End-User Consent to Collect Personal Data

By default Jumio acts as a data controller for the end-user credentials used by the Identity Verification services. Transactions that includes collecting ID or biometric credentials including a Selfie or Facemap require end-user consent prior to uploading the data.

If your integration implements the customer journey The end-user experience for uploading required credentials. Customers can integrate the Jumio Web Client and/or SDKs into their apps, or implement the customer journey themselves and use Jumio APIs to upload credentials and initiate transactions. using the Web Client or the default SDK UIs, user consent management is built into the UI.

If your integration uses the mobile SDK with custom UIs, see the Consent Handling section of the integration guides for the Mobile SDKs:

• Android Controller and Consent Handling

• iOS Controller and Consent Handling

If your integration uses REST APIs to upload credentials, you are responsible for obtaining the end user's consent, as described below.

If you require access to the consent details for a transaction, see Retrieving Consent Details.

Incorporating Consent Language and a link to Jumio’s Privacy Notice into Your UI

If you are using the API channel you must incorporate explicit consent collection language and a link to Jumio’s Privacy Notice in your application, along with mechanisms for collecting the consent data (for example check boxes or buttons) prior to acquiring the end-user's credentials:

“I consent to Jumio collecting, processing, and sharing my personal information, which may include biometric data, as set out in its Privacy Notice.”

Example Screen Showing Consent Language

Populating the User Consent JSON

The user consent data must be added to the body of the Account creation or update request, as shown in the following example:

"userConsent": {
    "userIp": "226.80.211.232",
    "userLocation": {
      "country": "USA",
      "state": "IL"
    },
    "consent": {
      "obtained": "yes",
      "obtainedAt": "2022-07-20T17:20:35.000Z"
    }
  }

Note: If the credential is rejected you can add or update the userConsent object and re-submit using the Account Update API.

See also:

• Creating or Updating Accounts

• Account API Reference

Processor

By default Jumio acts as a data controller for the end-user credentials. In some cases Jumio will act as a data processor. For a description of how the European Union defines data controller and data processor for purposes of complying with GDPR rules see: What is a data controller or a data processor?.

Even if Jumio is acting as a data processor, if the end user is located inside the United States and biometric data is collected on the API channel, consent language must still be presented to the end user, and populating the userConsent object is mandatory. If not provided or not accepted the transaction will be rejected during the credential upload. However, implicit consent is allowed, instead of requiring the user to explicitly check a box. The following is an example of how consent may be presented to the end user, but you may use your own custom language as long as the required elements are present:

“By clicking “Start” you consent to Jumio collecting, processing, and sharing your personal information, which may include biometric data, pursuant to its Privacy Notice.”