The text in this article may include ControlShift's interpretation of the GDPR and/or interpretations we've heard from other organizations. This article should not be considered legal advice. Please seek independent legal counsel to ensure your compliance with the new regulations.
Background
The GDPR mandates that organizations acquire consent before processing the data of EU Data Subjects. Please note that, in ControlShift's understanding, this compliance area is separate from email or general communications consent. Broadly speaking, communications consent deals with the emails/sms/calls that you use to contact supporters. Data processing consent deals with the initial collection of their data and any ongoing processing, which can include an array of activities.
As with all things GDPR, we've heard a wide range of legal interpretations from our customers around what type of consent is required for compliant data processing. Generally, the two ends of the spectrum are:
- Implicit Consent, which shows the user a consent message above the button a user must press to take action. Organizations using this basis for consent have argued that processing data is intrinsic to the service provided (e.g. signing a petition).
- Explicit Consent, which requires a checkbox to be checked before the user's personal information is accepted by the platform. Organizations using this basis for consent have cited Recital 32 of the GDPR which states "Consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of personal data...Silence, pre-ticked boxes or inactivity should not therefore constitute consent."
Choosing A Consent Type
Implicit Consent: For organizations planning to use implicit consent, ControlShift allows the organization to set custom EU data processing text, which will be displayed on pages where users are taking action. For example, this text will be included above: a petition's Sign button, the new account page's Sign Up button, and an event's RSVP button (and on other pages where users enter their personal information). To set this text, go to the admin homepage > Settings (under Configure) > Content > Petitions > EU Data Processing Consent Label. Then, send us an email and we'll enable implicit consent for you.
Explicit Consent: For organizations planning to use explicit consent, ControlShift offers an EU GDPR consent checkbox. Depending on the organization's configuration (that is, whether the organization is based in the EU or only sometimes processes EU data subjects' information), we'll either always show the opt-in checkbox or only show it if the user indicates that they live in an EU country. When the checkbox is enabled, users will not be able to take action unless the box is checked.
Please note: your organization may also have a "join" checkbox, which is separate from the data processing consent box. If a logged-out user can sign a petition without checking the box, then it is not a GDPR data processing checkbox.
If your organization would like to enable explicit consent, please send us an email. We'll enable the checkbox for you and you'll be able to set the checkbox label's text from the admin homepage > Settings (under Configure) > Content > Petitions > EU Data Processing Consent Label.
Please note: although this piece of content is included in the Petitions subsection of the Content tab, the opt-in checkbox is not just used for petitions. It will also be included on the new account page, event pages, group page, contact messages popup, and anywhere else that asks for personal data.
Tracking a User's Consent History
When a user takes action on the site, we keep a log of what specific language they consented to. This information is included in a few places, including the member page and the signature record.
To view the consent version histories on the signature record page, you can either:
- Go to the appropriate petition > Admin > Signatures > search for the correct email address > Details.
- Go to the org admin homepage > People > search for an email address > go to the member page > find the appropriate signature line > Details.
On this signature Details page we include information about the signature. This page will show whether the user has consented to data processing and the content versions that they consented to, e.g. which versions of the privacy policy, terms of service, and data processing consent label the user saw and agreed to at the time of their signature.
Clicking the content version links will bring you to the appropriate asset in the Content tab. In the history tab of that piece of content, you'll be able to see the specific text in each version.
You can also track consent versions from the member page. To view the consent history from the member page, go to the admin homepage > People > search for an email address > go to the member page.
At the top of this page, we show a history of consent, including which version of the privacy policy, terms of service, and data processing consent label the user saw and agreed to. Clicking the + icon will expand the user's history and show any additional instances of them agreeing to a specific consent version.
If any or all of the privacy policy, terms of service, or data processing consent label has changed since their consent was last given, their member page will reflect that their data processing consent is not current. When a user's consent is out-of-date, we'll prompt the user to re-consent when they take their next action. If the user's consent is up to date, then we'll reflect that on the member page.
In addition to tracking consent opt-ins in the platform, we also include this information in the appropriate API and webhook endpoints. Depending on your organization's technical capacity, you can use these endpoints to track consent outside of ControlShift. More information on our endpoints can be found here: https://developers.controlshiftlabs.com.
Tracking Platform Consent Versions
Admins are able to track how consent versions have changed over time. Each time a change is made to the terms of service, privacy policy, or consent label, a new consent version is created. You can see your platform's history of consent versions at /org/consent_content_versions.
On this page, admins can also specify an External ID for each consent version. This can help you match your consent version across multiple platforms.
When is data processing consent required for users?
We have various rules that determine whether a user is required to consent to data processing. These rules apply only when the organization has explicit data processing consent enabled. If the organization is not tracking data processing consent, the checkbox will not be shown. If the organization is using implicit data processing consent, the disclaimer will always be shown and automatically accepted.
When an organization has explicit data processing consent enabled and also has the country dropdown enabled, we'll only ask users from EU/EEA/UK to provide consent. Other users will be able to complete their actions without checking the data processing consent box.
Below are common scenarios, and the behavior that will be used for users in the EU/EEA/UK:
| When the user is ... | ... and their data processing consent is ... | Is the data processing consent checkbox shown? | Is new consent required to complete the action? |
| --- | --- | --- | --- |
| Unknown and has never taken action on ControlShift before | (no prior consent) | Yes | Yes |
| Signed in to a ControlShift user account | current | Yes | No |
| Signed in to a ControlShift user account | never granted or out of date | Yes | Yes |
| Identified by a recently signed ControlShift cookie | current | Yes | No |
| Identified by a recently signed ControlShift cookie | never granted or out of date | Yes | Yes* |
| Taking action with an email address that has taken action before on ControlShift | current | Yes | No |
| Taking action with an email address that has taken action before on ControlShift | never granted or out of date | Yes | Yes |
| Identified by a cookie or URL parameter from a supported CRM | current | Yes | No |
| Identified by a cookie or URL parameter from a supported CRM | never granted or out of date | Yes | Yes |
* this scenario would only happen if the user signed a campaign, was cookied, and then the data processing consent text was updated before the user signed another campaign.
We also check if data processing consent is current or needs to be updated for the following cases:
- When resetting the password
- When activating the account
- When filling missing info
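The two mechanisms described above, consent versioning ("Tracking a User's Consent History" and "Tracking Platform Consent Versions") and the scenario table in this section, can be modelled together in a few dozen lines. The following Ruby is an added illustration written for this article; it is not ControlShift's code, and the class and method names (ConsentContent, Platform, ConsentRecord, consent_current?, consent_decision) are assumptions made for the example. It stores a version number for each of the three assets with the consent, treats consent as current only while all three are unchanged, and returns the show/require decision for each row of the table, including the implicit and non-EU cases.

```ruby
# Added illustration (not ControlShift's code): a minimal model of versioned
# consent content, the "is consent current?" check, and the scenario table.
# Class and method names are assumptions made for this example.

# Every edit to a consent asset creates a new numbered version; earlier text
# is retained so a signature record can point at exactly what was agreed to.
class ConsentContent
  def initialize(text)
    @versions = [text]
  end

  # Publishing new text returns the new version number.
  def publish(text)
    @versions << text
    current_version
  end

  def current_version
    @versions.size
  end

  def text_for(version)
    @versions.fetch(version - 1)
  end
end

# The three assets a supporter agrees to when taking action.
class Platform
  attr_reader :privacy_policy, :terms_of_service, :consent_label

  def initialize(privacy_policy:, terms_of_service:, consent_label:)
    @privacy_policy   = ConsentContent.new(privacy_policy)
    @terms_of_service = ConsentContent.new(terms_of_service)
    @consent_label    = ConsentContent.new(consent_label)
  end

  # Snapshot of current version numbers: this is what is stored with the
  # signature when the supporter consents.
  def current_versions
    { privacy_policy:   privacy_policy.current_version,
      terms_of_service: terms_of_service.current_version,
      consent_label:    consent_label.current_version }
  end
end

# What gets stored alongside a signature (or on the member record).
ConsentRecord = Struct.new(:versions, :granted_at)

# Consent is current only if none of the three assets changed since it was
# granted; any newer version means the supporter must re-consent.
def consent_current?(record, platform)
  !record.nil? && record.versions == platform.current_versions
end

# Scenario table for one action attempt.
#   mode:        :none, :implicit or :explicit data processing consent
#   in_eu_scope: true when the supporter is (or is assumed to be) in EU/EEA/UK
#   identified:  true when a session, signed cookie, previously seen email
#                address, or CRM cookie/URL parameter ties the action to a
#                known supporter
#   record:      that supporter's stored ConsentRecord, or nil if none
def consent_decision(mode:, in_eu_scope:, identified:, record:, platform:)
  case mode
  when :none
    { show_disclaimer: false, show_checkbox: false, consent_required: false }
  when :implicit
    # Disclaimer text is always shown and treated as accepted.
    { show_disclaimer: true, show_checkbox: false, consent_required: false }
  when :explicit
    # Outside EU/EEA/UK (country dropdown enabled) nothing is asked.
    return { show_disclaimer: false, show_checkbox: false, consent_required: false } unless in_eu_scope
    current = identified && consent_current?(record, platform)
    { show_disclaimer: false, show_checkbox: true, consent_required: !current }
  else
    raise ArgumentError, "unknown consent mode #{mode.inspect}"
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample data for a stand-alone run.
  platform = Platform.new(privacy_policy: 'Privacy policy v1',
                          terms_of_service: 'Terms v1',
                          consent_label: 'I agree to the processing of my data')
  record = ConsentRecord.new(platform.current_versions, Time.utc(2018, 5, 25))
  puts consent_decision(mode: :explicit, in_eu_scope: true, identified: true,
                        record: record, platform: platform)
  # Editing the label creates version 2, so the stored consent is no longer current.
  platform.consent_label.publish('I agree to the processing of my data (updated)')
  puts consent_decision(mode: :explicit, in_eu_scope: true, identified: true,
                        record: record, platform: platform)
end
```

The key design point is that the consent record stores version numbers rather than a single "consented" flag: that is what makes the member page able to say which text the supporter saw, and what turns any later edit to the privacy policy, terms of service or label into a re-consent prompt on the next action, which is the starred row of the table.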
The GDPR has numerous requirements and hefty fines for non-compliance. The information included here is not legal advice, and we strongly recommend that all organizations using ControlShift seek legal counsel to ensure that they comply with the GDPR and all relevant laws.