Whenever a data subject is about to submit their personal information the data controller (usually a company) has to make sure the data subject has given their consent. The GDPR steps up the standard for disclosures when obtaining consent, as it needs to be “freely given, specific, informed and unambiguous,” with controllers using “clear and plain” legal language that is “clearly distinguishable from other matters”. Controllers will also be required to provide evidence that their processes are compliant and followed in each case. Previously, under the DPD, consent could be inferred from an action or inaction in circumstances where the action or inaction clearly signified consent. Thus, the Directive left open the possibility of “opt-out” mechanism. However that will change under the GDPR which requires the data subject to signal agreement by “a statement or a clear affirmative action.”
Essentially, your customer cannot be forced into consent, or be unaware that they are consenting to processing of their personal data. They must also know exactly what they are consenting to and they must be informed in advance of their right to withdraw that consent. Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity. This means that informing the user during the opt in is becoming more important in the future.