This is the second blog topic (consent) about the impact of GDPR on Consumer IAM projects, part of a sequel where we will touch on all the important topics for IAM experts interested in the new EU regulations.
Consent is a typical Consumer IAM topic and we have seen good discussions regarding it in the UMA standard (User-Managed Access, Kantara Initiative) and more recently around the new financial Open Banking APIs in PSD2. So it’s not new but it’s generally not a standard feature of an IAM solution. So let’s see what the GDPR has to say about it and why it’s going to remain a significant topic for CIAM going forward.
Consent needs to be given by the individual/consumer (data subject) for the processing of personal data relating to him or her (unless one of the exemptions of article 6 applies). That consent needs to be: “freely given, specific, informed and unambiguously”. Un-what? a difficult word to say: crystal clear. You have to be clear what you are using an individual’s personal data for, the individual needs to be well informed about it and must make their decisions freely. So, no short unclear explanations. Pre-Ticked boxes that need to be un-ticked; also specifically forbidden in the GDPR as this may indicate a preferred choice.
How does this impact IAM systems? well, it does for 100% because storing the data is, defined by the law, “processing”. And as most personal data will be stored in the Users Profile, a key place in a Consumer-IAM system, consent mechanisms need to be present.
When should consent be requested?
First of all, when asked for input of (new) personal data unless one of the exemptions applies (for instance the processing of data “for the performance of a contract”, article 6). Asking for a delivery address for a book that the individual ordered in an online bookstore is fine, but you can only use the information for that purpose and nothing else unless you ask for consent (specifying information and reason) for that. Asking for a phone number in case there is a problem sending the book is fine if you specifically mention that use and leave the choice up to the customer. However, you are not allowed to use the phone number for anything else in the future, so it is better to keep it only for a month (retention) and/or ask consent to store that information for further order tracking as well. For sensitive personal data like biometric data or genetic data, you always have to ask consent (unless one of the exemptions of article 9 applies). This is called “explicit consent” in the law and means that you have to do an affirmative act which can be to check a box to confirm that the data you have just entered will be used for the reason specified. In the case of the address, it was enough to mention at the address box that the address would only be used to send the book, no extra tick-box needed.
Does this also have an impact on social login/registration?
Yes, it does: you will have to ask consent, as you are the Data Controller under the GDPR, and you can not rely on the consent given by a user to Facebook regarding the gathering of information. Also because Facebook does not tell what the purpose of the processing will be which you have to tell during consent according to the GDPR. It becomes even more complex when you take into account that withdrawing consent also means removing the users’ data from your system, as you are no longer allowed ‘to process it’. So you need to keep track of what data you gather from what source if consent has been given (mandatory) and what the purpose was (the scope of use).
Once given, always valid?
No, consumers (data subjects) have the right to revoke their consent at any time, and it must be as easy to withdraw consent as it is to give it. The latter more or less prescribes simple clear web-based consent management as giving consent is often an easy web driven process too.
There are specific limitations that apply when asking consent of children under 16 (or maybe 13 in some countries) which we will cover in a later topic in this GDPR sequel.
It’s also important to note that it is not allowed to offer a service that has a (mandatory) consent on data that is not needed for the service being offered. So you can’t ask, even not with consent, for information that you will not use to offer the actual service and mandate that information. It’s not allowed to ask consent on data you are not going to use or you don’t know if you are in the future or you don’t know for what purpose. Data gathering just for the sake of it or for purposes not yet defined / clear or “future use”, is no longer possible. I think we all know of services that were offered for free, where we did not know how they would use our personal data in the future... Well, they can’t do that unless they want to risk a hefty fine or they must ask your consent for that new or extended use.
Next week we will cover the “Transparency” topic, which is about the obligations of organisations to provide extensive information to individuals about the processing of their personal data.
The GDPR in all official European languages can be found here:
In a series of 9 blogs, we will dive deeper into the specific parts of the GDPR and their effect on IAM.
- Why IAM will never be the same.
- When should consent be requested?
- Why transparency is key to building trust.
- Strict regulation of automated individual decision making.
- What is sensitive personal data?
- Privacy by Design & Data protection by Design.
- Special rights for the individual like “right to be forgotten”
- Data breach communication.
- Children's privacy under GDPR.
Feel free to repost this blog on your website! But when you do so, please be so kind to mention the source and give us a notice via firstname.lastname@example.org
Corné van Rooij
VP Product & Strategic Alliances at iWelcome
Corné has been working in the security market for more than 20 years of which the last 15 years at two well known Identity Management Vendors.