
Be careful with hiding everything behind "consent", because consent cannot be a precondition for providing a service. Put differently: if a user does not consent, you cannot refuse them the service if the data you wanted to collect is not strictly necessary to provide the service.

The alternative is to only collect data that is strictly necessary to provide the service. In that case GDPR allows you to collect the data even without explicitly given consent – according to GDPR in that case the user can reasonably expect the data to be necessary to provide the service. (This does not apply to sensitive personal data and biometric/genetic data – then you always need consent.)

Quoting GDPR:

"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement." [1]

"Consent is presumed not to be freely given [...] if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance." [2]

[1] https://gdpr-info.eu/recitals/no-32/

[2] https://gdpr-info.eu/recitals/no-43/




> consent cannot be a precondition for providing a service

IANAL.

This is more nuanced than it appears, as it is balanced against the firm's right to conduct business.

If you're generating leads by providing a whitepaper, then realistically you're not going to be penalised for saying "you need to consent to receive our newsletter to access this whitepaper".

On the other hand, an airline saying "you can only book a flight on our plane by consenting to us sharing everything we know about you with loads of third parties" would be frowned upon.

Our GDPR lawyer at least has advised not to ask for consent, since it is difficult to establish whether it was given, and has not been withdrawn. It's easier to rely on legitimate business use and NOT ask for consent, as long as it genuinely falls into that category.


I think we agree; it seems better to rely on legitimate interest than ask for consent for everything. (Although it does require thinking about and actually having a legitimate interest.)


It raises an interesting question. What if some publisher, say, a newspaper, can show highly targeted ads for $3 CPM, or generic ads for $1 CPM?

Can such a publisher claim that collecting data is strictly necessary to provide the service? With a threefold difference in ad revenue, that could actually be the case.


Good question. This would be an appeal to "legitimate interest" as a legal basis for collecting personal data. GDPR explicitly states that if the legitimate interest is direct marketing, then the user may always object to such processing, and this right must be clearly indicated.

[1] https://gdpr-info.eu/art-21-gdpr/


IANAL, but most probably not. When thinking about "strictly necessary to provide the service", one should think in terms of technical feasibility, as in "can the service be technically provided without that data?" not in terms of profitability.


I do wonder if you can charge a consent price and a non-consent price, or if that would be fundamentally equivalent to not providing the service?


How is "strictly" defined? I'm going to guess it's defined as "the magistrate knows it when it sees it", so take it to be both "don't use the most egregious interpretation" and "don't be a populist punching bag that governments can make hay out of attacking".


Any data you collect that you do not unambiguously need to provide the service would be an appeal for "legitimate interest" as a legal basis for collecting it. There are a number of things GDPR writes about it and of course you cannot be sure how this will play out in practice, but the main points are:

* it must be reasonable from the user's perspective

* there must be alternative; you cannot achieve the goal (your "legitimate interest") without it

* it must be balanced with the rights of the user, and not infringe on their freedom or fundamental rights

* if your "legitimate interest" is direct marketing, the user can always object, and you are required to actively inform the user of this right

See also [1]

[1] https://gdpr-info.eu/recitals/no-47/


I think you meant "no alternative" under the second bullet point.


Strictly has a pretty clear definition.

If you can provide a service strictly devoid of the PII it means there is no logical necessity for PII.

You can't provide a call-waiting service without a phone number, but you can provide a mail-redirection service without one. Even though it makes it easier to administer when you have a customer phone number, you can strictly provide (and bill/administer) the service when that information is absent.


From molf's comment:

> The alternative is to only collect data that is strictly necessary to provide the service.

While I agree with your comment, I suspect that for any given law firm, paramTotalHours_Billable(SubjectID = necessary) will be a much larger value.


I assume it's "you cannot provide said service without having said data".


Genuine question - What if the service is defined as the publisher letting you read content in exchange for being shown targeted advertising? That IS the business model of most publishers right?


Right, but that means you have to have some mix of legitimate interests and consent, and makes this whole thing an expensive exercise, both in terms of code and legal time. If you have an ad supported service, this is going to be painful.
