End-User Consent to Collect Personal Data
By default, Jumio retrieves and acts as the data controller for end-user credentials used in Identity Verification services. Transactions that include collecting ID or biometric credentials, such as a Selfie or Facemap, require end-user consent prior to uploading the data.
If your integration implements the customer journey using the Web Client or the default SDK UIs, user consent management is built into the UI.
If your integration uses the mobile SDK with custom UIs, see the Consent Handling section of the integration guides for the Mobile SDK:
If your integration uses REST APIs to upload credentials, you are responsible for obtaining the end user's consent, as described below.
If you require access to the consent details for a transaction, see Retrieving Consent Details.
Incorporating Consent Language and Linking to Jumio’s Privacy Notice in Your UI
If you are using the API channel, you must incorporate explicit consent collection language and a link to Jumio’s Privacy Notice in your application, along with mechanisms for collecting the consent data (for example, checkboxes or buttons) prior to acquiring the end-user's credentials:
“I consent to Jumio collecting, processing, and sharing my personal information, which may include biometric data, as set out in its Privacy Notice.”
The Jumio Privacy Notice is at: https://www.jumio.com/legal-information/privacy-notices/online-services-notice/.
Example Screen Showing Consent Language

Populating the User Consent JSON
The user consent data must be added to the body of the Account creation or update request, as shown in the following example:
"userConsent": {
    "userIp": "226.80.211.232",
    "userLocation": {
        "country": "USA",
        "state": "IL"
    },
    "consent": {
        "obtained": "yes",
        "obtainedAt": "2022-07-20T17:20:35.000Z"
    }
}
If the credential is rejected, you can add or update the userConsent object and re-submit using the Account Update API.
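A pre-flight check for the userConsent object described above, as an added example that is not part of Jumio's documentation. The function name, the three-letter country check, the required state and the future-timestamp check are assumptions; the field names and timestamp layout follow the sample above.

```python
import ipaddress
import json
from datetime import datetime, timezone


def build_user_consent(user_ip, country, state, accepted, obtained_at):
    """Return the userConsent object, or raise ValueError if it must not be sent."""
    # Fail closed: never report consent the end user did not give.
    if accepted is not True:
        raise ValueError("end user has not consented; do not upload credentials")
    # Parse the address so malformed header input is rejected, not forwarded.
    ip = ipaddress.ip_address(user_ip)
    # Assumption: three uppercase letters, matching the "USA" sample value.
    if not (len(country) == 3 and country.isalpha() and country.isupper()):
        raise ValueError("country must be a three-letter uppercase code")
    if not state:
        raise ValueError("state is required in this example")
    # A naive datetime cannot be converted to UTC reliably.
    if obtained_at.tzinfo is None:
        raise ValueError("obtained_at must be timezone-aware")
    utc = obtained_at.astimezone(timezone.utc)
    if utc > datetime.now(timezone.utc):
        raise ValueError("obtained_at is in the future")
    # Same layout as the sample: millisecond precision and a trailing Z.
    stamp = utc.strftime("%Y-%m-%dT%H:%M:%S") + f".{utc.microsecond // 1000:03d}Z"
    return {
        "userIp": str(ip),
        "userLocation": {"country": country, "state": state},
        "consent": {"obtained": "yes", "obtainedAt": stamp},
    }


if __name__ == "__main__":
    # Constructed sample input: documentation-range IP, fixed timestamp.
    when = datetime(2022, 7, 20, 17, 20, 35, tzinfo=timezone.utc)
    body = {"userConsent": build_user_consent("203.0.113.7", "USA", "IL", True, when)}
    print(json.dumps(body, indent=2))
```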
See also:
Processor
By default, Jumio acts as a data controller for the end-user credentials. In some cases, Jumio will act as a data processor. For a description of how the European Union defines data controller and data processor for purposes of complying with GDPR rules, see: What is a data controller or a data processor?
Even if Jumio is acting as a data processor, if the end user is located inside the United States and biometric data is collected on the API channel, consent language must still be presented to the end user, and populating the userConsent object is mandatory. If not provided or not accepted, the transaction will be rejected during the credential upload. However, implicit consent is allowed, instead of requiring the user to explicitly check a box. The following is an example of how consent may be presented to the end user, but you may use your own custom language as long as the required elements are present:
By clicking “Start” you consent to Jumio collecting, processing, and sharing your personal information, which may include biometric data, pursuant to its Privacy Notice.
Retrieving Consent Details
By default, details about if and when the end-user consent was obtained are not provided in the Workflow Details. If you require access to the user consent details, contact your Jumio Account Manager or Technical Support to enable retrieval for your tenant. Once it is enabled, the data will be included in the workflow details response.
If enabled, the workflow details response will include:
- A consent JSON object for the transaction, including the UTC timestamp for when the consent was obtained:
    "consent": {
        "obtained": "yes",
        "obtainedAt": "2022-11-28T23:50:40.136Z"
    },
- A consent JSON object for each credential:
    "consent": {
        "decisionAccepted": true,
        "collectedBy": "CUSTOMER"
    }