What Defines User Consent?
- An individual’s consent has to be “freely given, specific, informed and unambiguous”.
- Consent cannot be inferred from silence, pre-ticked boxes or inactivity.
- GDPR requires positive action from the individual for consent to be valid.
- The onus is on companies to prove that consent has been obtained lawfully.
Processing Consensual User Data
What? Pseudonymisation: the processing of personal data to ensure that it is no longer directly linked to an individual – by encryption, hashing or ‘tokenisation’.
How? Encryption at the point of collection for non-identifying data (with a randomised cookie ID) enables recognition but not identification of an individual.
Why? The benefits of pseudonymisation are:
(i) increased privacy and security and
(ii) relief from the rights of access, rectification and erasure.
NOTE. Whatever form of pseudonymisation is used, the data should still be regarded as personal data under the GDPR.
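The following is an added example, not part of the original page, showing hashing-based pseudonymisation at the point of collection and why the output remains personal data. It assumes HMAC-SHA256 as the keyed hash; the function names, field names and sample events are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: the controller holds this key separately from the event store.
PSEUDONYM_KEY = secrets.token_bytes(32)


def new_cookie_id() -> str:
    """Randomised cookie ID: carries no information about the person."""
    return secrets.token_urlsafe(16)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a normalised direct identifier."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def collect(event: dict, key: bytes) -> dict:
    """Replace the direct identifier before the event is stored."""
    stored = {k: v for k, v in event.items() if k != "email"}
    stored["subject"] = pseudonymise(event["email"], key)
    return stored


def relink(candidate_email: str, stored: dict, key: bytes) -> bool:
    """The key holder can test whether a stored record belongs to a known person."""
    return hmac.compare_digest(pseudonymise(candidate_email, key), stored["subject"])


# Constructed sample events (not real data).
cookie = new_cookie_id()
e1 = collect({"email": "Alice@example.com", "cookie_id": cookie, "page": "/pricing"}, PSEUDONYM_KEY)
e2 = collect({"email": "alice@example.com ", "cookie_id": cookie, "page": "/signup"}, PSEUDONYM_KEY)

if __name__ == "__main__":
    print("same subject recognised:", e1["subject"] == e2["subject"])
    print("email stored:", "email" in e1)
    print("key holder can re-link:", relink("alice@example.com", e1, PSEUDONYM_KEY))
    print("different key re-links:", relink("alice@example.com", e1, secrets.token_bytes(32)))
```

Both events map to the same pseudonym, so the individual is recognised without the email being stored, yet anyone holding the key can re-link a record to a known person, which is why the NOTE above still applies.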