According to the regulation, GDPR consent has a lifecycle made up of collection, custody and withdrawal, and each of these steps has to be carried out in a certain way. We invite you to read a new article in our GDPR series.


Consent is a fundamental pillar in the management of personal data, especially in the context of the General Data Protection Regulation (GDPR), as we have discussed in previous articles in this series.

Article 4.11 of the GDPR defines it as follows: “consent of the data subject”: means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject signifies his or her agreement, either by a statement or by a clear affirmative action, to the processing of personal data relating to him or her.

In other words, the consent given must be free, specific, informed and unequivocal.

Next, we explore the three key phases of the consent lifecycle: collection, custody and withdrawal.

Collection of consent (multichannel)

The collection of consent, as we have indicated above, must be a free, specific, informed and unambiguous action, and it will be up to the controller to demonstrate that the data subject consented to the processing of the data. This means, among other things, that data controllers (i.e. both natural and legal persons) must keep verifiable evidence of how each consent was collected.

Regarding the manner of obtaining consent, the entities responsible for the processing will have to offer multiple channels for users to give their consent. In other words, they will adapt to the preferences and needs of the persons concerned. Some common channels are:

  • Web forms: allow users to give their consent by completing them online.
  • E-mail: through e-mail marketing campaigns, where explicit consent is requested.
  • SMS / WhatsApp: text messages requesting users’ consent.
  • Mobile applications: consent is requested and recorded within a mobile app.
  • Face-to-face: through physical forms that users can sign in person.

The regulation establishes as mandatory that the consent must be explicit, informed and freely given. Furthermore, it must be specific for each purpose of data processing. This means that it is not valid to collect a single consent for a multitude of purposes, but that each purpose requires a specific consent.


Custody of consent

Once obtained, the consent must be securely stored and accessible by the data controller. This implies:

  • Secure storage: consents will be stored in secure systems that protect the information against unauthorized access and security breaches.
  • Traceability: it is essential to keep a detailed record of when, how and for what purpose consent was obtained. This includes, at a minimum, the date, the channel used and the specific purpose.
  • Accessibility: records must be easily consultable in subsequent reviews or audits. This is essential to demonstrate compliance with the GDPR in case of inspections or litigation.

Withdrawal of consent (cancellation)

Article 7.3 of the GDPR gives individuals the right to withdraw their consent at any time, and requires that it be as easy to withdraw consent as it was to give it. Organizations need to build this process in a way that is convenient and free of charge. The design will include:

  • Multiple withdrawal channels: multiple channels for users to withdraw their consent, such as web forms, emails, SMS or mobile applications, among other possibilities.
  • Confirmation: after withdrawal, the organization has to issue a confirmation and cease any data processing based on that consent.
  • Updating records: it is critical that consent records are updated to reflect the withdrawal and to ensure that user data is no longer used for the purposes previously consented to.

Withdrawal of consent will not affect the processing carried out on the basis of consent prior to its withdrawal.

Special attention to the collection of consent for cookies

Cookies are text files that websites send to the browser to store information about a user’s visit. This allows websites to remember user preferences and provide a more personalized experience. Before they can be set, the user must give their consent.

The Law of Information Society Services and Electronic Commerce (LSSI) regulates the use of cookies in Spain.

Although it does not mention them directly, Article 22.2 of the LSSI states: “Service providers may use data storage and retrieval devices on users’ terminal equipment, provided that they have obtained their consent after providing clear and complete information about their use”.

These are the most important points of the LSSI regarding the regulation of cookies:

  1. Duty to inform: companies have to inform in a clear and understandable way about the use of cookies: their purpose, duration and who owns them, especially if they are from third parties.
  2. Obtaining consent: before installing cookies on the user’s device, companies must obtain the user’s explicit consent as indicated in Article 7 of the GDPR. This is usually done by means of banners or pop-ups requesting acceptance.
  3. Exceptions: some cookies, such as technical cookies, which are necessary for navigation or to provide a service requested by the user, are exempt from the obligation to obtain consent.

Most websites, applications and online platforms use these small text files to improve the browsing experience and/or to collect different types of personal information from users. It is therefore important to follow these steps for the correct management of consent:

  1. Transparency: clear information to users about what cookies are, how they are used and for what purpose. This should include an accessible and understandable policy.
  2. Explicit consent: obtain explicit consent from users before using cookies that are not strictly necessary for the operation of the website.
  3. Configuration options: provide users with the option to accept or reject different types of cookies, such as performance, functional or advertising cookies.
  4. Record of consent: keep a record of the consent given by users including the date, time and type of cookies accepted.
  5. Revocation of consent: allow users to revoke their consent at any time and provide clear instructions on how to do so.
  6. Updating the cookie policy: periodically review and update the cookie policy to reflect any changes in its use or applicable regulations, among other issues.

The Spanish Data Protection Agency (AEPD) publishes additional guidelines and directives on the use of cookies to ensure compliance with the regulations, and even provides examples of how some of the above points should be implemented.
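The custody and withdrawal requirements above (record date, channel and purpose for every consent; keep the records tamper-evident and consultable; record withdrawals per purpose without affecting earlier processing) and steps 4 and 5 of the cookie checklist (a record of the consent given and a way to revoke it) map onto the same data structure: an append-only ledger of consent events. The following Python code is an added example, not code from the article or from MailComms Group; purpose names such as `marketing:email` and `cookies:technical`, the subject identifier, the information-text versions and all timestamps are constructed for the demonstration, and the hash chain is one possible way to make the stored records tamper-evident.

```python
"""Append-only consent ledger: collection, custody, withdrawal (constructed example)."""
import hashlib
import json
from datetime import datetime, timezone

# Cookie categories the LSSI exempts from consent (technical cookies needed to
# provide the service the user asked for). Purpose names are our own convention.
EXEMPT_PURPOSES = {"cookies:technical"}

GENESIS_HASH = "0" * 64


def _canonical_hash(payload: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so a record cannot be altered silently."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canon).hexdigest()


class ConsentLedger:
    """Every grant or withdrawal is a new event; nothing is ever edited in place.

    Each event records who, which purpose, what happened, through which channel,
    when, and which version of the information text was shown (traceability),
    plus the hash of the previous event so the whole trail can be verified.
    """

    def __init__(self):
        self._events = []

    def _append(self, **fields) -> dict:
        prev = self._events[-1]["event_hash"] if self._events else GENESIS_HASH
        payload = {**fields, "prev_hash": prev}
        event = {**payload, "event_hash": _canonical_hash(payload)}
        self._events.append(event)
        return event

    def record_consent(self, subject_id, purpose, channel, at, info_version) -> dict:
        """Collection: one event per specific purpose; bundled purposes are rejected."""
        if not purpose or "," in purpose:
            raise ValueError("consent must be specific: exactly one purpose per event")
        return self._append(subject_id=subject_id, purpose=purpose, action="granted",
                            channel=channel, timestamp=at.isoformat(),
                            info_version=info_version)

    def withdraw(self, subject_id, purpose, channel, at) -> dict:
        """Withdrawal: its own event, through whichever channel the subject used."""
        return self._append(subject_id=subject_id, purpose=purpose, action="withdrawn",
                            channel=channel, timestamp=at.isoformat(), info_version="")

    def is_permitted(self, subject_id, purpose, at) -> bool:
        """Was processing for this purpose covered by consent at instant `at`?

        A withdrawal only counts from its own timestamp, so processing that took
        place earlier stays covered (GDPR art. 7.3).
        """
        if purpose in EXEMPT_PURPOSES:
            return True
        relevant = sorted(
            (e for e in self._events
             if e["subject_id"] == subject_id and e["purpose"] == purpose
             and datetime.fromisoformat(e["timestamp"]) <= at),
            key=lambda e: e["timestamp"],
        )
        return bool(relevant) and relevant[-1]["action"] == "granted"

    def audit_trail(self, subject_id) -> list:
        """Accessibility: everything recorded for one data subject, for a review or audit."""
        return [e for e in self._events if e["subject_id"] == subject_id]

    def verify_chain(self) -> bool:
        """Custody check: recompute every hash; any edit or deletion breaks the chain."""
        prev = GENESIS_HASH
        for e in self._events:
            payload = {k: v for k, v in e.items() if k != "event_hash"}
            if e["prev_hash"] != prev or _canonical_hash(payload) != e["event_hash"]:
                return False
            prev = e["event_hash"]
        return True


def demo() -> dict:
    """Walk one constructed subject through grant, withdrawal, audit and a tamper check."""
    ledger = ConsentLedger()
    t_grant = datetime(2024, 5, 2, 10, 0, tzinfo=timezone.utc)
    t_withdraw = datetime(2024, 6, 10, 9, 30, tzinfo=timezone.utc)
    ledger.record_consent("subj-0001", "marketing:email", "web_form", t_grant, "notice-v3")
    ledger.record_consent("subj-0001", "cookies:advertising", "web_form", t_grant, "cookie-policy-v2")
    ledger.withdraw("subj-0001", "marketing:email", "email", t_withdraw)  # per-purpose withdrawal

    before = datetime(2024, 6, 1, tzinfo=timezone.utc)
    after = datetime(2024, 7, 1, tzinfo=timezone.utc)
    results = {
        "email_before_withdrawal": ledger.is_permitted("subj-0001", "marketing:email", before),
        "email_after_withdrawal": ledger.is_permitted("subj-0001", "marketing:email", after),
        "ad_cookies_still_consented": ledger.is_permitted("subj-0001", "cookies:advertising", after),
        "analytics_never_consented": ledger.is_permitted("subj-0001", "cookies:analytics", after),
        "technical_cookies_exempt": ledger.is_permitted("subj-0001", "cookies:technical", after),
        "chain_intact": ledger.verify_chain(),
        "events_for_subject": len(ledger.audit_trail("subj-0001")),
    }
    # Simulate someone editing a stored record in place: the chain no longer verifies.
    ledger._events[0]["channel"] = "sms"
    results["tampering_detected"] = not ledger.verify_chain()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points are worth noting. Consent is checked per purpose and per instant, so withdrawing e-mail marketing consent leaves the advertising-cookie consent untouched and leaves processing done before the withdrawal covered, exactly as the withdrawal section describes. And because records are never edited, "updating records" after a withdrawal means appending a withdrawal event, which is what lets the ledger double as the evidence the controller must be able to produce in an audit.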

Advertising exclusion lists

Advertising opt-out lists are voluntary systems in which individuals can register to avoid receiving unwanted commercial communications from companies with which there is no contractual relationship.

There are currently two advertising exclusion lists: the Robinson List and the Stop Advertising List (newly created).

Companies that carry out commercial actions must exclude those persons who have registered in either of the two lists, that is, the cases in which the person has expressed that they do not wish to receive this type of communication. They may contact those who are not registered. Consent must be obtained in accordance with Article 7 of the GDPR (free, specific, informed and unequivocal), and through a channel that allows a record of its collection to be kept.

However, anyone who has signed up for an advertising opt-out list may receive advertising from a company if he or she is a customer or if he or she has previously given his or her explicit consent. For example, by making a purchase from a company and agreeing to receive information about similar products, that company may send commercial communications even if the user has signed up for one of these opt-out lists.


Conclusion

Effective consent lifecycle management is essential to comply with data protection regulations, avoid fines, reputational risks and maintain user trust. The consent lifecycle includes multi-channel collection, secure storage and easy opt-out. And transparency and regulatory compliance must be ensured at every stage.

For all these reasons, companies need to have improved and mature consent management processes in place and to rely on technology solutions, such as MailComms Group’s, to help them manage the entire process, ensure compliance and avoid penalties.

And for this compliance, it is very helpful to have a qualified and trustworthy electronic service provider, such as ours. In addition, we are certified in the main information security and privacy standards, ISO/IEC 27001 and ISO/IEC 27701, to which we add our accreditation in the high level category of the National Security Scheme.

If you would like to learn about one of the most robust consent management systems on the market, we invite you to contact us.

Soraya de Caso

Manager, Legal Business Consulting.

Law graduate from the University of Valladolid. She specializes in data protection and information security in both the public and private sectors, as Compliance Officer and Data Protection Officer. She holds the ISO/IEC 27001 Lead Auditor certification and numerous training qualifications in security and privacy.

Do you want more information? MailComms Group will answer all your questions.

Please, leave us your data in this form and we will contact you to explain it applied to your particular case.
