Consent wording

[fisicx]

I have developed a number of plugins all of which have forms that on submission stores the field data in a database. I want to add a consent option to these forms. The site owner can elect to include the option or not.

There will be some sample words on the form settings (that they can edit). My first draft is:

I consent to the data from this form being retained by the site owner in order to process and manage your order/application/request. The data will not be passed on or accessed by anyone other than the site owner or their employees.

If feels very wordy buy I'm not sure it can be any shorter.

 

[Hitesh Mistry]

As a template that's fine.

Your users will most likely tailor this to become a lot more specific. They may need to add something around getting consent for marketing, which could even be another tick box

 

[ffox]

I consent to the data from this form being retained by the site owner in order to process and manage your order/application/request. The data will not be passed on or accessed by anyone other than the site owner or their employees.

Probably too generic. The PECR Guidelines on page 33 of the ICO Direct Marketing Guide -
https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf

 

[fisicx]

This isn’t about marketing. This is giving consent to your data being retained in a database after you fill in a form.

For example, you fill in an form to check the size of a widget and the personal data is retained after the initial enquiry has been answered. The consent option is to permit a provider to hold that data on a database. Which isn't the same as keeping the email.

 

[fisicx]

They may need to add something around getting consent for marketing, which could even be another tick box

I agree. There should be are consent options: 1. store the data 2. Use that data for marketing.

 

[ffox]

This isn’t about marketing. This is giving consent to your data being retained in a database after you fill in a form.

For example, you fill in an form to check the size of a widget and the personal data is retained after the initial enquiry has been answered. The consent option is to permit a provider to hold that data on a database. Which isn't the same as keeping the email.

While acquiring consent is probably a good idea for what you describe its not actually necessary. The Lawful Basis for Processing would fall under Legitimate Interest.

The ICO requirement is -
There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:

• identify a legitimate interest;
• show that the processing is necessary to achieve it; and
• balance it against the individual’s interests, rights and freedoms.

 

[fisicx]

Yes I understand all that. The legitimate interest doesn't really apply and the visitor to the site is filling in a form. The consent is for the retention of the data after processing is complete.

If someone asks you for help setting up SharePoint and then decides not to takes up your offer then there is no legitimate reason for you to keep their data.

 

[ffox]

Sorry @fisicx I misunderstood your intent. PECR rules deal with Privacy and Electronic Communications and under this you are allowed to obtain tick box or form consent to collect, retain and process data.

If you are not intending communication with the subject you are moving firmly into the GDPR scope (proposed, effective after May 2018). For this the consent requirements are more difficult.
You will need to satisfy -

"How should you obtain, record and manage consent?
Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include:

• the name of your organisation;
• the name of any third party controllers who will rely on the consent;
• why you want the data;
• what you will do with it; and
• that individuals can withdraw consent at any time.

You must ask people to actively opt in. Don’t use pre-ticked boxes, opt-out boxes or other default settings. Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing.

Keep records to evidence consent – who consented, when, how, and what they were told."

https://ico.org.uk/for-organisation...ion-gdpr/lawful-basis-for-processing/consent/

You are quite right in that Legitimate Interest lives only so long as the subject is still interested in the service or product, but you can't just get consent to retain personal data indefinitely on the strength of a web base consent form.