contact form that meets the requirements for consent:
In addition, below is an example of a marketing choices form that does not meet the consent requirements: the box is pre-checked, so individuals are opted in to marketing messages by default and have to opt out if they do not want to receive them. A pre-checked box is not a clear affirmative action, so it produces no valid consent.
If you need to obtain consent for cookies on a user’s device, you should know that cookie consent forms are not exempt from the above consent requirements.
This means that cookie consent forms must still give users an actual choice of whether to consent, and non-essential cookies must not be placed on the device until the user has consented.
Below is an example of a compliant cookie consent banner design: it gives users a real choice between accepting and rejecting cookies, with both options equally visible and equally easy to select, and no non-essential cookie is set until the user has accepted.
Below is an example of a non-compliant cookie consent banner because it requires users to accept cookies to enter the website and does not provide individuals with an actual choice of whether to accept or reject cookies.
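The form example and the cookie banner examples above both come down to the same two rules: only an explicit affirmative action counts, and nothing non-essential happens until that action has been recorded. The following is an added example of how a site can implement both; it is not code from the original article. It is written as plain Node.js so it runs without a browser, with an in-memory map standing in for `document.cookie`; the names `validateFormSubmission`, `PURPOSES`, `ESSENTIAL` and `CookieGate` are illustrative assumptions, not any framework's API, and the form is assumed to render its checkboxes unchecked with `value="yes"`.

```javascript
// Added example, not code from the original article: server-side handling of a
// contact form's consent checkboxes, plus a gate that holds back non-essential
// cookies until the visitor has made a choice. validateFormSubmission, PURPOSES,
// ESSENTIAL and CookieGate are illustrative names, not any framework's API.

// Specific consent: one entry per purpose, each agreed to separately.
const PURPOSES = Object.freeze({
  contact: 'Respond to your enquiry',
  newsletter: 'Send you our email newsletter',
});

// Validate a parsed POST body from a form whose checkboxes are rendered unchecked
// and carry value="yes". Browsers omit unchecked checkboxes entirely, so a missing
// field means "no consent"; only the explicit affirmative value counts.
function validateFormSubmission(body, now = new Date()) {
  const errors = [];
  if (typeof body.email !== 'string' || !body.email.includes('@')) errors.push('email');
  // Consent to handling the enquiry is required for this form to do anything at all.
  if (body.consent_contact !== 'yes') errors.push('consent_contact');
  if (errors.length > 0) return { ok: false, errors };

  // Newsletter consent is optional and never defaulted on: absence is a refusal.
  const purposes = ['contact'];
  if (body.consent_newsletter === 'yes') purposes.push('newsletter');

  // Record what was agreed, the wording shown and when, so the consent can be
  // evidenced later and withdrawn purpose by purpose.
  return {
    ok: true,
    record: {
      email: body.email,
      purposes,
      purposeText: purposes.map((p) => PURPOSES[p]),
      givenAt: now.toISOString(),
    },
  };
}

// Cookies needed to deliver the service the visitor asked for; no consent needed.
const ESSENTIAL = new Set(['session', 'csrf']);

// Holds every other cookie until the visitor accepts. `jar` stands in for
// document.cookie so the logic can be exercised outside a browser.
class CookieGate {
  constructor() {
    this.jar = new Map();
    this.choice = null; // null: no decision yet, so the banner must still be shown
    this.blocked = []; // non-essential cookies refused while undecided or rejected
  }

  // Banner stays up until an explicit accept or reject; closing it is not consent.
  bannerNeeded() {
    return this.choice === null;
  }

  // Both outcomes are offered on equal terms and either can be chosen.
  decide(choice) {
    if (choice !== 'accept' && choice !== 'reject') throw new Error('invalid choice');
    this.choice = choice;
    if (choice === 'reject') this.dropNonEssential();
  }

  // Withdrawing is as easy as consenting and removes what was set under the consent.
  withdraw() {
    this.decide('reject');
  }

  // Every cookie write goes through here; analytics or marketing scripts are only
  // loaded from a callback that checks the return value.
  setCookie(name, value) {
    if (ESSENTIAL.has(name) || this.choice === 'accept') {
      this.jar.set(name, value);
      return true;
    }
    this.blocked.push(name);
    return false;
  }

  // Delete everything that is not on the essential list; copy the keys first so
  // the map is not modified while being iterated.
  dropNonEssential() {
    for (const name of [...this.jar.keys()]) {
      if (!ESSENTIAL.has(name)) this.jar.delete(name);
    }
  }
}
```

Two design choices are worth noting. The form handler treats any value other than the explicit `yes` as a refusal rather than trying to interpret `on`, `true` or `1`, which closes off the pre-checked-box problem at the point where it matters: a box the template rendered checked still produces a stored record, but only if the visitor left it that way, and the record carries the wording and timestamp needed to show that. The cookie gate refuses rather than queues non-essential cookies while the visitor is undecided, so a tag manager or analytics loader wired to `setCookie` never runs ahead of the banner, and `withdraw()` clears what was set under an earlier acceptance instead of merely stopping new writes.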
You must obtain the proper consent when collecting personal information through your website via forms, cookies, or other tracking technologies.
Failure to obtain proper consent can lead to privacy-related fines and lawsuits. It can also leave visitors feeling that they were tricked or forced into handing over their information, which costs you the very leads the website was built to bring in.