Consent is a part of every major modern data privacy regulation, but there’s no global standard. For example, Europe’s GDPR is considered an “opt-in” jurisdiction, meaning that organizations must obtain an explicit and affirmative consent from an individual prior to collecting, processing, or storing personal information collected from individuals. California’s CCPA takes the opposite “opt-out” approach, with consent assumed to be provided, and organizations are required to provide a mechanism for individuals to withdraw their consent, at which point companies need to restrict their collection, processing and storage of an individual’s personal information. This creates a potential compliance landmine for organizations looking to comply with regulations on a global basis; how can they comply given the differences among the laws?

Consent by Jurisdiction

Let’s walk through some of the major legislation currently on the books. The table below outlines consent obligations, specifically for websites, for CCPA, GDPR, and LGPD:

RegulationConsent and Response Obligations
CCPA – California– Assumes consumers to have provided consent for data to be collected, and organizations must provide an easy opt-out process for consumers to restrict processing.
– Requires businesses to have a “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on websites, giving consumers the right to opt out from the selling and/or disclosing of their personal information.
– CCPA’s definition of “sale” applies to the exchange for value of all consumer information, including sharing personal data captured by cookies and other tracking technologies with third parties.
GDPR – Europe + UK– Requires businesses to prompt consumers to “accept” cookies and other tracking technologies before progressing on a website. Without a consumer’s explicit consent, businesses can’t collect or share their data.
– For consent to be valid under GDPR, a consumer must actively confirm their consent, such as by ticking an unchecked opt-in box.
– Data subjects may request that a controller restrict any type of data processing of personal data if:

1. The data subject contests the accuracy of the personal data.
2. The processing is unlawful, but the data subject agrees to restriction.
3. The controller no longer needs the personal data for processing, but data are required by the data subject to establish or exercise a legal claim or defense.
4. The data subject has objected to processing pending verification of whether the controller can process on other legal grounds.
LGPD – Brazil– Requires businesses to prompt consumers to “accept” cookies and other tracking technologies before progressing on a website. Consent must be a “free, informed and unambiguous manifestation whereby the data subject agrees to her/his processing of personal data for a given purpose”.
– For consent to be valid under LGPD, a consumer must actively confirm their consent, such as by ticking an unchecked opt-in box.

Key Takeaways

There’s no one-size-fits all solution to global data privacy; implementing a static solution will lead to financial penalties that could be otherwise avoided by leveraging technologies to take the kind of dynamic approach needed to comply with global regulations as they continue to be enacted, implemented and modified.

How Can Clym Help?

Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with GDPR, CCPA, LGPD and other laws as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt-out of data collection while not infringing upon the website UI that businesses rely on to drive revenues.  Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.