
GDPR: Web forms and consent

Looking at yet another of those web registration forms that seems to collect more data than required, it occurred to me that there might be quite a neat way to meet the General Data Protection Regulation’s requirements for positive, recorded consent.

First step, as with anything under the GDPR, is to think about which information is really necessary to provide the service, rather than optional. Will the service actually break if I tell it I’m a seventeen-year-old wizard called Harry Potter? If not, that information isn’t necessary and consent is the right basis for processing it. The remaining fields should be documented, and processed, under one of the Regulation’s “necessary for…” clauses: most likely “necessary for the performance of a contract”.

For the other, optional, fields, where consent is the appropriate basis, the Regulation requires that this be a positive choice by the user, that providing the information not be a condition of providing the service, that the user’s choice be recorded, and that it be as easy for the user to withdraw consent as to provide it in the first place. Where a field is populated using a drop-down list, that could be as simple as providing a “prefer not to say” option and making that the default. If something else appears in the user’s submission, you know that’s a result of them having made a positive choice to change the default. Similarly for free-text entry, the form field should be empty by default, with the user allowed to leave it that way.

This means consent to processing data from any of those fields is both positive and not a condition of providing the service. For the documentation requirement you need to record when the information was provided. To ensure you know what each user consented to, you need to keep a record of all changes to information provided on the input form and your published privacy policy. And you need a “manage my account” form that allows users to change their information and set any optional fields (and the database behind them) back to “prefer not to say”.
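The form handling described above, sketched as an added example (not code from the original post): the field names, the `ConsentStore` class and the policy version string are assumptions made for illustration. Registration and "manage my account" share one `submit` path, and every change is logged with its timestamp and the privacy policy version in force.

```python
from datetime import datetime, timezone

PREFER_NOT = "prefer not to say"
# Constructed form definition: field -> (lawful basis, default value)
FIELDS = {
    "email":     ("contract", None),       # necessary: the service breaks without it
    "age_range": ("consent", PREFER_NOT),  # drop-down, default pre-selected
    "job_title": ("consent", ""),          # free text, empty by default
}

class ConsentStore:
    def __init__(self, policy_version):
        self.policy_version = policy_version  # privacy policy published at the time
        self.profiles = {}                    # user -> current field values
        self.audit = []                       # append-only record of every change

    def submit(self, user, form, now=None):
        """Used for both registration and 'manage my account', so withdrawing
        consent takes the same effort as giving it."""
        now = now or datetime.now(timezone.utc)
        # Only declared fields are read; anything else in the form is dropped.
        clean = {f: (form.get(f) or "").strip() or d
                 for f, (_, d) in FIELDS.items()}
        for f, (basis, _) in FIELDS.items():
            if basis == "contract" and not clean[f]:
                raise ValueError(f"{f} is necessary for the service")
        profile = self.profiles.setdefault(
            user, {f: d for f, (_, d) in FIELDS.items()})
        for field, (basis, default) in FIELDS.items():
            new, old = clean[field], profile[field]
            if new == old:
                continue  # untouched default means no consent was given
            action = ("updated" if basis == "contract"
                      else "withdrawn" if new == default else "given")
            profile[field] = new  # a withdrawal resets the stored value too
            self.audit.append({
                "user": user, "field": field, "basis": basis, "action": action,
                "value": new, "at": now.isoformat(), "policy": self.policy_version,
            })
        return profile

    def consented_fields(self, user):
        """Optional fields the user has positively changed from the default."""
        return sorted(f for f, (basis, default) in FIELDS.items()
                      if basis == "consent" and self.profiles[user][f] != default)
```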

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
