If you operate an online business, whether via a website, mobile app, or both, your business needs a clear understanding of user consent for their data. As privacy protection laws become increasingly strict, failure to gain proper consent from visitors, customers, and users can lead to both hefty fines and brand distrust.
But there are many different types of consent, all with specific requirements levied by regulatory bodies. Understanding what consent you need and when and how you need to request it can help you build brand loyalty, make better decisions for your business, comply with regulations, and avoid penalties for noncompliance.
Different types of user consent
While there are two main consent models used in privacy regulations around the world, the conditions for valid consent under different data processing circumstances vary more widely. We break down what they are, where they’re relevant, and how to comply with them.
Opt-in vs. opt-out consent
Digital marketers need to obtain valid opt-in consent from users, for functions like subscribing to a newsletter or using their data to personalize ads shown to them. Similarly, users need the option to opt out of data-driven activities, such as unsubscribing from a newsletter or withdrawing from data collection for advertising or analytics.
Along with marketing functions, opt-in and opt-out consent also applies to cookie banners. A consent banner employed for CCPA/CPRA-compliant consent would include an opt-out option, and requires the phrase “Do Not Sell Or Share My Personal Information”. Users can click that link at any time, but companies don’t need to get consent before they start collecting users’ data in most cases. If the user has not explicitly opted out, consent is implied.
A cookie banner that follows an opt-in model would require users to manually click an “Accept” button or similar explicit action to agree to the data collection practices and purposes communicated. This style of banner is mandatory under GDPR law for consent to be valid.
In most cases it is not compliant to prevent users from accessing sites or their features if they decline consent, e.g. with a consent wall that can’t be bypassed, or for them to have a lesser user experience if they don’t consent. Here are tips for creating cookie banners that meet legal requirements.
Informed consent
Informed consent was once predominantly applied in sectors like research, healthcare, and media studies. But it’s becoming increasingly applicable in online data protection and relevant to marketers, especially since the introduction of the General Data Protection Regulation (GDPR) in the European Union.
Informed consent requires users to be informed of the details of digital data collection. Regardless of the consent model, all data privacy laws require that data subjects are provided with information about data collection and use and about their rights, including:
- What data is collected, e.g. name, email address, browsing history, location data, etc.
- How the data is used: the purpose(s) for collecting the data should be specific and transparent, e.g., for personalization, targeted advertising, analytics, etc.
- Potential risks and benefits: users should be aware of potential risks, such as data breaches, and of regulated activities, such as targeted marketing, as well as the benefits they might receive from consenting, e.g. more personalized communications and offers
- Control over data: users should be able to clearly understand how they can control their information, such as opting out of some or all data collection, accessing their data, or requesting its correction or deletion.
Informed consent is especially relevant for businesses that are required to comply with the GDPR. Organizations that fail to obtain proper informed consent in the EU can be heavily fined.
Since the GDPR came into force, Google has introduced solutions for data privacy protection with tools like Google Consent Mode and updates to its EU user consent policy.
Explicit consent
Explicit consent is clear and unambiguous on the part of the data subject. With informed consent, the individual knows what their data will be used for and what their rights are. With explicit consent, the user must additionally perform a clear, dedicated action to express their acceptance of the request for access to their data.
Examples of this include:
- Opt-in mechanisms, such as ticking a box or clicking a button that says “I Agree” in a cookie banner.
- Detailed permission requests, such as subscribing to marketing emails (especially with double opt-in) or allowing tracking for a map app.
By using explicit consent, not only are you meeting regulatory requirements, but you’re demonstrating respect for data privacy and building stronger trust with your users.
Granular consent
Granular consent involves requesting separate consent for different data processing purposes.
For example, rather than a cookie banner that only gives users the option to “Accept All” for cookies and other trackers in use, website hosts need to offer specific cookie consent options to comply with GDPR, such as enabling visitors to say yes to analytics cookies but no to advertising ones.
Users should be presented with clear and user-friendly options to accept or reject data processing, such as banners that allow users to opt in to or opt out of specific cookie categories individually.
Implied consent
Unlike explicit consent, implied consent involves assuming consent based on a person’s actions or inactions. An example of this might be a user continuing to browse a website after a cookie banner pops up, and ignoring it. These are sometimes referred to as “browsewrap agreements”.
With a marked shift towards privacy-led marketing, and with regulatory authorities increasingly prohibiting consent inferred from a user’s inaction, it’s recommended to err on the side of caution and avoid relying on implied consent.
Instead, apply informed and explicit consent best practices, in line with privacy-led and consent-based marketing principles.
General consent
Unlike granular consent, general consent offers limited control over what data users can agree to or reject.
An example of this could be a general online service agreement where users consent to the Terms of Service, without providing necessary details about the privacy policy and how data is being collected, stored, and processed.
General consent was once fairly commonplace, but it’s becoming increasingly discouraged in favor of granular consent. Consent “bundling” is also not allowed under a number of data privacy laws. Best practices involve separating out different kinds of required information, like in the Terms of Service and privacy policy, as well as having a cookie notice and consent banner for informed and explicit consent management.
Conditional consent
This typically follows a ‘this for that’ approach. Conditional consent can look like companies offering something in exchange for a user’s data. For example, a user accessing a whitepaper or webinar under the condition that the company can send them marketing messages. Or a discount code in exchange for a newsletter signup.
For businesses in the European Union, conditional consent can become convoluted because consent must be “freely given” under the GDPR. This blurs the lines with marketing strategies like gated content. Such offers have generally not been frowned upon, but what individuals give must be equivalent to what they get; otherwise the offer looks like a bribe for consent, which is definitely frowned on by data protection authorities.
If you’re considering conditional consent-based marketing, using a consent management platform to follow proper protocol is recommended.
Ongoing and dynamic consent
Ongoing consent, otherwise known as dynamic consent, helps ensure that users have the opportunity to actively manage their data and adjust, update, or withdraw their consent at any point.
Unlike the traditional one-time model of consent, sometimes referred to as a “clickwrap agreement”, a dynamic consent approach is based on a few core factors.
- Continual engagement with users about their preferences.
- Transparency with clear messaging on what is happening with personal data, especially with process updates or changes.
- Options for users to update their preferences, such as the frequency or channels by which they receive messages, as well as information about user rights.
- Preference management tools to offer personalization and encourage zero-party data collection.
Offering dynamic/ongoing consent is a crucial way to build trust with users by improving the user experience while adhering to data privacy laws.
Withdrawable consent
Whether using an opt-in or opt-out consent model, pretty much all data privacy laws require users to be able to withdraw consent at any time, even if their data has been collected and used for some time. Ideally individuals should be able to easily change consent preferences at any time as well, if they don’t want to entirely revoke them. Once the user opts out, data collection and processing must stop as soon as possible, ideally immediately, including processing by third parties working for the main controller.
Here are specific features of withdrawable consent:
- The right to withdraw consent at any point, even if they previously agreed to it, which also includes changing consent preferences under some laws
- Accessible, clear, easy to use functionality for users to withdraw, such as opt-out buttons in settings — it’s not compliant to hide this functionality and privacy laws require that withdrawing or declining consent be as easy as giving it
- Once withdrawn, the organization can no longer use the user’s data for its original purposes and collection of data must cease
The right to withdraw consent is, arguably, one of the most important aspects of data protection. Consider a consent management platform to help manage withdrawal functionality accordingly. Many data privacy laws require companies to maintain proof of consent, which includes user actions over time, like accepting, changing, or later withdrawing it.
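The sections on opt-in banners, granular consent and withdrawable consent describe one mechanism from three angles: nothing beyond strictly necessary processing runs until the user explicitly opts in, consent is recorded per purpose, withdrawal is as easy as granting and takes effect immediately, and every action is logged as proof of consent. The following is an added illustration of such a consent store, not code from Usercentrics or from any CMP; the purpose names, the policy version string, the sample script list and the mapping from site purposes to Google Consent Mode signal keys are all assumptions made for this example (the Consent Mode keys themselves are Google's documented parameter names). It runs under Node.js without a browser.

```javascript
// Added illustration (not Usercentrics or Google code): a minimal opt-in,
// granular, withdrawable consent store with an append-only audit log.
// Purpose names, policy version and the purpose-to-signal mapping are
// assumptions chosen for this example.

const PURPOSES = ["necessary", "analytics", "advertising"];

// Consent Mode signal keys are Google's documented parameter names; which
// site purpose feeds which signal is this example's own assumption.
const CONSENT_MODE_MAP = {
  analytics: ["analytics_storage"],
  advertising: ["ad_storage", "ad_user_data", "ad_personalization"],
};

class ConsentStore {
  constructor({ policyVersion, now = () => new Date().toISOString() } = {}) {
    this.policyVersion = policyVersion;
    this.now = now; // injectable clock so the audit log is reproducible in tests
    this.state = {};
    // Opt-in model: every non-necessary purpose is denied until the user acts.
    for (const p of PURPOSES) this.state[p] = p === "necessary";
    this.log = []; // append-only proof-of-consent record
  }

  // Record an explicit user action. `purposes` is the exact set the user
  // ticked, so "Accept all" and a granular selection use the same path.
  grant(purposes, evidence) {
    const accepted = purposes.filter((p) => PURPOSES.includes(p) && p !== "necessary");
    for (const p of accepted) this.state[p] = true;
    this._record("grant", accepted, evidence);
    return this.snapshot();
  }

  // Withdrawal must be as easy as granting: one call, applied immediately.
  withdraw(purposes = PURPOSES, evidence) {
    const revoked = purposes.filter((p) => PURPOSES.includes(p) && p !== "necessary");
    for (const p of revoked) this.state[p] = false;
    this._record("withdraw", revoked, evidence);
    return this.snapshot();
  }

  isAllowed(purpose) {
    return this.state[purpose] === true;
  }

  snapshot() {
    return { ...this.state };
  }

  // Decide which tags may load under the current state. Scripts for denied
  // purposes are never fetched, which is what "stop processing" means client-side.
  gate(scripts) {
    return scripts.filter((s) => this.isAllowed(s.purpose)).map((s) => s.src);
  }

  // Translate the granular state into the shape of a Consent Mode 'update' payload.
  toConsentModeUpdate() {
    const update = {};
    for (const [purpose, signals] of Object.entries(CONSENT_MODE_MAP)) {
      for (const sig of signals) update[sig] = this.isAllowed(purpose) ? "granted" : "denied";
    }
    return update;
  }

  _record(action, purposes, evidence) {
    this.log.push({
      at: this.now(),
      action,
      purposes: [...purposes],
      policyVersion: this.policyVersion,
      evidence: evidence || null, // e.g. which UI control the user used
      resulting: this.snapshot(),
    });
  }
}

// Constructed walk-through: a visitor accepts analytics only, then withdraws it.
function demo() {
  let tick = 0;
  const store = new ConsentStore({
    policyVersion: "cookie-policy-v3", // constructed version label
    now: () => `2024-01-01T00:00:0${tick++}Z`, // constructed timestamps
  });
  const tags = [
    { purpose: "necessary", src: "/js/session.js" },
    { purpose: "analytics", src: "https://analytics.example/tag.js" },
    { purpose: "advertising", src: "https://ads.example/pixel.js" },
  ];
  const beforeChoice = store.gate(tags); // only the necessary script
  store.grant(["analytics"], { ui: "banner", control: "save-selection" });
  const afterGrant = store.gate(tags); // session + analytics, never the ad pixel
  const modeUpdate = store.toConsentModeUpdate();
  store.withdraw(["analytics"], { ui: "privacy-settings", control: "toggle-off" });
  const afterWithdraw = store.gate(tags); // back to the necessary script only
  return { beforeChoice, afterGrant, modeUpdate, afterWithdraw, log: store.log };
}
```

Two design points are worth noting. The store never has a "grant everything" default, so an ignored banner (the browsewrap case from the implied-consent section) leaves all non-necessary tags unloaded. And each log entry captures the resulting state and the policy version the user saw, which is what a regulator asks for when proof of consent is requested: not just that the user agreed, but to what text, when, and what they changed afterwards.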
Consent requirements under global privacy laws
Many of the world’s modern and comprehensive data privacy laws require opt-in consent, among other requirements. While all EU member states are covered by the GDPR, each country has additional consent requirements. The United States is the biggest market where opt-out consent is the norm; it has no federal privacy law yet, so data privacy there is regulated state by state.
Consent requirements under the GDPR
When the GDPR came into effect it set a global standard for consent in privacy laws. But what, specifically, does the GDPR require around consent? Here are the key requirements.
Consent requirements under the CCPA
The California Consumer Privacy Act (CCPA), together with its expansion by the California Privacy Rights Act (CPRA), applies to for-profit organizations that conduct business in California and meet certain criteria.
The CCPA is generally less strict than the GDPR, especially with regards to consent requirements. Still, like the GDPR, failure to adhere to these criteria can result in serious penalties and damage to consumer trust and brand reputation. Here is a high-level checklist of its requirements.
Consent requirements under the LGPD
Another prominent data protection law is Brazil’s Lei Geral de Proteção de Dados (LGPD), which translates to General Data Protection Law in English. The LGPD was influenced heavily by the GDPR, and has actually expanded its coverage beyond the GDPR in some areas. Here are some of the core requirements for consent under the LGPD.
- Opt-in and explicit
- Free, informed, and unambiguous
- Consent must be given in writing for a specified purpose (which includes electronic means)
How to comply with different types of consent requirements: use a Google-certified CMP
Navigating different types of consent can be overwhelming, especially if you conduct business globally, where customer expectations vary regionally and technology and regulation change frequently.
Business requirements are also catching up to regulatory ones for consent. Due to Digital Markets Act (DMA) requirements on Google, publishers and developers using Google AdSense, Ad Manager, or AdMob now require a Google-certified Consent Management Platform integrated with the latest version of Google Consent Mode if they want to retain access to all features of Google services, like personalization and retargeting, across the EU/EEA and UK. Google has also expanded its EU user consent policy to include Switzerland.
To ensure that you’re conducting business in these regions while complying with legal and business requirements, choose a Google-certified consent management platform (CMP) like Usercentrics CMP.
From obtaining compliant consent and better engaging customers to staying up to date with evolving regulations, a CMP like Usercentrics’ simplifies the process and helps to ensure you can both achieve and maintain privacy compliance while getting the data your company needs, and building trust and engagement with customers.