GDPR using a tick box?
One of the things that confused me when reading the original drafts of the new regulations was the requirement not to use a tick box to get consent. From a software point of view, I couldn’t figure out how you could get consent in a digital format conveniently, when arranging for a digital signature is so difficult. What it refers to is that the emphasis has to be on the rights of the user to obtain – “clear, unambiguous and informed” – conditions prior to indicating their consent. From May the 28th 2018 you cannot use a predefined acceptance of terms that the user has to find and then deliberately “untick”. The idea is the client should not be unduly influenced, or guided towards acceptance of conditions where they may not have been fully aware of the consequences, so they must actively do something to indicate that they have understood and agree. (See previous article)
User must actively and knowingly agree.
So the wording needs to be carefully considered and our previous article covers this. The best example of current bad practice I can think of that I meet all the time is when I update software and a stack of other pieces of software are downloaded and installed in the background. Every time I get an Adobe update, Google Chrome or some other toolbar appears on my desktop. I don’t remember actively asking for that and certainly didn’t agree to any terms. After much head scratching I make the connection with the last update and, on looking at the download page carefully, I can see, usually at the bottom of the page, a selection of offerings that are “pre-ticked”. I would have had to read the page carefully even to spot it, let alone take the time to untick each of the options. So, what the legislation is trying to prevent you from doing is setting acceptance of offers or conditions in such a way that the users have to put in extra effort not to concur, or risk making their way through your T&Cs without really thinking about the full consequences.
Clear consent built into the design.
This is particularly relevant for your wording on websites and portals, as the whole design of the page should be in line with “Privacy by Design” principles. You need to make sure that the whole experience is geared around your user being fully aware of what they are getting involved in, and that you are not burying key conditions such as consent at the bottom of the page. This is another example of the change of emphasis towards the experience being for the benefit of the user rather than the organisation.
About the Author
Malcolm Ford has 25 years’ business experience across all sectors and is now working with companies to help them comply with GDPR regulations.