Article 29 Working Party publishes guidelines on consent under the GDPR
What exactly are the higher standards of consent under the GDPR?
Definition of consent
The GDPR defines consent as: "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" (Article 4(11)).
Interpreting the consent definition
The WP29 has now thrown light on what all these different elements mean, namely:
- Freely given: this must imply real choice and control for individuals. As the WP29 says: "If consent is bundled up as a non-negotiable part of terms and conditions, it is presumed not to have been freely given". Data subjects have to be able to refuse or withdraw consent without detriment and there should be no "imbalance of power". Note that such an imbalance of power will often be presumed in relationships between a public authority and a data subject, and between an employer and an employee. Equally, "bundling" consent with acceptance of terms and conditions, or "tying" the provision of a contract or a service to a request for consent to process personal data not necessary for the performance of that contract or service, is also presumed not to be freely given. See Example A below.
- Specific: separate consent should be gained for separate processing purposes; vague and blanket consent to a bundle of processing purposes is not sufficient. So controllers must apply (i) purpose specification as a safeguard against function creep; (ii) granularity in consent requests; and (iii) clear separation of the information given when obtaining consent for data processing from information about other matters. Also, a controller that seeks consent for various different purposes should provide a separate opt-in for each purpose (plus specific information for each purpose).
- Informed: sufficient and accessible information should be provided so that an informed decision about consent can be made, it is clear what is being consented to and, for example, that there is a right to withdraw consent effectively. This means providing the name of your organisation, the name of any third party controllers who will rely on the consent, why you want to process the data and what you will do with it. You must use clear and plain language, avoiding long, illegible privacy policies and legal jargon.
- Unambiguous: a statement or clear, affirmative action is required, signifying agreement to the processing of personal data for the purposes specified. An opt-in box may be used (whereas pre-ticked boxes, opt-out boxes or other default settings should not be used). Interestingly, the WP29 suggests that other actions (eg swiping a screen or waving in front of a smart camera) can qualify as clear affirmative action.
A request for consent should be presented in a manner which is clearly distinguishable from other matters (such as terms and conditions) using clear and plain language.
If, having obtained consent to use data for a particular purpose, you wish to use the data for a new purpose, a new consent will be required unless an alternative lawful ground can be established.
The GDPR does not define "explicit consent". However, under the GDPR, explicit consent is required where heightened data protection risks exist (for example, when processing special categories of personal data, which includes personal data relating to religious beliefs, sexual orientation or health). In this situation, consent should be given in an expressed statement, such as a written confirmation, rather than by any other positive action. In an online context, the WP29 says that filling in an electronic form or sending an email also works.
You must be able to demonstrate that valid consent has been given (eg that it was possible for the data subject to refuse or withdraw consent without suffering any detriment, that the right to withdraw consent was explained, that the request was clearly distinguishable from other matters etc). In practice, demonstrating consent when it is given means keeping records to evidence consent – who consented, when, how, and what they were told. There is no specific time limit in the GDPR for how long consent will last, but the WP29 suggests that consent should be refreshed at regular intervals.
Consent which has been obtained prior to the GDPR continues to be valid, but only if it meets the criteria laid down in the GDPR. So checks need to be made to see how much reliance can be placed on existing processes. If the conditions are not met, or the consent is poorly documented, either: a fresh GDPR-compliant consent should be obtained; a different lawful basis for the processing considered; or the processing stopped. Remember that being able to demonstrate consent is critical and that all presumed consents for which no records are kept will need to be renewed.
An individual has the right to withdraw consent to the processing of his or her personal data at any time. In line with the fact that consent must be freely given, it should also be possible (and easy) to withdraw consent. Withdrawal of consent must be as easy as the process by which the consent was originally obtained. See Example B.
Compliance with other principles
Even if a valid consent is obtained, this does not negate or diminish the requirement to comply with other fair processing principles, such as fairness, necessity and proportionality. For example, holding a consent would not legitimise the collection of data that is unnecessary for the stated purpose. Furthermore, if the performance of a contract, including the provision of a service, is conditional on consent to data processing that is not necessary for the performance of the contract, this will undermine the validity of the consent. Nor can a controller fall back on another lawful basis once consent has failed; in the WP29's words: "...it is not allowed to retrospectively utilise the legitimate interest basis in order to justify processing, where problems have been encountered with the validity of consent".
There are no overall rules on children's consent under the GDPR, but there is a specific provision in Article 8 on children's consent for 'information society services' (services requested and delivered over the internet). Note that the GDPR sets the age of digital consent at 16, but allows individual Member States to lower this. The UK is adopting the age of 13. The language must be plain and clear for children. In terms of obtaining parental consent where necessary, the WP29 recommends a proportionate approach (ranging from email consent to more concrete proof).
One important point around children is that, as the WP29 points out, parental consent will expire once the child reaches the age of digital consent. It states: “From that day forward, the controller must obtain valid consent from the data subject him/herself. In practice this may mean that a controller relying upon consent from its users may need to send out messages to users periodically to remind them that consent will expire...”. This means that controllers will need to find a way of tracking when a child reaches the age of consent, and then refresh the consent with the individual when that age is reached.
Why is this important?
Consent under the GDPR requires higher standards and the WP29 guidelines reinforce just how tricky this area can be, and why (of all areas) any business which relies on consent to run its operations needs to study the advice carefully, and in good time before the GDPR lands. From a marketing perspective, we await the finalisation of the ePrivacy Regulation, but any hope that this will create a gentler regime for marketing consents has already been dashed now that the draft is in circulation.
Any practical tips?
Watch consent like a hawk! It is an area of the GDPR which is likely to surprise many, especially those in the marketing industry, and not in a good way. Early consideration and action, particularly around the ongoing validity of existing databases after 25 May, is essential. And look out also for the hidden traps. For example, refreshing a child's consent when he/she reaches the age of digital consent: that requirement alone will result in the need for tech developments to ensure that controllers find a way of (automatically) refreshing their databases.