Consent is a vital area for data protection compliance and even more so under the GDPR. The GDPR sets a high standard for consent and contains significantly more detail than previous data protection legislation, although the main principles remain unchanged.
In particular, requests for consent must be presented in an easily accessible form, and consent must be as easy to withdraw as it is to give.
Definition under the GDPR
“Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
What does the GDPR definition really mean?
Under the GDPR the requirements for consent have been strengthened to require a positive and unambiguous action to ‘opt in’. Silence, pre-ticked boxes and inactivity will not constitute consent.
Consent requests must be kept separate from other terms and conditions. Where there are multiple processing activities, consent must be given for each separate activity; otherwise it will not be valid.
What are the significant changes brought in by the GDPR?
The GDPR significantly strengthened the standard of consent. Data controllers are required to give individuals more choice and control over how their data is used. Consent under the GDPR is no longer a one-off decision but an ongoing issue to be carefully monitored. Individuals may withdraw their consent at any time without penalty, and the mechanism for withdrawing consent must be as easy as the one for giving it.
Individuals must be given a genuine choice about whether or not they consent. If they do not have a choice, then consent will not be deemed to have been freely given and will not be valid. Consent may also be deemed invalid where the data subject does have a choice, but an imbalance of power between the data subject and the organisation requesting consent means that the consent may not have been freely given, because the data subject was under pressure (or felt under pressure) to give it. This is most likely to occur in the relationship between an employer and an employee. In these circumstances, data controllers should look at the other lawful bases for processing to determine whether another relevant condition is present that allows the data controller to process the data without requiring consent from the data subject. If you think you may have other grounds, it is important to explore those before seeking consent from a data subject. The ICO has emphasised that requesting consent from an individual would be considered “misleading and inherently unfair” if their personal data would still be processed on a different basis if consent was refused or withdrawn. If you intend to rely on an alternative ground should consent be refused, then the request for consent was not a genuine choice.
If no other options are available and consent is required, the GDPR imposes a greater obligation on data controllers than under the previous data protection legislation. There is a requirement to demonstrate that a data subject has consented to the processing of their personal data by keeping a record of:
- the information given to individuals as part of the request (e.g. purpose for which the data was required);
- how and when the consent was given; and
- what the individual has consented to.
You must ensure that there are no penalties for refusing consent and provide convenient ways for data subjects to withdraw their consent at any time.
What effect has this had on UK businesses?
The concept and definition of consent remain largely unchanged by the GDPR; however, the mechanisms through which consent may be obtained have seen significant changes, and obtaining consent is now much harder because of the additional requirements set out in more detail below.
The effect on UK businesses will depend on whether consent is the legal basis upon which processing is carried out. Any business that processes data on the basis of consent from the data subject will need to ensure it has satisfied the conditions for valid consent.
Processing data without valid consent, particularly in an imbalance-of-power situation, could lead not only to a hefty fine but also to reputational damage.
What should my business be doing?
If you haven’t already, you should review your consent practices and existing consents as these will need to be updated if they are not GDPR compliant. The key changes you will need to make include:
- Separating any requests for consent from your main terms and conditions. Consent should not be bundled up as a condition of service unless it is absolutely necessary for that service.
- Removing any pre-ticked opt-in boxes. Any binary choices should be given equal prominence.
- Giving users more options so they can consent to different types of processing rather than using an ‘all or nothing’ approach.
- Providing details of your organisation and any third parties who will be relying on the consent.
- Ensuring you have mechanisms in place to record details of the consent given.
- Providing information on how to withdraw consent.
How long does consent last?
There is no specific time limit for consent under the GDPR. Consent will continue until it is withdrawn; however, it will only apply to the specific purpose for which it was given. If the purpose or the methods used to process the data change, then fresh consent will be required. It is good practice to check periodically with individuals that they still consent to the processing of their personal data. If consent is withdrawn, the data may no longer be processed.
How should I manage withdrawing consent?
The ability to withdraw consent to processing must be exercisable at any time. Providing an ‘opt out’ link in any email or other correspondence may not be sufficient for GDPR compliance. If possible, you should ensure that individuals are able to withdraw consent in the same manner as it was given. Importantly, there should be no penalty imposed for individuals who choose to withdraw consent.
What is ‘explicit consent’?
Explicit consent is not defined in the GDPR but is likely to be very similar to the definition of consent. The main difference is that explicit consent must be affirmed in a clear statement, either in writing or orally. Depending on the circumstances, consent by way of an affirmative action may not be deemed sufficient to be explicit consent.
Example: You ask your customers for their email addresses and you tell them that you will use their email address to send them information about your products. By giving their address, the customer has made a specific, informed choice to consent to those emails. This is still likely to be implied consent rather than explicit. A tick box with the statement “I consent to receive emails about your products” would be considered explicit consent.
What are the alternatives to consent?
Consent is only one lawful basis for processing data, and it can often be the most difficult to rely on. There are several others, including:
- The existence of a contract with the individual – e.g. to supply goods and services that requires the processing of personal data.
- Compliance with a legal obligation – e.g. you are required to process the data by UK or EU law.
- Vital interests – you can process personal data if it is necessary to protect someone’s life.
- A public task – if you are a UK public authority, this is likely to give you a lawful basis for many if not all of your activities.
- Legitimate interests – if you are a private organisation, you can process personal data without consent if you have a genuine and legitimate reason.
Why do I need to obtain consent if there are alternatives?
Whilst often difficult to obtain, consent is the only reasonable option in certain cases, and in those cases it can legitimise restricted processing. Explicit consent obtained from a data subject for the use of special category personal data, automated decision making (including profiling) and overseas transfers is able to legitimise that processing, which may be difficult to do using any of the other lawful bases for processing.
In these cases, where the other options for processing are limited, compliance with the GDPR requirements for consent is crucial.
- GDPR means the General Data Protection Regulation, the EU law that effectively replaced the Data Protection Act 1998.
This briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.