End-User Consent to Collect Personal Data
By default Jumio acts as a data controller for the end-user credentials used by the Identity Verification services. Transactions that include collecting ID or biometric credentials, including a Selfie or Facemap, require end-user consent prior to uploading the data.
If your integration implements the customer journey (the end-user experience for uploading required credentials) using the Web Client or the default SDK UIs, user consent management is built into the UI. Customers can integrate the Jumio Web Client and/or SDKs into their apps, or implement the customer journey themselves and use Jumio APIs to upload credentials and initiate transactions.
If your integration uses the mobile SDK with custom UIs, see the Consent Handling section of the integration guides for the Mobile SDKs.
If your integration uses REST APIs to upload credentials, you are responsible for obtaining the end user's consent, as described below.
If you require access to the consent details for a transaction, see Retrieving Consent Details.
Incorporating Consent Language and a link to Jumio’s Privacy Notice into Your UI
If you are using the API channel, you must incorporate explicit consent collection language and a link to Jumio’s Privacy Notice in your application, along with mechanisms for collecting the consent data (for example, check boxes or buttons), prior to acquiring the end user's credentials:
“I consent to Jumio collecting, processing, and sharing my personal information, which may include biometric data, as set out in its Privacy Notice.”
Example Screen Showing Consent Language
Populating the User Consent JSON
The user consent data must be added to the body of the Account creation or update request, as shown in the following example:
"userConsent": {
    "userIp": "226.80.211.232",
    "userLocation": {
        "country": "USA",
        "state": "IL"
    },
    "consent": {
        "obtained": "yes",
        "obtainedAt": "2022-07-20T17:20:35.000Z"
    }
}
Note: If the credential is rejected you can add or update the userConsent object and re-submit using the Account Update API.
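The following is an added example, not Jumio code: one way to build the userConsent object from a consent event your application recorded, refusing to produce it when consent is missing or post-dated. The function names, the `now` parameter, and the rule that loopback or private addresses are rejected are assumptions of this example, not Jumio requirements.

```python
import ipaddress
from datetime import datetime, timezone


def build_user_consent(user_ip, country, state, obtained_at, now=None):
    """Return the userConsent object, or raise ValueError if it must not be sent."""
    if obtained_at is None:
        # No recorded consent event: never fabricate one at upload time.
        raise ValueError("consent was not obtained; do not upload credentials")
    if obtained_at.tzinfo is None:
        raise ValueError("obtained_at must be timezone-aware")
    now = now or datetime.now(timezone.utc)
    if obtained_at > now:
        # Consent has to precede the upload, so a later timestamp is a bug.
        raise ValueError("consent timestamp is later than the upload")

    ip = ipaddress.ip_address(user_ip)  # raises ValueError on malformed input
    # Assumption of this example: a loopback or private address means the
    # server logged a proxy hop instead of the end user's address.
    if ip.is_loopback or ip.is_private:
        raise ValueError(f"{user_ip} is not an end-user address")

    # Same shape as the page's sample value: UTC, milliseconds, trailing Z.
    utc = obtained_at.astimezone(timezone.utc)
    stamp = utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"
    return {
        "userIp": str(ip),
        "userLocation": {"country": country, "state": state},
        "consent": {"obtained": "yes", "obtainedAt": stamp},
    }


def with_user_consent(account_body, user_consent):
    """Return a copy of the Account request body carrying userConsent."""
    body = dict(account_body)
    body["userConsent"] = user_consent
    return body
```

Record `obtained_at` on your server at the moment the end user accepts the consent language, and pass that stored value here instead of the time of the API call.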
See also:
Processor
By default Jumio acts as a data controller for the end-user credentials. In some cases Jumio will act as a data processor. For a description of how the European Union defines data controller and data processor for purposes of complying with GDPR rules, see "What is a data controller or a data processor?"
Even if Jumio is acting as a data processor, if the end user is located inside the United States and biometric data is collected on the API channel, consent language must still be presented to the end user, and populating the userConsent object is mandatory. If consent is not provided or not accepted, the transaction will be rejected during the credential upload. However, implicit consent is allowed, instead of requiring the user to explicitly check a box. The following is an example of how consent may be presented to the end user, but you may use your own custom language as long as the required elements are present:
“By clicking “Start” you consent to Jumio collecting, processing, and sharing your personal information, which may include biometric data, pursuant to its Privacy Notice.”