Consent Management with GDPR in mind

Posted by Corné van Rooij, iWelcome,

As we all know, GDPR will have a big impact on Consumer IAM projects. One of the typical Consumer IAM topics is consent. We have seen good discussions regarding it in the UMA standard (User-Managed Access, Kantara Initiative) and more recently around the new financial Open Banking API’s in PSD2. So it’s not new but it’s generally not a standard feature of an IAM solution. So let’s see what the GDPR has to say about it and why it’s going to remain a significant topic for Consumer IAM going forward.

Consent needs to be given by the individual / consumer (data subject) for the processing of personal data relating to him or her (unless one of the exemptions of article 6 applies). That consent needs to be: “freely given, specific, informed and unambiguously”. Un-what? a difficult word to say: crystal clear. You have to be clear what you are using an individual’s personal data for, the individual needs to be well informed about it and must make his or her decisions freely. So, no short unclear explanations. Pre-Ticked boxes that need to be un-ticked; also specifically forbidden in the GDPR as this may indicate a preferred choice.

How does this impact IAM systems? Well it does for 100%, as storing the data is, defined by the law, “processing”. And as most personal data will be stored in the Users Profile, a key place in a Consumer-IAM system, consent mechanisms need to be present.

When should consent be requested?

First of all, when asked for input of (new) personal data, unless one of the exemptions applies (for instance the processing of data “for the performance of a contract”, article 6). Asking for a delivery address for a book that the individual ordered in an online bookstore is fine, but you can only use the information for that particular purpose unless you ask for consent (specifying information and reason) for that. Asking for a phone number in case there is a problem sending the book is fine, as long as you specifically mention that use and leave the choice up to the customer. However, you are not allowed to use the phone number for anything else in the future, so it is better to keep it only for a month (retention) and/or ask consent to store that information for further order tracking as well. For sensitive personal data like biometric data or genetic data, you always have to ask consent (unless one of the exemptions of article 9 applies). This is called “explicit consent” in the law and means that you have to do an affirmative act. For example checking a box to confirm that the data you have just entered will be used for the reason specified. In the case of the address, it would be enough to mention at the address box that the address would only be used to send the book, no extra tick-box needed.

Does this also have an impact on social login / registration?

Yes, it does: you will have to ask consent, as you are the Data Controller under the GDPR, and you can not rely on the consent given by a user to Facebook regarding the gathering of information. Also because Facebook does not tell what the purpose of the processing will be, which you have to tell during consent according to the GDPR. It becomes even more complex when you take into account that withdrawing consent also means removing the users’ data from your system, as you are no longer allowed ‘to process it’. So you need to keep track of what data you gather from what source, if consent has been given (mandatory) and what the purpose was (the scope of use).

Once given, always valid?

No, consumers (data subjects) have the right to revoke their consent at any time, and it must be as easy to withdraw consent as it is to give it. The latter more or less prescribes simple clear web-based consent management as giving consent is often an easy web driven process too.

There are specific limitations that apply when asking consent of children under 16 (or maybe 13 in some countries), the parental consent.

It’s also important to note that it is not allowed to offer a service that has a (mandatory) consent on data that is not needed for the service being offered. So you can’t ask, even not with consent, for information that you will not use to offer the actual service, and mandate that information. It’s not allowed to ask consent on data you are not going to use. Data gathering just for the sake of it or for purposes not yet defined / clear or “future use”, is no longer possible. I think we all know of services that were offered for free, where we did not know how data processors were going to use our personal data in the future… Well, they can’t do that anymore, unless they want to risk a big fine. The only other option is asking your consent for every new or extended use.

The GDPR in all official European languages can be found here: