Working with the GDPR and consent mechanisms in Europe

In this day and age, we hear a lot of people talking about “consent”. Like many other things in life, there are different opinions and different takes on the topic. This is only complicated further when working with consent across different countries in Europe. In this blog post, we’ll try to demystify consent to give a better view of:

  • Consent fundamentals and what the law says
  • When do you need to get consent, and what kind of consent do you need to get?
  • How the rules differ across Europe.

Consent fundamentals and what the laws in Europe say

Consent in Europe is governed by laws such as the GDPR and the ePrivacy Directive, and includes the consent needed for Cookies, Email marketing, Terms and Conditions, Privacy Policy, Terms of Use and other types of legal documents. These laws contain principles and various articles that apply to companies who have website visitors, users, and customers in Europe.

According to Cambridge Dictionary the word “consent” means “the state of agreeing with someone or something”. Alternative words often used are permit, approve, or agree. In the GDPR, the word has legal importance: consent, and how it should be obtained with regard to the processing of personal data, is defined in Article 4 of the GDPR:

 “ ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”

So in order for a consent to be valid it needs to be freely given, specific, informed and unambiguous. There are requirements you need to be aware of, which include:

  • The word “free” means that the user/customer must have a real choice.
  • Consent must be unambiguous. This means that it requires either a statement or a clear affirmative act, i.e. it can’t be implied and must always be given through an opt-in, a declaration or an active motion. The user must never be in doubt as to whether he/she gave consent or not – and to what.
  • For the consent to be informed and specific, the user must have information about the company’s identity, what data is being collected and processed, what the data will be used for, who it will be shared with and why (known as the purposes).
  • But there are no specific requirements in regards to how the consent must be captured. It can be given in writing, in an electronic form etc. In the GDPR there is a principle regarding accountability and a documentation requirement and therefore it’s always recommended that you capture consent in writing or electronically – so you can prove the consents.

Conditions for consent: Article 7 in the GDPR

Another element in the GDPR that is important here is “Article 7”, which outlines the requirements for a data controller to be able to demonstrate that a data subject has given consent to the processing of his or her data. In addition to the above, you must also remember that:

  • The request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
  • The person must be able to withdraw his/her consent at any time. The withdrawal must be as easy as giving consent.

So why is it so important to talk about the GDPR and the law’s definition of consent? The reason is that many other European rules find inspiration in the GDPR or have aligned their definition with the GDPR. One of these laws is the ePrivacy Directive.

Consent and the ePrivacy Directive

The ePrivacy Directive, also known as the EU Cookie Directive, regulates the definition of cookies, and their use, as well as other forms of online tracking technology including fingerprinting devices.

A fundamental element of this law is that a person must not store or gain access to information stored in a person’s computer, without specific requirements being met. These include that they (a) give clear and comprehensive information about the purpose of the storage of, or access to, that information; and (b) obtain consent from the person to the use of the specific cookies.

As a directive, it serves as a minimum law that people have to adhere to, which means that the different countries in the EU have the freedom to make the requirements stricter than the directive.

When do you need to get consent from users and customers online?

There are a number of consents that can be relevant for you to collect online, which depend on what kind of website you have. Is it a webshop? Or maybe it’s more of a branding site? Do you use cookies? And collect personal data from your visitors and customers?

The answers to all these questions are important. However, generally the majority of all websites need the following types of consents:

  • Email marketing consent (see below),
  • Cookie consents,
  • Consent to your Terms & Conditions (T&Cs).

Email marketing consent

Email marketing is an important channel for many businesses. However, sending marketing emails is in general not permitted without getting consent from those you are sending them to.

The rules about who you may send email marketing to are:

  • You can’t send email marketing to people, unless you have been given explicit consent (there are exceptions, see below),
  • You can’t ask for consent via an email,
  • The consent must be explicitly obtained for marketing purposes,
  • A consent is only valid from the time it was obtained,
  • You can send email marketing to existing customers who have bought something from you. But you need to make sure that they can always unsubscribe and you need to remember that you can only send them email marketing about similar goods, e.g. if they have bought sneakers then you can only send marketing emails about shoes.

You need to remember that people should always have the option to unsubscribe from marketing emails. It’s also important to remember that the rules might differ – from country to country – if you are sending email marketing to business leads / prospects.

Collecting Cookie consent

Obtaining consent from your users to place cookies can also be a requirement. The first thing you need to find out is whether you use cookies only for necessary purposes or also for non-necessary purposes. The reason is that consent is required for non-necessary cookies but not for necessary cookies.

Necessary cookies are the cookies that you need on your website in order for it to work, e.g., a cookie used to remember what products a user put into their shopping basket.

Non-necessary cookies are e.g., analytical cookies, marketing cookies or preference cookies. A preference cookie stores e.g. the user’s language preferences, timezone, etc.

There are a number of requirements for what you need to do and include on your website to ensure cookie compliance but the most important one is that you can’t place cookies before you have obtained consent from the user for non-necessary cookies.

How you must collect the consent comes from the GDPR – so it needs to be freely given, specific, informed and unambiguous. It’s also important to remember that you must document the cookie consents you obtain.
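The gating rule described above (no non-necessary cookie before opt-in, documented consents, withdrawal as easy as giving consent), sketched as an added example that is not from the original post or from Legal Monster. The function name, the `jar` interface and the audit record fields are hypothetical.

```javascript
// Added example: categories follow the article; all names are hypothetical.
const NON_NECESSARY = ["analytics", "marketing", "preferences"];

// jar: any object with set(name, value) and remove(name); in a browser it
// would wrap document.cookie. now: clock, injectable so records are testable.
function createConsentGate(jar, now = () => new Date().toISOString()) {
  const auditTrail = [];     // append-only evidence of each consent decision
  const placed = [];         // non-necessary cookies currently set
  const granted = new Set(); // empty by default: nothing is pre-ticked
  let pending = [];          // non-necessary cookies held back until opt-in

  function write(cookie) {
    jar.set(cookie.name, cookie.value);
    if (cookie.category !== "necessary") placed.push(cookie);
  }
  return {
    auditTrail,
    // Request a cookie. Returns true if written now, false if held back.
    place(category, name, value) {
      const cookie = { category, name, value };
      if (category === "necessary" || granted.has(category)) { write(cookie); return true; }
      pending.push(cookie);
      return false;
    },
    // Call only from an explicit user action (a click), never on page load.
    grant(categories, noticeVersion) {
      const valid = categories.filter((c) => NON_NECESSARY.includes(c));
      valid.forEach((c) => granted.add(c));
      auditTrail.push({ action: "grant", categories: valid, noticeVersion, at: now() });
      pending.filter((c) => granted.has(c.category)).forEach(write);
      pending = pending.filter((c) => !granted.has(c.category));
    },
    // Withdrawal is a single call, mirroring grant, and removes what was set.
    withdraw(noticeVersion) {
      granted.clear();
      auditTrail.push({ action: "withdraw", categories: [], noticeVersion, at: now() });
      placed.splice(0).forEach((c) => jar.remove(c.name));
    },
  };
}

// Constructed demo: a Map stands in for the browser cookie jar.
const store = new Map();
const gate = createConsentGate({ set: (n, v) => store.set(n, v), remove: (n) => store.delete(n) });
gate.place("necessary", "basket", "sku-1");   // written immediately
gate.place("analytics", "visitor_id", "abc"); // held until opt-in
gate.grant(["analytics"], "notice-v1");       // user clicked "accept analytics"
console.log([...store.keys()], gate.auditTrail.length);
```

Recording the notice version with each decision ties the stored evidence to the consent text the user actually saw.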

Here’s an example of a compliant cookie consent banner:

Consent to terms & conditions

If you have a webshop, you also need to have terms & conditions on your website. As your terms & conditions are the contract between you and your customers, it’s an important document. The document, which is legally binding when the customer consents to it, is a way of protecting you and your customer if a dispute or discrepancy were to arise.

To make sure that you can rely on it, you need to get your customers’ consent to it. So how should you draft and obtain such a consent?

Your customers need to actively give consent, which means that you cannot have pre-ticked tick-boxes. At the same time, the language in the consent text needs to be easy to understand and clearly indicate that the customer gives consent or accepts.

Checklist summary

You should always:

  • Make sure that those using your website and signing up for your services or buying things from you have given consent before you track how they use your website.
  • Be very mindful of the wording used in the consent text, e.g., that your company name should always be included, and it must be easy to understand.
  • Remember that there are specific requirements as to how the users give their consents, e.g., opt-in must be used in regards to email marketing and T&Cs.
  • Always be able to document your consents.

The different views in Europe about when consent is needed and required

To give you a better understanding of different views in Europe when it comes to consent, there’s more information about a few selected countries’ approach to consent for email marketing:

Email marketing overview:

| Country | B2C | B2B | Comments |
|---|---|---|---|
| UK | Opt-in consent | No consent is required | B2B rules under PECR do not apply to sole traders and some partnerships who instead have the same protection as under B2C. |
| Denmark | Opt-in consent | Opt-in consent | Sole traders have the same protection as under B2C. |
| Netherlands | Opt-in consent | Opt-in consent | Based on the Telecommunicatiewet, the same rules for businesses and consumers. There is one exception: when the business provides an email address for marketing emails, such as “salespromotions@companyname.com”, then consent is not required. |
| Germany | Double opt-in | Double opt-in | Consent rules apply to business leads. Unsolicited emails to business leads can also cause liability towards the company under the German Civil Code. |
| France | Opt-in | No consent is required | B2B rules under article L.34-5 of the Postal and Electronic Communications Code do not apply to sole traders and some partnerships who will instead have the same protection as under B2C rules. |

How a Consent Management Solution can help you keep track of your cookie consent

One way of keeping track of consents and the evidence you need is through a consent management solution that tracks your cookie consents.

Collect and document consent for all cookies used on your site with Legal Monster. Become and stay compliant wherever you do business and whenever the law changes. Our solution detects which cookies you use and collects compliant consents for those.

With Legal Monster, you get a full Audit Trail, so you can prove consents to a data authority if you need to.


Stine Mangor


Founder, CEO at Legal Monster