What is Consent
Consent is defined as “any freely given, specific, informed and unambiguous indication of the Data Subject’s (a living human being) wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Need for Consent Management
The need for Consent Management has arisen because regulatory and legal compliance requirements, led by the EU GDPR, have made it mandatory to give due importance to how users' personal data is collected and processed.
The rampant abuse and misuse of users' personal data by large businesses, tech giants, data brokers, etc. has made it essential to enact data privacy laws across the world. The leading regulation, and one of the toughest laws protecting the privacy of the individual, is the EU's GDPR.
Just a few years back, data-driven marketing was unmanaged. Threats arising from third-party cookies’ ability to track, personalise, and retarget users escalated concern about the misuse of personal information at the individual level.
As a result of businesses' unrestricted use of users' personal data, regulatory bodies emerged, introducing strict compliance mandates to control the way businesses harvest and harness data. At the crux, all regulatory bodies mandate that businesses obtain explicit consent from consumers before using their personal information for monetisation.
Now that non-compliance fines running into millions of US Dollars are making headlines, obtaining user consent for data collection through cookies is more important than ever. With user consent a top-tier priority, to date more than 100 countries worldwide have enacted data privacy laws.
Across the world, various countries have enacted data privacy laws and regulatory frameworks so that data subjects' rights to privacy and freedom are protected and respected.
The most prominent data privacy regulations are the following:
- EU GDPR (European Union, General Data Protection Regulation)
- ICO UK (The Information Commissioners Office, UK)
- CCPA, USA (California Consumer Privacy Act, USA)
- India Draft PDPB 2019.
We discuss EU GDPR 2016/679 and the Draft India PDPB 2019 below to bring clarity to Consent Management Platforms and their compliance with the various privacy laws:
EU GDPR 2016/679
As per EU GDPR 2016/679, Article 5 defines the principles relating to the processing of personal data and Article 6 defines the lawfulness of processing personal data:
Article 5: Principles relating to processing of personal data:
Personal Data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject (Lawfulness, fairness and transparency).
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (Purpose Limitation).
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Data Minimisation).
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (Accuracy).
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (Storage Limitation).
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (Integrity and Confidentiality).
Article 6: Lawfulness of processing:
Processing shall be lawful only if and to the extent that at least one of the following applies:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject, e.g. income tax laws or other tax laws applying to the individual…
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedom of the data subject which require protection of personal data, in particular where the data subject is a child.
India Draft Personal Data Protection Bill (PDPB), 2019
The Draft PDPB 2019 has been formulated by the Ministry of Electronics and Information Technology and is currently in draft form, awaiting approval by Parliament. It was tabled in the winter session of Parliament in December 2019. It provides for the protection of the privacy rights of individuals, termed Data Principals, and it serves to establish a Data Protection Authority of India for matters related to the safety of an individual's personal data.
The Draft PDPB 2019 treats a consent as valid only if it is free, informed, specific, clear, and capable of being withdrawn. Its rules for consent collection and processing are almost identical to those of the EU GDPR.
However, under the Draft India PDPB 2019 the term Data Principal is used for the living human being whose data is processed after valid consent has been sought and obtained.
Consent-related key points of Draft PDPB, 2019:
- Data fiduciaries (those who determine the purpose and means of the processing of personal data) can process an individual's data only after valid consent, as defined in the Draft India PDPB 2019, has been provided.
- With an individual's explicit consent, sensitive personal data may be transferred overseas for processing; however, a copy of that data must also reside in India.
- A data principal's right to be forgotten prevents a fiduciary from processing personal data once consent is withdrawn.
- Explicit parental consent must be obtained for processing the sensitive data of children.
- It provides for a Consent Manager, who will be registered with the Data Protection Authority of India.
- The draft bill exempts data processing from the consent requirement if:
  - It is in the public interest, e.g. legal proceedings, medical emergencies, etc.
  - The data helps a government streamline services and policy formulation.
Consent Management Platform
A consent management platform gathers users and segregates those who agree to provide consent for marketing efforts from those who do not. It saves the data for accepted categories and deletes it for denied ones. For the consented categories, it picks up the user's personal data and passes it on to a shared location for data processing.
What does a CMP do?
A consent management platform covers the entire life cycle of users on a website, ranging from collecting consent to handling their data-subject requests.
As GDPR has set no specific format for accepting consent requests, a cookie banner acts as the industry standard, which covers permission for storing, processing, and sharing personal data.
Consent management should abide by the following principles:
- User’s grant of consent should be a free choice; access to the website can’t depend on obtaining consent for remarketing.
- Consent should be granular, allowing users to selectively decide types of tracking and analytics that apply to their private data.
- Info containing preferred choices is stored in a first-party cookie. If the user deletes browser cookies or visits the website using another device or browser, consent will be requested again.
Maintains a record of personal data
- An identifier for consent (like email address, IP)
- Data consented by the user (and intended purposes for using personal data)
- Timestamp of consent (when it was given, changed, or withdrawn)
- Secure storage; documentation of the obtained consent (respecting data subjects’ rights under GDPR)
- Renewal cycle (expiry date of consent, renewed annually or more frequently)
Facilitates a medium to change and move the data
- A CMP should avail options for rectifying, revoking, and erasing the personal data of a user.
- Abiding by the right of data access under GDPR, upon request the personal data of a data subject must be presented to that user in a structured, machine-readable format, which the user has the right to transfer to another data controller.
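The record-keeping and data-handling duties listed in the two sections above can be made concrete in code. The following is an added example, not code from the original article or from any CMP vendor: a minimal consent record with granular categories, grant/change/withdrawal timestamps, an expiry for the renewal cycle, a machine-readable export for access requests, and a first-party cookie round trip. The category names are the ones the article lists; the cookie name `cmp_consent`, the one-year renewal period and the `version` field are assumptions made for the example, and cookie I/O is simulated with strings so the code runs under Node (in a browser the same value would be written to and read from `document.cookie`).

```javascript
// Added example (not from the article or any CMP product): a consent record
// with granular categories, audit timestamps, expiry and cookie round-tripping.
// Assumptions: cookie name, one-year TTL and record version are made up here.

const CATEGORIES = ['preferences', 'statistics', 'marketing']; // categories named in the article
const COOKIE_NAME = 'cmp_consent';                               // assumed cookie name
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000;                // assumed renewal cycle: one year

function categoryMap(granted) {
  // Every category is decided separately; anything not actively ticked is refused.
  return Object.fromEntries(CATEGORIES.map((c) => [c, granted.includes(c)]));
}

// Create a record for a subject. `granted` is the subset of CATEGORIES the user ticked.
function createConsentRecord(subjectId, granted, now = Date.now()) {
  const categories = categoryMap(granted);
  return {
    version: 1,
    subjectId,                         // identifier for the consent (pseudonymous ID, e-mail, ...)
    categories,                        // what was consented to, per purpose
    grantedAt: now,                    // when consent was first given
    updatedAt: now,                    // when it was last changed
    withdrawnAt: null,                 // set when the user revokes everything
    expiresAt: now + CONSENT_TTL_MS,   // renewal cycle: must be re-asked after this
    history: [{ at: now, event: 'granted', categories: { ...categories } }],
  };
}

// Change individual categories. Records are immutable; the previous state stays in history.
function updateConsent(record, granted, now = Date.now()) {
  const categories = categoryMap(granted);
  return {
    ...record,
    categories,
    updatedAt: now,
    withdrawnAt: null,
    expiresAt: now + CONSENT_TTL_MS,
    history: [...record.history, { at: now, event: 'changed', categories: { ...categories } }],
  };
}

// Withdrawal must be as easy as granting: every category becomes false and the
// time of withdrawal is recorded so processing stops from that point.
function withdrawConsent(record, now = Date.now()) {
  const categories = categoryMap([]);
  return {
    ...record,
    categories,
    updatedAt: now,
    withdrawnAt: now,
    history: [...record.history, { at: now, event: 'withdrawn', categories: { ...categories } }],
  };
}

// A record is usable only while it is unexpired and not withdrawn.
function isConsentValid(record, now = Date.now()) {
  return record !== null && record.withdrawnAt === null && now < record.expiresAt;
}

// The check a CMP runs before firing any script in a given category.
function hasConsent(record, category, now = Date.now()) {
  return isConsentValid(record, now) && record.categories[category] === true;
}

// Machine-readable export for an access or portability request.
function exportConsent(record) {
  return JSON.stringify(record, null, 2);
}

// First-party cookie round trip. encodeURIComponent keeps ';' and '=' out of the
// value; Secure and SameSite=Lax are the attributes to set on the real cookie.
function serialiseCookie(record, now = Date.now()) {
  const maxAge = Math.max(0, Math.floor((record.expiresAt - now) / 1000));
  const value = encodeURIComponent(JSON.stringify(record));
  return `${COOKIE_NAME}=${value}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Returns null when the cookie is absent or unreadable, which is exactly the case
// (cookies cleared, new device or browser) where the banner must be shown again.
function parseCookie(cookieString) {
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== COOKIE_NAME) continue;
    try {
      const record = JSON.parse(decodeURIComponent(rest.join('=')));
      if (record && record.version === 1 && record.categories) return record;
    } catch (e) {
      // corrupt or tampered cookie: treat as no consent
    }
    return null;
  }
  return null;
}
```

Two design points worth noting: the functions never mutate a record, so the `history` array is a complete audit trail of what was consented to and when, which is what an auditor will ask for; and a missing, expired or unparseable cookie all collapse to "no consent", so the safe default (ask again) is the only path that does not require an explicit, valid record.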
Importance of using a CMP
- It’s a cost-efficient way for data handlers and publishers to stay up to date with the evolving privacy landscape, which can be challenging to keep track of on their own. It safeguards against consumer data privacy allegations.
- A consent management platform helps a data handler maintain a consent database, respond to audits when required, automate decision making, and transfer data overseas.
- In the backend, a CMP equips data handlers with an admin panel for achieving business-related goals. It centralises an organisation's consent data and streamlines stakeholders’ access to regularly updated consent data for deeper insights.
- A CMP helps a data controller automate the use of scripts for general and special purposes. Conditionally, a data controller can enable and disable tracking tags on web pages according to the applicable compliance requirements.
- IAM (Identity and Access Management) permission errors leave an organisation vulnerable to a potential data breach. Implementing consent management keeps IAM permission errors at bay and therefore protects against breaches.
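The conditional enabling and disabling of tracking tags described above is the enforcement side of a CMP. The following is an added example, not code from the original article or from any CMP product, showing two common mechanisms: a tag registry that decides which scripts may be injected, and the "blocked script" pattern in which tags are authored as `type="text/plain"` with a data attribute naming their category and are switched on only for consented categories. The consent object is assumed to have the shape `{ categories, withdrawnAt, expiresAt }`; the tag ids, URLs and the `data-consent-category` attribute name are constructed for illustration, and strictly necessary scripts are assumed to need no consent.

```javascript
// Added example (not from the article or any CMP product): gating tracking tags
// on consent categories. Assumptions: the consent object shape, the tag registry
// entries and the data-consent-category attribute are all made up for this example.

const TAG_REGISTRY = [ // constructed registry: each tag is bound to exactly one category
  { id: 'session-manager', category: 'necessary',   src: 'https://www.example.com/js/session.js' },
  { id: 'theme-prefs',     category: 'preferences', src: 'https://www.example.com/js/theme.js' },
  { id: 'web-analytics',   category: 'statistics',  src: 'https://analytics.example/collect.js' },
  { id: 'ad-retargeting',  category: 'marketing',   src: 'https://ads.example/pixel.js' },
];

// Single decision point. Strictly necessary scripts need no consent; everything
// else is default-deny: no record, a withdrawn record, an expired record or an
// unknown category all mean "do not load".
function consentAllows(consent, category, now = Date.now()) {
  if (category === 'necessary') return true;
  if (!consent || consent.withdrawnAt || now >= consent.expiresAt) return false;
  return consent.categories[category] === true;
}

// Decide which registry tags may be injected. Both lists are returned so the
// decision can be logged next to the consent record for audit.
function planTagLoading(consent, registry = TAG_REGISTRY, now = Date.now()) {
  const load = [];
  const blocked = [];
  for (const tag of registry) {
    (consentAllows(consent, tag.category, now) ? load : blocked).push(tag.id);
  }
  return { load, blocked };
}

// Blocked-script pattern: scripts ship as type="text/plain" so the browser ignores
// them; the CMP flips the type for permitted categories only. This operates on
// markup text (e.g. before the page is served); it is a toy regex over a
// constructed snippet, not a general HTML parser.
function activateBlockedScripts(html, consent, now = Date.now()) {
  return html.replace(/<script\b[^>]*>/g, (openTag) => {
    const m = openTag.match(/data-consent-category="([^"]+)"/);
    if (!m || !/type="text\/plain"/.test(openTag)) return openTag; // not a gated script
    return consentAllows(consent, m[1], now)
      ? openTag.replace('type="text/plain"', 'type="text/javascript"')
      : openTag;
  });
}
```

In a live DOM, changing the `type` attribute of a script element that the browser has already parsed does not execute it; the CMP has to create a new script element with the same attributes and insert it. The text-level version above is the same decision applied before parsing, and the important property is shared by both: there is exactly one function, `consentAllows`, that can say yes, and it refuses whenever the record is absent, withdrawn, expired or silent about the category.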
Streamline privacy and consumer trust with Consent Management
Consent management is the process of collecting and managing users’ consents for advertising and marketing purposes while complying with consent collection regulations. It goes hand in hand with Identity and Access Management (IAM): the complications of the identity landscape drive the need for consent management.
Consent management lets end users opt in to or opt out of the cookie categories (preferences, statistics, and marketing) listed on a website and, again, revoke consent at any time. In short, consent management entitles data subjects (users) to anonymize or deanonymize their personal data.
For downloading the latest version of various data privacy laws, kindly visit the Resources page under www.datasecure.ind.in
For demo/presentation of Consent Management Platform solutions, kindly write to us at email@example.com