What Does Consent Really Mean Under GDPR?
This is the first in our five part series to explain the intricacies of consent under GDPR. For the introduction to the series and links to the rest of the blog posts (when posted), click here.
Author: Clarip Chief Privacy Officer
Article 4(11) of GDPR defines consent and includes a detailed set of functions that must accompany consent. Accordingly, if the specific definition is not applied, then an organization does not have consent at all.
The GDPR definition states consent to be “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Some of this language will sound familiar to those who have operated under the European Union member state data protection laws. Other concepts such as “unambiguous” or “affirmative action”, while not completely new, were not imposed broadly under the Directive 95/46/EC, more commonly known as the Data Protection Directive and related member state laws.
Generally, the Art. 29 WP guidance tells us that, in order to have valid consent, the controller must present the data subject with a consent request that gives the data subject:
- full control over his/her consent options;
- a genuine choice to accept or decline terms without detriment;
- lawful, fair and transparent processing; and
- a decision that is not based on coercion or undue influence.
We’ll break down each aspect of the definition and highlight the interpretations as presented by Art. 29WP:
Freely given: this goes to the point made that the data subject must have a true set of options. The data subject cannot be made to feel that any refusal to provide consent or future withdrawal of consent will lead to negative consequences.
This concept is also what underlies the imbalance of power in the employment context. Thus, while consent was previously strongly discouraged and frowned upon as a means to process data of employees, it is now outright disallowed.
Specific: consent must be presented in a way that clearly indicates the purposes for which it is requested. If multiple purposes are required, then each purpose should be indicated with a separate consent option. For example, a document or lengthy page where multiple purposes are listed in fine print with a single “I agree” box at the bottom is not sufficient, as the single consent would not be specific to each of the many different purposes.
Informed: naturally, the data subject must have a reasonable understanding of the processing to which they are being asked to consent. This should include a full explanation of relevant details such as the identity of the controller, the intended purpose of the processing, the types of personal data processed as a result of the consent, any transfers of data and the associated risk, the data subject’s right to withdraw consent in future, and so on.
As noted, fairness and transparency must also be presented in the course of a consent request by providing, for example, concise, reasonable explanations in informing the data subject of the parameters presented.
Unambiguous: actions taken to show consent from the data subject should not leave any doubt of the data subject’s intentions in agreeing to have their data processed in the manner requested.
Clear affirmative action: the data subject must take some action, no matter how basic, to show that they have in fact consented to the proposed processing. For example, silence in a live interaction, pre-ticked checkboxes or radio buttons on a webpage, or other inactivity do not qualify, as no action is taken by the data subject. Conversely, having a data subject take action to sign up for an offer or proactively tick a checkbox on a web page, often referred to as “opt in”, would qualify and be considered an affirmative act.
Finally, document, document, document! It is important to underscore the repeating theme throughout GDPR, which requires documentation showing how and when consent was obtained and why it is valid on each of the points above. Thus, consent must be captured in a manner where the data controller can document how it was obtained, and how any changes or withdrawals are registered and thereafter implemented. If your systems do not have an effective way of registering valid consent at scale, you’ll want to inject some process or tools for documentation.
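To make the "specific", "clear affirmative action" and "document, document, document" points concrete, here is an added example of a minimal consent ledger (example code written for this post, not Clarip's product or any code from the original article). It assumes purposes are plain string identifiers, that the controller name, notice version and subject id are constructed sample values, and that an in-memory list stands in for a persistent, append-only audit store. It records one entry per purpose, rejects capture mechanisms that involve no action by the data subject (a pre-ticked box, silence), and keeps withdrawals as new records rather than overwriting history, so the controller can always show what was agreed, when, and how.

```python
"""Minimal consent ledger illustrating Art. 4(11)-style requirements.

Added example, not Clarip's code. Constructed assumptions: purposes are string
ids, the audit trail is an in-memory list, and mechanism names are illustrative.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only audit record: who agreed to what, when, and how."""
    subject_id: str
    purpose: str          # exactly one purpose per record ("specific")
    action: str           # "granted" or "withdrawn"
    timestamp: str        # ISO-8601, UTC
    controller: str       # controller identity shown to the subject ("informed")
    notice_version: str   # version of the notice the subject saw ("informed")
    mechanism: str        # how the act was captured ("clear affirmative action")


class ConsentError(ValueError):
    """Raised when a request cannot count as consent under the definition."""


# Constructed list of capture mechanisms that involve no action by the subject.
PASSIVE_MECHANISMS = {"pre_checked_box", "silence", "continued_browsing", "default_setting"}


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


class ConsentLedger:
    """In-memory, append-only ledger (a real system would persist this)."""

    def __init__(self, controller: str) -> None:
        self.controller = controller
        self.events: List[ConsentEvent] = []

    def record_grant(self, subject_id: str, purposes: Iterable[str],
                     notice_version: str, mechanism: str,
                     timestamp: Optional[str] = None) -> List[ConsentEvent]:
        purposes = list(purposes)
        if not purposes:
            raise ConsentError("a consent request must name at least one purpose")
        if mechanism in PASSIVE_MECHANISMS:
            raise ConsentError(f"'{mechanism}' is not a clear affirmative action")
        ts = timestamp or _now()
        # One record per purpose so each can be shown, and withdrawn, separately.
        new = [ConsentEvent(subject_id, p, "granted", ts, self.controller,
                            notice_version, mechanism) for p in purposes]
        self.events.extend(new)
        return new

    def withdraw(self, subject_id: str, purpose: str,
                 timestamp: Optional[str] = None) -> ConsentEvent:
        if not self.has_consent(subject_id, purpose):
            raise ConsentError(f"no active consent for {purpose!r} to withdraw")
        ev = ConsentEvent(subject_id, purpose, "withdrawn", timestamp or _now(),
                          self.controller, "n/a", "withdrawal_request")
        self.events.append(ev)  # history is never overwritten, only extended
        return ev

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # The most recent record for this subject and purpose decides.
        for ev in reversed(self.events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev.action == "granted"
        return False

    def history(self, subject_id: str) -> List[ConsentEvent]:
        return [ev for ev in self.events if ev.subject_id == subject_id]


def demo() -> dict:
    """Grant two purposes, withdraw one, and reject a pre-ticked box (constructed data)."""
    ledger = ConsentLedger(controller="Example Controller Ltd (constructed)")
    ledger.record_grant("subject-42", ["analytics", "marketing_email"],
                        notice_version="2018-05-v1", mechanism="checkbox_opt_in")
    ledger.withdraw("subject-42", "marketing_email")
    try:
        ledger.record_grant("subject-42", ["profiling"], "2018-05-v1", "pre_checked_box")
        rejected = False
    except ConsentError:
        rejected = True
    return {
        "analytics": ledger.has_consent("subject-42", "analytics"),
        "marketing_email": ledger.has_consent("subject-42", "marketing_email"),
        "profiling": ledger.has_consent("subject-42", "profiling"),
        "pre_checked_rejected": rejected,
        "audit_records": len(ledger.history("subject-42")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the ledger never deletes or edits a record: a withdrawal is a new event, so the answer to "what did this person agree to, and when did that change?" can always be reconstructed from the trail, which is exactly what the documentation requirement asks a controller to be able to show.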
Stay Tuned for More on Consent
This is part one of the five part series. Stay tuned for the rest of the series. We will add links here to the other posts when they have been published:
1) What does consent really mean? (this post)
2) When can you rely on consent?
3) Which Data Subject Rights apply?
4) How should consent work?
5) Beyond GDPR, how to maximize the value of consent?
More from Clarip:
Are you ready for the new CA privacy law? Start preparing compliance efforts with Clarip for the California Consumer Privacy Act. Enforcement starts January 1, 2020, so you should start planning funding in your 2019 budget now.
Other Blog Posts on Consent:
France’s CNIL Gives Record GDPR Fine of $57 Million to Google
UK, Austria Differ on Whether Consent is Freely Given if the Choice Has a Small Fee
CNIL Warnings Providing Insight into GDPR Consent Management
Report Urges Transparency and Consent Management for IoT Privacy
Gather Consent Methodically and Precisely for Special Data and Children