How to Properly Gather Consent on Websites


Modern websites are built to bring leads to the business, whether it be individuals setting up an appointment, subscribing to an email newsletter, inquiring about products or services, or purchasing such products or services.

One consequence of bringing in new leads that many businesses don’t think about is that the individuals submit their personal information, such as names, emails, phone numbers, or IP addresses, to the website.

Personal information such as the above is commonly collected by websites and is now regulated under various privacy laws.

In addition to requiring certain websites to have a Privacy Policy, these privacy laws often require businesses to obtain proper consent before collecting such personal information.

This article will discuss the privacy laws that require websites to obtain consent, how such consent can be obtained, and some best practices to ensure that you are gathering proper consent for collecting personal information.

Disclaimer: The information in this article is provided for awareness purposes only and should not be construed as legal advice. Consult your attorney for legal matters.

Which privacy laws require websites to obtain consent to collect personal information?

Since personal information is regulated under various privacy laws, the first step in determining whether you need to obtain consent for collecting personal information is to determine whether those privacy laws apply to you.

Privacy laws are unique in the sense that they protect individuals, not businesses.

In addition, because of the broad reach of the Internet (for example, individuals from countries other than the one where the company is located can submit their personal information to a website), privacy laws are written to apply broadly.

They can apply to businesses outside of the state or country where the privacy laws have been passed.

The following privacy laws require consent:

  1. General Data Protection Regulation (GDPR): applies to you if you:
    1. Have an establishment in the European Union;
    2. Offer goods or services to European Union residents, regardless of your location;
    3. Monitor the behavior of European Union residents, regardless of your location.
  2. The United Kingdom Data Protection Act 2018 (UK DPA): applies to you if you:
    1. Have an establishment in the United Kingdom;
    2. Offer goods or services to United Kingdom residents, regardless of your location;
    3. Monitor the behavior of United Kingdom residents, irrespective of your location.
  3. Personal Information Protection and Electronic Documents Act (PIPEDA): applies to organizations across Canada that collect, use or disclose personal information during commercial activity. PIPEDA can also apply to non-Canadian companies that collect, use, or disclose the personal information of residents of Canada.
  4. ePrivacy Directive 2002/58/EC: applies to you if you track individuals from the European Union through your website, through features such as analytics that place cookies or trackers on the visitor’s device.

Suppose any of the above privacy laws apply to you. In that case, you must gather consent before collecting personal information from individuals in the countries listed above.

What is consent?


Concerning privacy laws, consent is generally defined as:

Any freely given, specific, informed and unambiguous indication of the individual’s wishes by which the individual, by a statement or by a clear affirmative action, signifies agreement to the processing of their personal information.

The proper gathering of consent means meeting all of the above factors before collecting personal information.

If the factors above are not met, then information has been gathered without consent, which can open your business up to privacy-related fines and lawsuits, as well as the potential of regulatory authorities forcing you to delete the personal information that was obtained without proper consent.

How to obtain proper consent

First, for consent to be valid, it must be given freely by the individual. This means the individual must have a real choice as to whether or not to provide you with their personal information.

The following are examples where a free choice was not given to the individual:

  1. The individual feels compelled to provide their consent;
  2. Individuals will endure negative consequences if they do not consent;
  3. Consent is bundled as a part of a non-negotiable Terms of Service (meaning that privacy information or a Privacy Policy cannot be combined with a Terms of Service);
  4. Individuals are not able to withdraw their consent without negative consequences.

Second, for consent to be valid, it must be specific. This means you must define each purpose for which you will use the personal information.

To obtain granular and specific consent, your Privacy Policy must list each purpose, and the individual must agree to your Privacy Policy.

In addition, you must abide by that list. For example, suppose you currently state that you will process personal information to fulfill orders and respond to inquiries. In that case, you cannot use that information for email marketing until you have updated your Privacy Policy, informed the individual of the change, and obtained their consent for this new purpose.

Third, for consent to be valid, the consent must be informed. This means that the individual must know what they are consenting to.

To meet this requirement, you must ensure that you have a comprehensive and accurate Privacy Policy that contains all of the disclosures required by the privacy laws that apply to you.

You must also ensure that your Privacy Policy accurately fits your business and privacy practices and is updated whenever your practices change and whenever new laws are passed or existing laws are amended.

Obtaining consent in practice

While fully understanding the concepts of consent is crucial, it is also important to determine how consent is obtained on websites.

When it comes to forms such as contact forms, email newsletter sign-up forms, or eCommerce forms, consent is usually obtained by an individual being required to check a box to agree to a Privacy Policy before being able to submit the form.

There are three very important items to remember when gathering consent on forms.

First, the box to agree to a Privacy Policy must be unchecked by default.

Second, the Privacy Policy must be hyperlinked and lead to the Privacy Policy page.

Lastly, the individual must check the box to agree to the Privacy Policy to submit their personal information.

Below is an example of a contact form that meets the requirements for consent:

[Image: Contact Us Consent]

In addition, below is an example of a marketing choices form that does not meet consent requirements as the box is pre-checked, and individuals are opted in to marketing messages by default and are then required to opt out if they would not like to receive marketing messages:

[Image: Invalid Marketing Consent]

If you need to obtain consent for cookies on a user’s device, you should know that cookie consent forms are not exempt from the above consent requirements.

This means that cookie consent forms must still give users an actual choice of whether to consent, and non-essential cookies must not be placed on the device until the user has consented.

Below is an example of a compliant cookie consent banner design because it gives users a choice of whether to allow cookies or deny them.

[Image: Correct Cookies Consent]

Below is an example of a non-compliant cookie consent banner because it requires users to accept cookies to enter the website and does not provide individuals with an actual choice of whether to accept or reject cookies.
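The three form rules above (box unchecked by default, Privacy Policy hyperlinked, box actively checked) and the cookie rule (no non-essential cookies before consent, and removal on withdrawal) as one added JavaScript example; this is not code from the original article, and the names validateSubmission, CookieGate and the sample cookie names are assumptions.

```javascript
// Added example (not from the original article): models the consent rules
// above. validateSubmission, CookieGate and the cookie names are assumptions.
// Valid consent: the box started unchecked and the visitor ticked it.
function isAffirmativeConsent(box) {
  return box.defaultChecked === false && box.checked === true;
}

// Validate a form submission: the Privacy Policy must be hyperlinked, the box
// must not be pre-checked, and the visitor must have checked it.
function validateSubmission(form) {
  const errors = [];
  if (!form.privacyPolicyUrl) errors.push("privacy policy not hyperlinked");
  if (form.consentBox.defaultChecked) errors.push("consent box pre-checked");
  else if (!isAffirmativeConsent(form.consentBox)) errors.push("consent box not checked");
  return { ok: errors.length === 0, errors };
}

// Cookie gate: essential cookies are set at once; non-essential cookies are held
// back until consent is granted for their purpose and removed if it is withdrawn.
class CookieGate {
  constructor(essentialPurposes) {
    this.essential = new Set(essentialPurposes);
    this.consent = {};     // purpose -> true/false; absent = not yet asked
    this.jar = new Map();  // cookies actually placed: name -> purpose
    this.deferred = [];    // non-essential cookies waiting for consent
  }
  setCookie(name, purpose) {
    if (this.essential.has(purpose) || this.consent[purpose] === true) {
      this.jar.set(name, purpose);
      return true;
    }
    this.deferred.push({ name, purpose });
    return false;
  }
  grant(purpose) {
    this.consent[purpose] = true;
    const waiting = this.deferred.filter((c) => c.purpose === purpose);
    this.deferred = this.deferred.filter((c) => c.purpose !== purpose);
    for (const c of waiting) this.jar.set(c.name, c.purpose);
  }
  deny(purpose) {
    this.consent[purpose] = false;
    this.deferred = this.deferred.filter((c) => c.purpose !== purpose);
  }
  withdraw(purpose) {
    this.deny(purpose);
    for (const [name, p] of this.jar) if (p === purpose) this.jar.delete(name);
  }
}
```

A pre-checked marketing box fails validation even though it reads as "checked", because the check was never the visitor's own action.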

You must obtain the proper consent when collecting personal information through your website via forms, cookies, or other tracking technologies.

Failure to obtain proper consent can lead to privacy-related fines and lawsuits. It can also lead to individuals visiting your website feeling like they have been tricked or forced into providing their information, thereby potentially losing their business.

Donata Stroink-Skillrud
President of Agency Attorneys
