How to Obtain Consent Under GDPR
The GDPR sets up a system in which data processing is unlawful unless it falls within one or more enumerated categories. For many businesses, the easiest path to lawful processing of data will be the data subject’s consent.
What is the GDPR Consent Definition?
Consent is defined in Article 4 of the GDPR to mean any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
How is Consent Obtained?
GDPR Article 7 sets forth the conditions for processing based on consent. To process on that basis, the request for consent must be made in clear and plain language and be clearly distinguishable from any other matters covered by the same written declaration; the data subject has to be informed that he or she can withdraw consent at any time; the consent must be freely given; and the organization must be able to demonstrate that consent has been given.
How Must Consent Requests Be Presented?
The request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. This section is obviously intended to ensure that requests for consent are not hidden in long contracts or terms of service that do not clearly distinguish the request for consent from the other sections of the contract. It will probably be some time before the meaning of “clearly distinguishable” is defined by enforcement actions. However, the requirement that the request be easily accessible and clear suggests that even special emphasis in a long document, such as bold and larger text, may not be enough to satisfy this section. Language in the request for consent must also explain how the individual can withdraw consent at any time.
What are the Other Considerations in Obtaining Consent?
It needs to be at least as easy to give consent as it is to withdraw it, so the process of giving consent must remain in lockstep with the process of withdrawing it. In other words, if an individual can subscribe by text message, they need to also be able to unsubscribe by text message. This seems likely to slow innovative forms of consent, since each new way of giving consent requires putting in place a similar system to withdraw it. Additionally, the more methods there are to subscribe and unsubscribe, the more difficult it will be to combine the records into one audit trail documenting that consent has been given and not withdrawn.
There are special requirements for children’s consent under GDPR.
What Documentation is Required to Rely on Consent for Lawful Processing?
Although processing of data is allowed for some other reasons, consent will be the primary justification for processing for many. Therefore, it is important to ensure that adequate records are kept both of the date and time of consent and of the information or other materials that the individual was shown at the time they gave consent. If these supporting materials are not kept, it will be difficult to demonstrate that the individual’s consent was valid. In reality, the organization needs to be able to demonstrate both that the data subject has consented and that the data subject has not revoked consent. If adequate records are not kept of all individuals withdrawing consent or exercising the right to erasure, then it will be hard to demonstrate that the controller still has permission to process the data.
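One way to keep the records described above, and to check the same-ease point about subscribe and unsubscribe channels from the earlier section, is an append-only consent ledger. The code below is an added illustration and is not part of the original article or any Clarip product; the subject ids, purposes, channel names and notice texts are constructed for the example. It stores each grant and withdrawal as an immutable event, keeps the exact notice text the subject was shown (keyed by its digest), answers whether consent currently holds for a subject and purpose, and reports any channel used to grant consent that has no corresponding withdrawal path.

```python
"""Added example: an append-only consent ledger (not from the original article).

Records when consent was given, what the data subject was shown, and whether
it has since been withdrawn. All names and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from hashlib import sha256
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the audit trail."""
    subject_id: str
    purpose: str                       # what the consent covers, e.g. "email_marketing"
    action: str                        # "granted" or "withdrawn"
    channel: str                       # how the subject acted, e.g. "web_form" or "sms"
    at: datetime                       # timezone-aware time of the act
    notice_hash: Optional[str] = None  # digest of the notice shown (grants only)


class ConsentLedger:
    """Append-only consent log: events are added, never edited or deleted,
    so the history needed to demonstrate consent (or its withdrawal) survives."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []
        self._notices: dict[str, str] = {}   # notice digest -> full text shown

    @staticmethod
    def _digest(text: str) -> str:
        return sha256(text.encode("utf-8")).hexdigest()

    @staticmethod
    def _now() -> datetime:
        return datetime.now(timezone.utc)

    def record_grant(self, subject_id: str, purpose: str, channel: str,
                     notice_text: str, at: Optional[datetime] = None) -> ConsentEvent:
        # Keep the exact wording the subject saw, keyed by digest, so it can be
        # produced later even after the live notice text has changed.
        digest = self._digest(notice_text)
        self._notices.setdefault(digest, notice_text)
        ev = ConsentEvent(subject_id, purpose, "granted", channel, at or self._now(), digest)
        self._events.append(ev)
        return ev

    def record_withdrawal(self, subject_id: str, purpose: str, channel: str,
                          at: Optional[datetime] = None) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, "withdrawn", channel, at or self._now())
        self._events.append(ev)
        return ev

    def _latest(self, subject_id: str, purpose: str,
                as_of: Optional[datetime] = None) -> Optional[ConsentEvent]:
        cutoff = as_of or self._now()
        matching = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= cutoff]
        return max(matching, key=lambda e: e.at) if matching else None

    def has_consent(self, subject_id: str, purpose: str,
                    as_of: Optional[datetime] = None) -> bool:
        """Consent holds only if the most recent event (as of the given time) is a grant."""
        latest = self._latest(subject_id, purpose, as_of)
        return latest is not None and latest.action == "granted"

    def evidence(self, subject_id: str, purpose: str) -> Optional[tuple[ConsentEvent, str]]:
        """The grant event and the notice text that support current consent, if any."""
        latest = self._latest(subject_id, purpose)
        if latest is None or latest.action != "granted":
            return None
        return latest, self._notices[latest.notice_hash]

    def channels_missing_withdrawal(self, withdrawal_channels: set[str]) -> set[str]:
        """Channels used to grant consent for which no withdrawal path is offered."""
        used = {e.channel for e in self._events if e.action == "granted"}
        return used - withdrawal_channels


def demo() -> dict:
    """Constructed walk-through on sample data; returns the facts a reviewer would check."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    notice = "We will email you a newsletter once a month. You can unsubscribe at any time."
    ledger.record_grant("user-42", "email_marketing", "web_form", notice, at=t0)
    ledger.record_grant("user-42", "sms_marketing", "sms", "Reply STOP to opt out.", at=t0)
    ledger.record_withdrawal("user-42", "email_marketing", "web_form", at=t1)
    return {
        "email_now": ledger.has_consent("user-42", "email_marketing"),
        "email_before_withdrawal": ledger.has_consent("user-42", "email_marketing", as_of=t0),
        "sms_now": ledger.has_consent("user-42", "sms_marketing"),
        "sms_evidence_text": ledger.evidence("user-42", "sms_marketing")[1],
        "unknown_subject": ledger.has_consent("user-99", "email_marketing"),
        "missing_withdrawal": ledger.channels_missing_withdrawal({"web_form"}),
    }


if __name__ == "__main__":
    print(demo())
```

The `as_of` parameter matters for the demonstration burden: a controller asked about processing that took place last quarter must show that consent held at that time, not merely that it holds today. Storing the notice text by digest rather than by version label also means a later edit to the live wording cannot silently change what the record says the subject was shown.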
When is Consent “Freely Given”?
The question of whether consumer consent has been freely given in a take-it-or-leave-it service contract has been an issue that the law in the United States has struggled with for some time. The GDPR takes a nuanced approach that could in all likelihood eliminate this type of consent.
How strongly this provision of the GDPR will be enforced will take some time to determine. However, many organizations will need to operate on the safe side if they do not want to risk an enforcement action that requires them to delete improperly obtained data at some point in the future.
The Article 29 Working Party has issued a draft paper that indicates consent must involve “real choice and control”. In other words, if consent cannot be refused, it is not freely given. It is also unlikely that non-negotiable consent in the terms and conditions of a contract is freely given. The Working Party example is a mobile app that requires GPS location services for behavioral advertising. Consent is not freely given, in other words, if it is a mandatory consideration in exchange for performance. Non-negotiable consents may only be valid if there is a “direct and objective link” between processing and performance. This will only be so where it is, strictly interpreted, necessary to the performance.
Establishing consent as a basis for processing is also more difficult if there is a power imbalance between the controller and data subject. The Article 29 Working Party has said that consent cannot be the basis for the majority of data processing of employees at work because employees will not feel free to refuse without risking negative consequences. Public authorities must also consider whether they may validly obtain consent.
The Practical Application of GDPR Consent
The most successful privacy programs have long recognized that consent should not be an all-or-nothing proposition for consumers. Consumers want a more nuanced, granular set of options that fit their preferences, such as the medium (e.g., email or text) or frequency (e.g., once a day or once a month) of communication. They are far more likely to choose “nothing” when a business does not present them with suitable options for engagement. In addition, GDPR throws its regulatory weight behind appropriate consent in Article 8, which mandates explicit, demonstrable and specific consent that is freely given and easy to withdraw. Finally, because of the cost of acquiring a customer, businesses that lose existing customers through inappropriately aggressive marketing efforts will be at a competitive disadvantage.
Contact Clarip for CCPA and GDPR Software
The Clarip privacy management software is ready to help improve your organization’s privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo with a member of the Clarip team.
If your immediate need is California Consumer Privacy Act compliance, take a look at our CCPA software. From consent management to powerful DSAR Software, Clarip offers enterprise privacy management at an affordable price.
Still working on GDPR compliance? We understand! Our GDPR software tools offer a range of options, from data mapping software and DPIA automation to cookie management for ePrivacy.