1. News
July 6, 2018

Companies are failing to make terms of GDPR consent clear

By Robert Scammell

Many companies are not making it clear what they plan to do with users’ data when obtaining GDPR consent, according to the managing director of a customer profile and identity management software provider.

Under the General Data Protection Regulation (GDPR), individuals must give active consent to companies wishing to use their data.

Failure to comply could see businesses fined €20m or 4% of global annual turnover — whichever is higher.

For larger organisations, this could result in some eye-watering penalties.

However, research by the BBC has found some of the language used in privacy policies requires a university education to be understood, raising fears that children may be agreeing to terms they can’t comprehend.

According to the Information Commissioner’s Office (ICO), the public body responsible for enforcing GDPR, “Explicit consent requires a very clear and specific statement of consent.”

Janrain’s managing director for Europe, Mayur Upadhyaya, warned that there is a “real issue” when it comes to collecting consent.

He said that consent is typically bundled into very large terms and conditions that are often meaningless to the end user.

Some terms and policies can take almost an hour to read, with Spotify’s combined policies totalling 13,000 words.

GDPR consent should be in context

One way that companies could ensure the terms of consent clear is to ask for “consent in context”, which Upadhyaya described as “meaningful to the end user”.

A mobile app, for example, could ask “could we please use your location to personalise your experience?”

“Asked in this way, requesting this access is both meaningful and consumable,” said Upadhyaya.

There have been concerns that customers will start to lose trust if proper attention is not given to their privacy.

A recent survey by Janrain found that 57% of respondents were more concerned about data privacy since the Cambridge Analytica scandal.

“Tech giants obfuscating their intent like this will continue to erode consumer confidence,” said Upadhyaya.

Public bodies have also come under fire, with a privacy group accusing Her Majesty’s Customs & Revenue (HMRC) of breaching GDPR after it emerged it has been collecting the voice print of taxpayers without their permission.