User consents - why are they so important and how to collect them?
A few years ago, there was a lot of hype around the General Data Protection Regulation, known as the GDPR. Today, although many of its recommendations are widely known, still not everyone understands the purpose of this and other EU initiatives on the collection, processing and protection of personal data (including in particular the Directive on privacy and electronic communications). One of the most important assumptions of these provisions is the obligation to inform data subjects about what information is collected and processed about them, by whom and for what purpose. In addition, in many cases, it is required to obtain binding, i.e. free, express, informed and unambiguous consent of the user to the processing of his data. In the text below, we will try to explain what the purpose of this is and how publishers of digital content should collect such consent.
What is the purpose of collecting users’ consents?
Bold pop-ups at the entrance to a website have become part of our everyday life. They invariably irritate, but users have learned to live with them - most often by blindly clicking the "Accept" or "I Agree" button or by mindlessly checking the boxes necessary to continue browsing the site. Few people realize that by doing this, they are making important decisions about their privacy - allowing third parties to collect and process a lot of data about them. Theoretically, these messages are supposed to inform the user and persuade him to use a given website or application consciously. In practice, unfortunately, information about data processing is read only by a few, mainly because it is poorly designed. It is a pity, because these messages are actually intended to serve both users and owners of websites and applications: the former by informing them how a given website or application protects their data, and the latter by helping them avoid many unpleasant situations, including legal consequences, involving both users and business partners.
What should properly collected consent look like?
What the message with a request for consent to use data, displayed on a website or in an application, should look like depends on how personal data is used and how the specific website or program earns money. It also matters who the owner of the website works with and which external companies' services he uses. Therefore, we aren't able to present an example of universal consent that can be used in every case. However, we can give some pointers on how such consent should be built:
- It must be up-to-date and relevant
- The message itself should be as short, understandable and legible as possible
- Giving consent should require action on the part of the user
- It should also take into account your partners and external companies whose services you use
- It must contain information on what to do to withdraw consent
Digital content publishers, i.e. owners of websites and applications, should keep records of user consents. These records must at least contain the content of the consent as well as the date and time it was given. It is on the basis of such archived confirmations that publishers can collect and process data about their users. The message containing the consent must therefore, first of all, be up-to-date - it should list all entities to which the data will be made available and explain why this is happening. In addition, it must provide information on to what extent and how the data will be collected (whether via cookies, mobile advertising identifiers or other forms of local data storage). It is therefore necessary to update the window shown to the user each time a new partner is acquired to whom data will be transferred, when the scope of services provided changes, and sometimes even when the publisher of digital content decides to use tools other than those used so far.
The most difficult thing when creating a consent message is to build it so that it is up-to-date, comprehensive and ... as short as possible. And this is very important because, as research shows, in the case of long information about data processing, users are definitely more likely to leave a given page or check the box with consent without reading its content. So, you can either lose a potential customer or gain one who won't be aware of what will happen with the data about him. When creating the content of a given consent, we encourage you to list and clearly explain the most important information - such as why, what data and how it is collected and processed - while the rest, such as the list of entities to whom the data will be made available, or the address and seat of the relevant data protection officer, can be placed in an expandable section or under a link provided in the consent. This may also make it easier to apply changes in the future.
We should also remember that a given website or application can be used by different people, and there is only one consent message. Therefore, we recommend that it be understandable and legible and, if the content is published in several languages, that it also have equivalents in those languages. The user's express consent should prove that they understand what will happen with the data concerning them.
The collected consent should be binding, i.e. free, explicit, informed and unambiguous. So, it’s best if the user expresses it himself - for example by selecting specific boxes or possibly by clicking on the appropriate button. We recommend breaking the consent into several smaller ones with different scope - for example, separate consent for personalized and non-personalized ads. Thanks to this, we increase the chances that the user will read specific content before giving consent.
As a responsible publisher of digital content, you should know not only what you do with your users' data, but also how the partners and external companies you work with use it. For example, you can put links to their privacy policies somewhere in the content or explain exactly how they will process your users' data.
Pursuant to the provisions of the law, withdrawal of consent must be as simple for the user as expressing it. So, make sure that the content of your consent includes information on how to change its scope or withdraw it.
Why is proper consent collection important?
Contrary to appearances, the consents of the users of a given website or application aren't collected only for marketing purposes. They are also used for statistical purposes, and when properly used, they can significantly improve the operation of a given website or program. They also help prevent fraud and abuse. However, all this should take place with the informed consent of users, who are then more involved in the operation of the website or application and, which can be very important in the event of unforeseen situations, much less demanding. In extreme cases, when, for example, a case of misuse of data goes to court, properly collected consent can be an extremely strong argument in favor of you and your partners. It is therefore worth spending some time refining the message on the collection and processing of personal data and the consents collected on the website or in the application.