The text in this article may include ControlShift's interpretation of the GDPR and/or interpretations we've heard from other organizations. This article should not be considered legal advice. Please seek independent legal counsel to ensure your compliance with the new regulations.
The GDPR mandates that organizations acquire consent before processing the data of EU Data Subjects. Please note that, in ControlShift's understanding, this compliance area is separate from email or general communications consent. Broadly speaking, communications consent deals with the emails/sms/calls that you use to contact supporters. Data processing consent deals with the initial collection of their data and any ongoing processing, which can include an array of activities.
As with all things GDPR, we've heard a wide range of legal interpretations from our customers around what type of consent is required for compliant data processing. Generally, the two ends of the spectrum are:
- Implicit Consent, which shows the user a consent message above the button a user must press to take action. Organizations using this basis for consent have argued that processing data is intrinsic to the service provided (e.g. signing a petition).
- Explicit Consent, which requires a checkbox to be checked before the user's personal information is accepted by the platform. Organizations using this basis for consent have cited Recital 32 of the GDPR which states "Consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of personal data...Silence, pre-ticked boxes or inactivity should not therefore constitute consent."
Choosing A Consent Type
Implicit Consent: For organizations planning to use implicit consent, ControlShift allows the organization to set custom EU data processing text, which will be displayed on pages where users are taking action. For example, this text will be included above: a petition's Sign button, the new account page's Sign Up button, and an event's RSVP button (and on other pages where users enter their personal information). To set this text, go to the admin homepage > Settings (under Configure) > Content > Petitions > EU Data Processing Consent Label. Then, send us an email and we'll enable implicit consent for you.
Explicit Consent: For organizations planning to use explicit consent, ControlShift offers an EU GDPR consent checkbox. Depending on the organization's configuration (that is, whether the organization is based in the EU or only sometimes processes EU data subjects' information), we'll either always show the opt-in checkbox or only show it if the user indicates that they live in an EU country. When the checkbox is enabled, users will not be able to take action unless the box is checked.
Please note: as you can see in the example above, it's possible that your organization may have a "join" checkbox, which is separate from the data processing consent box. If it's possible for a logged out user to sign a petition without checking the box, then it's not a GDPR data processing checkbox.
If your organization would like to enable explicit consent, please send us an email. We'll enable the checkbox for you and you'll be able to set the checkbox label's text from the admin homepage > Settings (under Configure) > Content > Petitions > EU Data Processing Consent Label.
Please note: although this piece of content is included in the Petitions subsection of the Content tab, the opt-in checkbox is not just used for petitions. It will also be included on the new account page, event pages, group page, contact messages popup, and anywhere else that asks for personal data.
Tracking a User's Consent History
When a user takes action on the site, we keep a log of what specific language they consented to. This information is included in a few places, including the member page and the signature record.
To view the consent version histories on the signature record page, you can either:
- Go to the appropriate petition > Admin > Signatures > search for the correct email address > Details.
- Go to the org admin homepage > People > search for an email address > go to the member page > find the appropriate signature line > Details.
Clicking the content version links will bring you to the appropriate asset in the Content tab. In the history tab of that piece of content, you'll be able to see the specific text in each version.
You can also track consent version from the member page. To view the consent history from the member page, go to the admin homepage > People > search for an email address > go to the member page.
In addition to tracking consent opt-ins in the platform, we also include this information in the appropriate API and webhook endpoints. Depending on your organization's technical capacity, you can use these endpoints to track consent outside of ControlShift. More information on our endpoints can be found here: https://developers.controlshiftlabs.com.
Tracking Platform Consent Versions
On this page, admins can also specify an External ID for each consent version. This can help you match your consent version across multiple platforms.
The GDPR has numerous requirements and hefty fines for non-compliance. The information included here is not legal advice, and we strongly recommend that all organizations using ControlShift seek legal counsel to ensure that they comply with the GDPR and all relevant laws.