Consent - Why an audit trail is important

Stine Mangor Tornmark
Written by
Stine Mangor Tornmark
on
March 20, 2020

The GDPR and the Danish Marketing Practices Act state that if you can’t prove your consents, then they don’t exist. It is your responsibility to make sure you have consent from your users - you are accountable.

Businesses today are generally online and collecting large amounts of data about their users and customers. Those who can’t document that they have obtained compliant consents are taking a huge risk - as proper documentation is a requirement for compliance. In this blog, you can find out more about the rules for consent, including the data you need to collect and document to ensure compliance, and the consequences if you can’t prove obtained consents.

Installing Segment custom source

There are a number of steps that can be taken to ensure compliance, including mapping out data flows, your processes, and storing your data securely. But one of the most crucial steps you can take to ensure compliance, is to have consents from your users. And if you can’t prove the consents, they don’t exist in the eyes of the data authorities, the law, the GDPR and marketing law regulations. This is important, because without consent evidence - you don’t have the right to access or use the data, or e.g., to nurture your leads. The consequences of not being able to document consent can therefore be costly, which is why documenting consent and having an audit trail is essential.

Which rules apply?

The requirements for obtaining and documenting consent come from different and sometimes overlapping legislation, and are dependent on the different types of consents you need to collect. Some of the consents that you should always obtain and be able to document are as follows:

  • Consent to your Terms & Conditions,
  • Consent to cookies,
  • That you provided your users, clients, employees etc., with
    information about how you process their data (e.g. your privacy policy),
  • Email marketing consent,

As an example, email marketing consent must be obtained from people, before you can send them newsletters and other types of email marketing, i.e. nurture leads, prospects, potential clients, etc.

The rules regulating how to obtain a compliant consent come from the GDPR, the marketing practices Act and guidance from authorities like the ICO (the English data authority), the Danish Consumer Ombudsman and CNIL (the French data authority). Listed below are some of the overall EU rules you need to be aware of, and what they relate to.

EU legislation for ensuring proper consent

LegislationWhat is definedGDPR art 4(11)The definition of consentGDPR 5.2 Accountability GDPR Article 7Consent requirementsGDPR art 30DocumentationRecital 82 in GDPRIn order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.The E-privacy DirectiveCookies rulesThe E-commerce DirectiveRules regarding e-commerce and service providers

These rules should be followed alongside local marketing rules, which are country-specific. In Denmark, companies are obligated to follow the Danish Marketing Practices Act. Article 10 of the Danish Marketing Practices Act covers the rules around email marketing and includes how to ensure compliance in obtaining email marketing consent.

Which data do you need to prove consent?

There are a number of different data points you need to collect to have sufficient consent evidence, these are:

  • The date and time of the specific consent
  • The user’s information given in connection with the consent, e.g. the user’s name, email, IP address etc.
  • What did the user give consent to, more specifically
  • If the user consented to receive email marketing, what was the consent text that the user consented to, e.g. “Yes, I would like to receive email marketing about shoes and clothing from Company A”
  • If the user was informed about your privacy policy, what information did you give the user, e.g. “We process your personal data in accordance with our Privacy Policy (LINK (to privacy policy))”
  • If the user was asked to consent to your Terms & Conditions, what was the wording of the specific consent, e.g. “I hereby accept Company A’s Terms & Conditions”
  • What did the button say when the user signed up, e.g. “yes, sign me up”
  • How did the user give his / her consent, e.g. opt-in, opt-out, implied / implicit etc.
  • What was the specific wording of the terms & conditions that the user consented to or
  • What was the specific wording of the privacy policy that the user was informed about

Additionally with the email marketing consent, you also have to be able to document that you gave them information about how to unsubscribe.

There is a big focus on the wording used in consent forms, including widgets and buttons, as well as the wording in a company's privacy policy and terms and conditions. This is because the consent must be given freely and it must be specific.

Document key data points with Openli

Why it's important to be able to prove your consents

Being a legal requirement in regards to the validity of your consents, the benefits of being able to document your consents are somewhat implicit. We have, in the past two years, started to see the consequences of GDPR, in the form of fines and negative press. Avoiding these are obvious benefits, but there are other risks to not documenting consents. With more opportunities to collect data about our consumers than ever, a database can provide a competitive advantage in marketing and sales. Obtaining these insights and databases require at the very least time and effort, and in some cases money. So imagine if the whole database, along with all the insights suddenly had to be deleted. This is just one consequence a rising number of companies has been met with, after failing to secure proof of consent.

Another consequence businesses have experienced is that the value of a business could also decrease dramatically. Since GDPR came into effect, valuation of businesses by VCs (venture capital) and business angles have also been based on whether a company had the rights to their data, and if they were compliant. And if they weren’t transactions were either stopped or the valuation of the business decreased.

In summary without a compliant consent businesses risk:

  • Negative press
  • Impact on brand value
  • Decrease in valuation
  • Have the rights to your email marketing database
  • Fines

Consent management solutions: documenting consent with Openli’s Audit Trail

One way of documenting consents and ensuring compliance is through consent management solution Openli. With Openli you can track and store given consents and maintain an overview of obtained consents.

Join our in-house legal & privacy community

Join one of the fastest growing legal communities in Europe. Learn, share, connect and meet inspiring legal professionals, leaders and experts all for free.
Openli community
Apply to join

Privacy Newsletter

Sign up for a regular dose of news and updates from the legal landscape.