GDPR and Engineering Consent into Privacy by Design


This is going to be quite the challenge for GDPR data processors. Why? Because browser vendors have not yet agreed on a standard way for the user to indicate consent, revoke consent, or store consent for the use of their data.

Can you imagine the confusion? Everybody is going to want to do it their own way, which will result in confusing user interfaces and even more confusing user experiences. And all the data processor has to do is get it wrong once and they’re liable, facing very expensive penalties.

Let’s dig into consent a little further…

  1. The user accesses a web site. The web site MUST send a request for consent to the user before any content is loaded. (Or they may decide to load the content and ask for consent at the same time.)
  2. The user has to express their consent – if the user doesn’t consent then the loaded page has to disappear or be replaced by something that doesn’t violate the user’s privacy.
  3. The data processor now has to store the consent and provide a way for the user to revoke consent at any time.
  4. This MUST be done each time the user accesses the site – why? Because how do you (the data processor) KNOW if the user has changed their mind?
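The four steps above as a server-side gate, in an added example that is not from the original post. The ledger class, the purpose names and the page map are hypothetical, and the in-memory list stands in for real storage.

```python
from dataclasses import dataclass, field
import time

# Constructed sample: which processing purposes each page depends on.
PAGE_PURPOSES = {"/news": {"analytics", "ad_personalisation"}}

@dataclass
class ConsentLedger:
    """Append-only log of consent decisions (hypothetical in-memory store)."""
    events: list = field(default_factory=list)

    def record(self, user_id, purpose, granted):
        # Step 3: grants and revocations are both appended, never overwritten,
        # so the history of what the user agreed to stays auditable.
        self.events.append((time.time(), user_id, purpose, granted))

    def current(self, user_id, purpose):
        # Latest decision wins. None means the user was never asked.
        for _, uid, p, granted in reversed(self.events):
            if uid == user_id and p == purpose:
                return granted
        return None

def handle_request(ledger, user_id, path):
    """Step 4: evaluate consent on every request; nothing is cached."""
    needed = PAGE_PURPOSES.get(path, set())
    decisions = {p: ledger.current(user_id, p) for p in needed}
    unasked = sorted(p for p, d in decisions.items() if d is None)
    if unasked:
        # Step 1: ask before any content that needs consent is sent.
        return {"status": "consent_required", "ask": unasked, "body": None}
    if not all(decisions.values()):
        # Step 2: refused or revoked, so serve a privacy-safe replacement.
        return {"status": "restricted", "ask": [], "body": "placeholder page"}
    return {"status": "ok", "ask": [], "body": f"full content for {path}"}

if __name__ == "__main__":
    ledger = ConsentLedger()
    print(handle_request(ledger, "u1", "/news")["status"])
    ledger.record("u1", "analytics", True)
    ledger.record("u1", "ad_personalisation", True)
    print(handle_request(ledger, "u1", "/news")["status"])
    ledger.record("u1", "analytics", False)  # the user changes their mind
    print(handle_request(ledger, "u1", "/news")["status"])
```

Because the gate reads the ledger on every request, a revocation takes effect on the very next page load without any cache to invalidate.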

To say that this is a serious undertaking is an understatement. Each individual has to be accommodated in real time. Compliance is mandatory to avoid a fine.

Cloud Services like ConsentCheq are already springing up to solve this problem. Only one problem with this approach — you’re now dependent on somebody else for consent. What if their system goes down or is hacked? What happens to all of your consent data?

Do your users ‘consent’ to their consent data being stored on a third party’s servers? I can see the debates going on right now. Your own security requirements may mandate that this is not an option. So then you have to build everything yourself.

In closing, let me present another option. What if we put the user in charge of the collection, flow, use and consent of their private data? What if every time they came to your website you knew in real time what they did and did not consent to? What if you didn’t have to store that consent?

What would that look like?

Here’s a screen shot — the screen on the right shows exactly what I consent to in real time and it’s available every time I come to (ONLY) your website. And the really cool thing — you know what I consent to BEFORE you send a response back to me.

Posted in: GDPR, Privacy by Design
