Ask someone on the street to explain what a consent receipt is and the chances are they won’t be able to. Yet recent shifts in legislation on data collection mean that both consumers and companies will increasingly encounter digital receipts when submitting or processing personal data.
Simply put, a consent receipt is a proof document that an individual receives each time they give or withdraw consent to process their personal data.
Whether setting up an Instagram account or buying concert tickets online, users are almost always required to submit personal details to a private company. A business can then use this information for several purposes, including delivering products, improving customer service, marketing, and much more.
Consent receipts provide proof that an individual has allowed a company to store and/or use their personal data in a certain way. The receipts, which are time-stamped and encrypted, come in the form of a brief document stating the essential details of the transaction, just like a physical receipt a customer receives when buying an item in a store. They also specify the reason for collecting the data, type of data collected and information about data processors and partners that have access to the user’s data.
But why should a company care?
As data breaches have become more common, concerns have grown over online privacy and data storage. Businesses now need to change the way they address personal data to respond to regulatory challenges, and consent receipts provide them with a means of proving their compliance with new rules for the collection and use of personal data.
In May 2018, the EU enforced a new privacy regulation called the General Data Protection Regulation (GDPR), introducing dramatic shifts in the way businesses collect, store and use customer data. When storing or using an individual's personal data, implied consent is no longer sufficient.
Now, companies must be able to prove that they received explicit consent from users allowing them to use their personal data for a certain purpose, for example receiving marketing content from partner organisations or being signed up to mailing lists. Additionally, an individual must have the right to withdraw their consent at any time. If someone objects to a particular use of their personal data, a business must also be able to prove when and how an individual consented to the use in question.
Failure to comply is costly. Under the GDPR, non-compliance can cost a company up to 4% of its annual global revenue, or €20 million, depending on which sum is greater.
In short, the new legislation does wonders to empower the individual but leaves companies with more work to do to ensure the transparent collection and processing of customer data.
This is where consent receipts can lend companies a helping hand. Companies should – and will – have to generate these legally binding receipts, though there is little implementation right now and few companies have developed robust strategies for managing their personal data banks.
To help companies prove compliance with respect to user consent, we’ve designed our own consent receipts that are generated whenever a user performs a consent action. The receipt captures the purpose and type of data collection, as well as information regarding data processors and partners that have access to the user’s data, so that consent can be passed on to the partners if necessary.
The tool is simple and powerful, allowing businesses to save time when ensuring compliance with data privacy regulations whilst simultaneously building up their reputation as a transparent and trustworthy client among their customer base.