Gather Consent Methodically and Precisely for Special Data and Children - Clarip Privacy Blog

Gather Consent Methodically and Precisely for Special Data and Children

Author: Clarip Chief Privacy Officer

Note: This is the second in a series of posts written to explain the many intricacies of consent under GDPR.  If you missed the introduction and first post in the series, click here.

When Can You Rely on Consent?

Consent is a concept which many organizations believe they understand. Yet, they may not be as familiar with the specific process for obtaining individual consent lawfully in the EU, and the rights individuals have when an organization requests consent as a lawful basis for processing personal data.

Even for organizations that do not process data in the EU or of EU residents, it is important to have an understanding of what the GDPR requires in this area.  There will be natural momentum toward a stricter standard of consent globally as a result of its adoption in the EU, due to competitive trends and demands for privacy tools that can automate individuals’ consent process.

In the first post in this series, several factors were described that must be present in order for consent to be deemed proper and valid, including that consent was freely given, specific, explicit and informed, among other factors. In this post, we delve into a few special scenarios where consent must be presented in a precise manner under the GDPR in order to enable lawful processing.

Certainly, it is easy to understand and obtain consent for simple processing needs, such as a single communication or special interest newsletters. But for the vast majority of multi-national retail organizations with cross-segment marketing, multiple eCommerce platforms and targeted advertising needs, the numerous and complex processing needs require far more nuanced and sophisticated consent mechanisms. So, what are these and other entities expected to do, and when can they rely on consent? Below, we delve into some examples to illuminate this issue.

As a general matter, a primary theme running through all of GDPR is the principle of fair and transparent data processing. So it only follows that the factors mandated for consent show a strong regard for fairness and transparency (often achieved through just-in-time notices via a layered privacy policy). By overlaying this theme on top of the specific mandates of GDPR, a vision of how to achieve appropriate consent in certain unique situations becomes clearer. We also have the benefit of guidance from the member state authorities, including the soon-to-be European Data Protection Board (EDPB).


Explicit Consent

GDPR requires explicit consent for certain situations where there is deemed to be a higher than normal level of risk to individual rights and thus, individuals would likely want greater control over their personal data. Such situations have been described in the published guidance as processing of special categories of data (Article 9), for cross border data transfers and transfers to international organizations where adequacy decisions do not exist (Article 49) or for automated decision making for individuals, including profiling (Article 22). In these situations, additional steps must be taken in order to use consent. Of course, the more US centric privacy regimes may think of any affirmative act as explicit consent.

However, affirmative and explicit consent are not the same under GDPR. Any appropriate consent would already include the higher bar of an affirmative act offered to and taken by an individual to show that they did in fact consent. Explicit consent, on the other hand, requires actions beyond an affirmative act. This is described as an explicit way that data subjects express consent. An express statement, such as a statement in written or electronic form, and where possible written or electronic signature, should accompany situations where explicit consent is to be obtained. The EDPB has also noted that even a verbal statement can serve as explicit consent, although it would be difficult to document a verbal showing of explicit consent without further recording or documentation of the same, which might then negate any time or resource savings offered by verbal consent.

Children’s Consent

It is not unusual to have special standards in place to obtain consent for processing children’s data. As one might expect, consent for processing the data of children must be obtained from a parent or guardian. However, beyond the parental consent requirement, there are references to another primary theme of GDPR: addressing protections and controls commensurate with the risks of processing involved.

Organizations in the US that know and comply with the Children’s Online Privacy Protection Act (COPPA) will find a similar paradigm in the GDPR consent mandates for information society services. It is those organizations that are aimed at or targeting children which will be required to get consent from a parent.

A proportionate approach is recommended with regard to how parental consent is sought and obtained as data minimization principles still apply. In other words, a significantly greater amount of data collection should not take place in the process of obtaining parental consent or age verification.

Finally, it is important to note that while GDPR defines a child as anyone under the age of 16, it also gives member states the right to lower the age for children as long as it is not under 13 years old. Organizations seeking to process children’s data should make a point of being familiar with different member state variations so they can implement appropriate consent in each jurisdiction.

Where a child’s specific age is verified, controllers also must be able to monitor when the child reaches the age of consent (where they are 16 or as low as 13, as set in applicable jurisdictions) so that they can obtain it directly when the individual is no longer under the authority of the parent for purposes of GDPR. As with all consent, where it is not obtained properly based on the age of the child, any processing will be unlawful.

While these scenarios are but a few examples, they do illustrate how consent must be implemented in a very precise and detailed manner in order to be deemed valid.

This complexity has led many to mistakenly believe that consent is the weakest of all lawful bases. This is not true, as each of the lawful bases is valid when used in the appropriate way and in the correct context. Consent, like the other lawful bases, simply requires a reasoned approach and the fulfillment of all of the conditions so it is implemented as the law requires.

Don’t Miss the Other Posts in the Series!

We hope you have enjoyed this series on consent so far and that you will stay tuned at the Clarip Privacy Blog for the next post in the series.  If you haven’t read the first two posts, you can read them at:

Introduction to GDPR and Consent: A 5 Part Series
1) What does consent really mean?

Keep reading the Clarip blog for (coming soon):
3) Which Data Subject Rights apply?
4) How should consent work?
5) Beyond GDPR, how to maximize the value of consent?
