GDPR Roundup: Consent

The GDPR’s requirements around consent for data processing are complex, and we aren’t the only ones thinking about what this means for our business or how to best comply with the regulation. Below, we’ve shared a few links that give some added context around consent as it relates to the GDPR.

WP29 Guidelines on Consent under Regulation 2016/679

In our Whois Changes GDPR Roundup, we looked at a letter that the Article 29 Working Party (“WP29”) sent to ICANN; here’s another great publication from the same advisory body, offering guidelines on how consent can be used as the legal basis for data processing under the GDPR. WP29’s interpretation of the GDPR aligns with our own understanding of the consent requirements and serves as a helpful resource for anyone working to create their own consent request processes.

How the GDPR will disrupt Google and Facebook

The title says it all. This article speculates on how Google’s and Facebook’s current consent request processes might have to change in order to become compliant with the GDPR’s consent and data use requirements. It lays out a GDPR risk scale, examines where different consent methods fall on this scale, and then evaluates personal data use by Facebook and Google to estimate where those different data uses rank and what changes the tech giants may need to make in order to continue processing this data in a post-GDPR world. The conclusion is that, while much of this personal data processing can be done in a way that is GDPR-compliant, the requirement to obtain consent will disrupt the ability to use data for marketing and advertising purposes. The extent to which this impact will be visible to the average user remains to be seen.

ICANN – GDPR legal analysis

The second and third memos from Hamilton Advokatbyrå have been published, following the first memo which we discussed in a previous GDPR roundup. The most recent memo focuses on how the Whois system would need to change to be compliant with the GDPR, and refers to a conclusion drawn in the first memo: although consent would be a possible legal basis for publication of Whois information, it would not result in a fully accessible Whois like we have today, since data subjects will be able to withdraw consent, preventing any “extra” data (which isn’t necessary to providing domain registration services) from being published. Anyone keeping up with GDPR policy will want to keep a close eye on these Hamilton memos and the domain industry’s responses to them.

We’re happy to see that many of the assessments and practices being discussed by other key players in the industry are in line with our own plans for a gated Whois system and revamping of our consent request processes. We want to support our resellers through this transition by providing useful resources and maintaining a high level of transparency about our own GDPR implementation plans. Sign up for GDPR updates to make sure you’re kept in the loop!


Learn more about the GDPR:

GDPR Updates – Understand OpenSRS’ approach to the policy

GDPR Roundups – View third-party resources on a specific GDPR topic