Granularity of consent is a question that repeatedly comes up in my free GDPR Facebook group, so I imagine you too have been confused over how many tick boxes you need for your subscribers, which types of marketing services should be split up with the tick boxes, and whether you even need tick boxes?!
The Article 29 Working Party Guidelines on consent under Regulation 2016/679 go into a lot of detail about consent as a whole and give some examples of valid and invalid consent. However, a lot is still not clear.
What is Granularity of Consent?
Granularity (noun) – the scale or level of detail in a set of data.
As we know, GDPR will set a higher standard of consent. As a business owner, and especially in terms of online marketing, you need to be clear, in sufficient detail, about what you are using a data subject’s personal data FOR.
What granularity of consent means is that it must be clear to your data subject what they are consenting to.
They must have a choice and be in control of what they choose to receive from you (in terms of email marketing). It will not be compliant to bundle the consent up into one tick box to receive everything and anything.
The Working Party Document says:
“A service may involve multiple processing operations for more than one purpose.
In such cases, the data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes.
In a given case, several consents may be warranted to start offering a service, pursuant to the GDPR.”
“When data processing is done in pursuit of several purposes, the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose.”
What we can translate that into saying is that when your subscribers sign up to your email list, you must let them choose for what purposes you will be contacting them using the data they are giving you (their email address).
Granularity of consent means that if your business is contacting subscribers about different types of services, you should offer them a choice about which service they want to hear about.
An example of this is a preference centre where you can choose the types of information you want to receive from a supermarket – groceries, holidays, clothing, wine club, third party providers.
Or a series of tick boxes at sign up where you can choose which lists you want to be on – men’s fashion, women’s fashion, kids’ fashion.
In the next paragraph, the working party document then provides this specific example:
“Within the same consent request a retailer asks its customers for consent to use their data to send them marketing by email and also to share their details with other companies within their group.
This consent is not granular as there is no separate consents for these two separate purposes, therefore the consent will not be valid.
In this case, a specific consent should be collected to send the contact details to commercial partners.”
Therefore, what that tells me is that if you are sending emails about your own business services, which they originally signed up for generally, then this is still ok.
You don’t need to go down to the absolute nitty gritty about which types of emails you’ll be sending – blog posts, newsletter, promotions – as long as it stays within the realm of the information they signed up for in the first place.
It’s only if you’re using their data for something ELSE that you would need an additional consent tick box.
The flip side of this argument is that too many tick boxes could be a bad thing.
For example, presenting your data subjects with a long list of choices could lead to click fatigue and serve the opposite purpose – they won’t read any of them, they’ll just tick them all, or click away from your site without doing anything.
Granularity of consent is not restricted to email marketing, though. However, for the purposes of this blog post, email marketing is all I am referring to, as it is the one that most people are struggling to understand.
The Working Party document also goes into details about websites (cookies) and other purposes such as behavioural advertising.
In my GDPR pack, there is a Data Processing Inventory that will determine the different purposes and types of processing that you undertake in your business.
There are also seven additional modules of actionable, ordered templates covering exactly what you need to become GDPR compliant.
So to round up, my guidance would be:
- Yes, it is sensible to offer tick boxes for options of marketing – emails, phone, and mail.
- All we know is that it must be granular so that data subjects have choice and control. To what standard, we don’t know as yet.
- The ICO haven't given exact details on every eventuality of how we get consent, but the principle is that consent should not be bundled.
- You shouldn't have one consent covering every processing purpose that you're going to do.
- The more that you can split how you’re processing someone’s personal data down and have separate consents for each purpose of processing, the better.
Don’t forget if you have any additional questions on this subject, please come over to the FREE GDPR For Online Entrepreneurs Facebook Group – do a search first as there have been so many questions, it’s very likely you will find the answer you are looking for.
Alternatively watch my epic 2 hour GDPR Mythbusting Webinar where I run through GDPR, common questions asked and what I suggest you do to become compliant in your small business.
Suzanne Dibble is a multi-award winning business lawyer who consults with multi-nationals on data protection law and the upcoming GDPR. The Legal Services Board and the Law Society have heralded her innovative approach to helping small business owners with complex regulations. Suzanne worked with Richard Branson at Virgin where she managed a group-wide data protection project which resulted in Virgin nominating Suzanne for the Solicitor of the Year Award and subsequently Suzanne was runner up in this prestigious award. Suzanne has had second to none training and experience at a top City law firm, leading billion pound deals and being on the board of a £100m+ business (resulting in her being listed in the Who’s Who of Britain’s Business Elite two years in a row). Suzanne is one of the few lawyers that really understands the online world and the small business world and puts law and regulation in the context of your business. There has been a lot of scaremongering and hype about GDPR (with the headline fines of 20m) and Suzanne brings a practical, balanced approach.
DISCLAIMER: as I do not know your individual circumstances, none of my blogs, my videos, my guidance in the Facebook group or any other materials available to you where I have not taken you on as a one to one client shall be construed as legal advice and I shall have no liability to you in any circumstances should you choose to rely on any of the materials I publish.