
Choice and Consent: Key Strategies for Data Privacy

Privacy PowerUp Series #6

Ensuring that individuals have control over their personal information is more critical than ever to consumers today. This article explores the concepts of choice and consent in data protection, providing key insights for privacy professionals.

What is choice and consent in data protection?

Choice and consent are fundamental concepts in data protection, allowing individuals to control how their personal information is collected, used, and disclosed. The requirements vary based on jurisdictions, industries, sectors, types of personal information, and processing activities. Sometimes, consent is even necessary for transferring personal information.

Key considerations for ensuring choice and consent

1. Assessing data processing

Before determining the appropriate choice mechanism, it may be a good idea to assess the data processing activities you plan to undertake.

Examples of steps you could take:

  • Document a data inventory that could include, among other things:
    • Categories of data collected
    • Purposes for use and disclosure
  • With the data inventory in place, ask questions such as:
    • Do you need sensitive personal information?
    • What jurisdictions and sectors do you operate in?
    • What types of data do you process, and for what purposes?
    • Does your company engage in cross-contextual advertising?

2. Determining choice mechanisms

After assessing your data processing activities, determine the appropriate choice mechanisms to comply with various privacy regulations. Consider the following principles and frameworks:

OECD Principles:

Review the following principles:

  • Collection Limitation:
    • Limit personal data collection.
    • Obtain data by lawful and fair means with individual consent where appropriate.
  • Use Limitation:
    • Use personal data only for specified purposes.
    • Do not disclose or use personal data beyond those purposes unless specified conditions apply.

The OECD principles form the foundation of most privacy regulations.

APEC Cross Border Privacy Rules (CBPR)

For organizations operating in APEC economies, the CBPR principle “Choice” requires providing clear and conspicuous mechanisms for individuals to exercise their choices regarding data collection, use, and disclosure.

Opt-in vs. opt-out consent

There are two primary concepts of choice:

Opt-in consent

Opt-in consent involves an active, affirmative action to indicate a choice. Examples include checkboxes or radio buttons (pre-checked boxes are not acceptable).

Opt-out consent

Opt-out consent allows individuals to unsubscribe or opt out of certain processing activities. Examples include:

  • Unsubscribe links for newsletters
  • Links to opt out of selling or sharing personal information

Regulatory variations

Different regulations require different types of choice mechanisms. Here are some examples under selected regulations:

  • California Consumer Privacy Act (CCPA), among other requirements:
    • Opt-out from selling or sharing personal information
    • Provide a conspicuous link or alternative offline method
  • EEA (GDPR and ePrivacy Directive), for example:
    • Different types of choice mechanisms based on legal basis and categories of personal information
    • Cookie consent mechanisms, where applicable
    • The right to object when the data processing has been based on legitimate interest
  • Data Privacy Framework:
    • For example, an opt-out choice mechanism for direct marketing, where applicable

Technological means of providing choice

Organizations must ensure that technological means for providing choice are in place. This includes:

Recording choices:

Implement procedures and technical measures to record individual preferences.

Taking appropriate action:

Ensure that appropriate actions are taken when an individual exercises their choice.

Inclusion in privacy notices:

Include disclosures and working mechanisms in your privacy notice.

Options may include an email to the privacy office, a link to a preference manager, or a specific link (e.g., “Do not sell or share” under CCPA).

Special considerations for minors

When collecting or using data of minors, always adhere to local laws and regulations.

Additional considerations

Mechanisms to withdraw consent:

Ensure that individuals can easily withdraw consent when desired.

Form of consent:

Use forms of consent that meet regulatory obligations.

Specific and prescribed purposes:

Obtain specific consent for prescribed purposes.

Cross-jurisdiction data transfers:

Some laws may require consent for transferring data outside of the jurisdiction or mandate data localization.

Increase customer trust with transparency and choice

Choice and consent are pivotal in ensuring data privacy. By understanding and implementing proper mechanisms, organizations can help individuals maintain control over their personal information.

Achieve global consent compliance and provide delightfully simple experiences for users to exercise their data privacy rights and consent preferences while reducing your risk, complexity, and costs.

Continue mastering the privacy essentials by reviewing all the resources in the Privacy PowerUp series.

Choice and Consent Infographic

Review the foundations of choice and consent in data privacy.


PowerUp Your Privacy

Watch all ten videos in the Privacy PowerUp series – designed to help professionals master the privacy essentials.

Visit us again on October 9, 2024 to read the next article in this series: #7 Managing the Complexities of International Data Transfers and Onward Transfers.

Read more from the Privacy PowerUp Series:

  1. Getting Started in Privacy
  2. Data Collection, Minimization, Retention, Deletion, and Necessity
  3. Data Inventories, Mapping, and Records of Process
  4. Understanding Data Subject Rights (Individual Rights) and Their Importance
  5. The Foundation of Privacy Contracting
  6. Choice and Consent: Key Strategies for Data Privacy
  7. Managing the Complexities of International Data Transfers and Onward Transfers
  8. Emerging Technologies in Privacy: AI and Machine Learning for Privacy Professionals
  9. Privacy Program Management: Buy-in, Governance, and Hierarchy
  10. Managing Privacy Across the Organization
