Opt-In / Opt-Out

For data processors, the choice architecture of consent often comes down to ticking or un-ticking a box. The seemingly small difference between opt-in and opt-out fields has big implications for privacy compliance.

In a nutshell, an opt-in case is when users must proactively consent to a processing activity, and accepting of terms, or some other on-site activity. An opt-out case assumes consent unless the user proactively denies it, most often by de-selecting a box on-site. It’s a small difference in process that can make a big difference in how regulators assess compliance. 

Opting out may not seem like a lot of extra work, but user experience testing shows that pre-selecting consent and making a user de-select is a far more effective tool for gaining consent than opting in. Consequently many regulators don’t believe that opt-out policies represent “meaningful” consent. GDPR effectively bans opt-out as a method of consent by mandating “clear affirmative” action. 

While marketers may fret at the data leveraging foregone due to required opt-in consent, it should be noted that consent is only one of six scenarios in which it is lawful to process data under GDPR. The other five are:

  • A contract with the individual
  • Compliance with a legal obligation
  • Vital interests
  • A public task
  • Legitimate interests

If those terms seem vague, you can read more about the conditions for lawful processing of data under GDPR here


Privacy Policy

Privacy Policies are a ubiquitous part of life on the web, but thanks to recent reform, they’re more prominent to users than in previous times. Around the time of GDPR went into effect, website visitors grew accustomed to “We’ve Updated Our Privacy Policy” pop-ups around every corner. While they may have had a slightly negative impact on the browsing experience, the notification was absolutely necessary. 

That’s because more than ever, company Privacy Policies are an essential forum for demonstrating regulatory compliance, both to the powers-that-be and to consumers. There’s no better place to show visitors to your site that you’re taking their privacy seriously, and under both GDPR and CCPA, Privacy Policies are expected to contain more information than ever. The EU has assembled a useful guide for how to craft compliant Privacy Policies that you can read here. As of the time of writing, CCPA’s “Privacy Notice” requirements are still being debated via a series of amendments to the original bill. But the IAPP recently applied a preliminary CCPA analysis to one app’s Privacy Policy that makes for instructive reading.

Data Mapping

The first step to managing the requirements of privacy-related activities like Data Subject Requests and Minimized Access Control is to understand where your data lives and what information it contains. The most common output of this exercise is a data map, a schema that shows points of data collection, transformation, processing, and retention – essentially a map of a data point’s journey through the organization. 

Although GDPR and CCPA don’t explicitly mandate that organizations produce a data map, it is the most practical way to account for a myriad of requirements including Articles 28, 30, and 35 in GDPR.

Data Mapping is also essential for any business hoping to comply with the CCPA’s “Look Back” Requirement, under which businesses must be able to provide a data record looking back 12 months from the time a consumer requests their information. 

As more territories pass digital privacy laws, it will become essential for companies to maintain granular control over their data map so that they understand what data lives where, and the capabilities they must have in surfacing records by region. In sum, before performing any of the other required activities under GDPR, CCPA, and more, businesses must first build a data map.

DPIA (Data Protection Impact Assessment)

Data Protection Impact Assessments are a key part of privacy best practice. They pose a unique administrative challenge, and so their correct execution signifies a deep commitment to getting privacy right. We wrote here about some of the reasons why they are so tough to do well. In a nutshell, a DPIA is a report that a business should complete when they undertake any processing activity that has risk implications for their user data. 

DPIAs are challenging because they involve close coordination between a variety of business departments – legal, tech, and others – and they require stakeholders in each of those departments to have a detailed understanding of user privacy. Given this difficulty, and given that DPIAs are not “consumer-facing” in the same way as Data Subject Requests, many businesses have opted to take a “managed-risk” approach. They may conduct them manually only for the largest or riskiest operations and skimp on them for day-to-day activities that they deem lower risk. But if they then are forced to account for privacy-related decisions, through audit and complaint, and lack DPIA documentation, they can quickly find themselves without a legal foot to stand on.

DSR (Data Subject Request)

A DSR is one of the most operationally significant aspects of user data privacy under new pieces of legislation like GDPR. Under GDPR any user (ie a civilian in the EU) has the right to formally request access, rectification, or erasure of the data that a company keeps on them. Access to that data must also be shared in a portable format; so for example, a clearly labeled spreadsheet. 

In plain terms, the basic challenge companies face with a DSR is, upon receiving a request, speedily access a comprehensive data record for a certain individual, provide it in a digestible format to the individual, and comply with individual requests to rectify or erase that data. This seemingly straightforward exercise can be a huge challenge for large companies with a disorganized network of data stores and third-party partners. Even the basic task of confidently producing an exhaustive data record can prove elusive.

But the fact remains that managing DSRs is not negotiable in this new era of data privacy. Whether an organization chooses to implement manual or automated processes for dealing with its subject requests, the topic cannot be ignored.