GDPR Art. 7: Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.
If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
This means that no more trickery can be used (you agree to something that can change over time and it still binds you), and no more auto-implied consent (you agree to something specific, and they use that consent for anything else). Let's see a few bad examples that are NOT GDPR compliant and that you should NEVER use again!
A real-life scenario for this would be:
An apple stand visitor walks up to the shop and sees, above the basket of apples, a wall filled with signs. Some of those signs contain information necessary for her purchase, such as price, the method of payment, and delivery details, and are displayed prominently in the centre of the wall. Others she may quickly disregard, including advertisements for other fruit stands. Among them is a sign binding her to additional terms as a condition of her purchase. Has the apple stand owner provided reasonably conspicuous notice?
Let's see the previous bad examples after they have been made GDPR compliant:
- Put the "Register" button right underneath the call-out line so that it is not possible to miss it (for example, by not seeing it because of scrolling).
- Retain the following information in connection with each clickthrough so you can prove you acquired consent properly: who consented, when they consented, what they were told at the time (terms and policies they agreed to), how they consented, and whether they have withdrawn consent (and if so, when).
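
One way to keep the clickthrough record described in the last point, as an added example that is not part of the original article. The class, field names and sample values are hypothetical, and chaining each entry to the previous one by hash is an assumption added here so that later edits to the log can be detected.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentLedger:
    """Append-only, hash-chained consent log (hypothetical); append in time order."""
    def __init__(self):
        self.entries = []

    def _append(self, event, subject_id, when, **fields):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"event": event, "subject_id": subject_id, "when": when.isoformat(),
                "prev_hash": prev, **fields}
        self.entries.append({**body, "entry_hash": _digest(body)})
        return self.entries[-1]

    def record_consent(self, subject_id, when, terms_version, terms_text, mechanism):
        # "What they were told": version label plus hash of the exact text shown.
        shown = hashlib.sha256(terms_text.encode()).hexdigest()
        return self._append("consent", subject_id, when, terms_version=terms_version,
                            terms_sha256=shown, mechanism=mechanism)

    def record_withdrawal(self, subject_id, when, mechanism):
        return self._append("withdrawal", subject_id, when, mechanism=mechanism)

    def status(self, subject_id, at):
        """Return the consent entry in force for subject_id at time `at`, else None."""
        seen = [e for e in self.entries
                if e["subject_id"] == subject_id and datetime.fromisoformat(e["when"]) <= at]
        return seen[-1] if seen and seen[-1]["event"] == "consent" else None

    def verify_chain(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                return False  # entry altered or chain broken
            prev = e["entry_hash"]
        return True

def demo():
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)  # constructed sample data
    ledger = ConsentLedger()
    ledger.record_consent("user-1001", t0, "tos-v3", "Sample terms v3", "Register click")
    ledger.record_withdrawal("user-1001", t0 + timedelta(days=30), "account settings")
    return ledger
```

Calling `status()` with a past timestamp answers whether consent was in force at that moment, which is the question a controller has to answer when asked to demonstrate consent.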