Consent, in its simplest form, is a data subject’s indication of agreement to his or her personal data being processed, and when treated as a real choice, allows data subjects to be in control of their personal data. As one of the core principles found in the FTC FIPPs, OECD Guidelines, and various data protection regulations (including the EU Data Protection Directive, ePrivacy Directive and upcoming EU General Data Protection Regulation (GDPR), the concept of consent has had a long history in privacy and data protection. These days, however, the concept has been evolving, and as stated by the Article 29 Working Party (WP29) in their recent draft Guidelines on Consent under the GDPR, “[t]he GDPR provides further clarification and specification of the requirements for obtaining and demonstrating valid consent.”
In this article, we discuss the expanded requirements for consent found in the GDPR (along with a healthy mix of guidance from the WP29), and will recommend some steps that your organization can begin taking today to help prepare for the coming of the GDPR on 25 May 2018.
Consent under the GDPR
There are six legal bases for processing personal data under the GDPR.1 These legal bases include: consent, performance of a contract, compliance with a legal obligation, protection of vital interests of the data subject or another other natural person, performance of task in the public interest or exercise of official authority, or legitimate interests of the data controller or a third party.
Consent has been one of the most common legal bases relied on for the processing of personal data. However, under the upcoming GDPR, additional conditions will need to be met which could make reliance on consent more difficult. For example, under the GDPR, the “opt-out” method of obtaining consent — i.e., processing personal data unless the data subject objects — will no longer be valid as it does not require a “clear affirmative action” on the part of the data subject.2 More on that later.
Additionally, those who violate the GDPR’s consent requirements may be subject to administrative fines of up to 20 million euro or 4% of total worldwide annual turnover, whichever is higher, along with the possibility of individual member state penalties.3 For these reasons, and others (including moral, ethical and business considerations), getting consent practices right by 25 May will be critical.
Elements of valid consent
Under Article 4(11) of the GDPR, “’consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
If we unpack that definition, we are left with the following four elements of a valid consent under the GDPR: 1) freely given, 2) specific, 3) informed, and 4) unambiguous. If any of these elements are missing, then the consent would be considered invalid.
First, the data subject’s consent must be freely given. According to the WP29, this means that the data subject must be provided with “real choice and control” in a “granular” way over multiple purposes of processing, and be able to refuse or subsequently withdraw their consent in a manner that is as easy as it was to give consent.4 Additionally, consent typically will not be considered freely given where there is a “clear imbalance between the data subject and the controller” (e.g., in the employment context), or where performance of a contract is conditioned on consent to processing that is not necessary for the performance of that contract.5
Second, the consent must be specific — i.e., it must be tied to “one or more specific purposes” and the data subject must have a choice in relation to each.6 According to the WP29, to comply with this requirement, data controllers must ensure three things: 1) purpose specification as a safeguard against function creep, 2) granularity in consent requests, and 3) clear separation of information related to obtaining consent for data processing activities from information about other matters.7
Third, the consent must be informed. That is, adequate information about the processing must be communicated to the data subject “in an intelligible and easily accessible form, using clear and plain language” prior to obtaining their consent, to ensure that the data subject understands the choice before them and what they would be agreeing to.8 The importance of this element is well-stated by the WP29: “[i]f the controller does not provide accessible information, user control becomes illusory and consent will be an invalid basis for processing.”9
Finally, the consent must be unambiguous. The data subject must indicate their wishes “by a statement or by a clear affirmative action” signifying their agreement to the processing of their personal data.10 According to the WP29, this means that consent “must always be given through an active motion or declaration” and be “obvious that the data subject has consented to the particular processing.”11 For these reasons, “[s]ilence, pre-ticked boxes or inactivity should not therefore constitute consent.”12
In some circumstances, explicit consent may be needed. For instance, explicit consent is one of the exceptions to the GDPR’s prohibition on processing of special categories of data, and is one of several derogations for the transfer of personal data to third countries.13 It can also be used to justify the making of decisions about data subjects based solely on automated processing, including profiling, which produce legal effects concerning, or that significantly affect, the data subject (i.e., “automated individual decision-making”).14
Under Article 7(1) of the GDPR, data controllers must also be able to “demonstrate that the data subject has consented to processing of his or her personal data.” According to the WP29, “[c]ontrollers are free to develop methods to comply with this provision in a way that is fitting in their daily operations.”15
However, data controllers should not collect more information than is necessary, nor keep it for longer than is necessary, to meet this requirement16 — i.e., the principles of data minimization and storage limitation should always be in the back of the privacy professional’s mind when thinking about how to demonstrate compliance with the GDPR.
Consent management for data controllers
OK, now that we have rules, requirements and obligations out of the way, let’s shift gears and talk about some steps that your organization can take (in particular where it acts as a data controller) to support efforts to comply with these requirements.
Identify what you have
First, the building of records of processing (or “data map”) to address Article 30 is viewed by many organizations as the natural first step toward GDPR compliance, as these records can serve as the foundation for tackling many other GDPR requirements.
Once your organization has developed these records, they can be used to identify those processing activities that rely on consent and then supplement the records with additional details about how consent was presented, obtained, etc. Understanding where your organization has relied on consent should be the first step toward ensuring that those consents meet legal requirements.
Therefore, when building your records, consider adding additional fields to support information about legal bases, and the different aspects of those legal bases. Doing so should provide you with a head start and strong foundation for addressing other requirements.
Assess for appropriateness
According to the WP29, “[g]enerally, consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment.” So, after you have identified those processing activities that rely on consent, consider asking yourself the following question: is there another legal basis under Article 6 that is more appropriate for this processing activity?
Situations where consent may not be the best choice may include: where, regardless of refusal or withdrawal of consent, the personal data would still be processed under a different legal basis; where there is no way to avoid real detriment to the data subject in the event of refusal or withdrawal; where there is an imbalance of power between the data controller and data subject; or where the processing is necessary for the performance of a contract.
In the context of an employment agreement for example, perhaps it would be better to rely on performance of a contract as the legal basis for processing the employee’s personal data, given the imbalance of power that is inherent in the employer-employee relationship. Or, where a bank wishes to process the personal data of its customers for the separate purpose of preventing fraud, relying on legitimate interests might be the more appropriate choice.
Craft your request and provide adequate information
Under Article 7(2), where a “data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.”
This requirement is tied heavily to the requirements that consent be specific and informed. Thus, the request needs to apply the principle of purpose specification; be granular and unbundled in terms of how consent for separate purposes is presented; be clearly separated from information about other matters (e.g., terms and conditions); and provide an adequate level of detail to inform the data subject; all while being intelligible, easily accessible, clear and plain to the data subject.
To put this into practice, try to craft your message in a way that is “easily understandable for the average person and not only for lawyers.”17 Avoid technical and legal jargon and try to limit the information to that which is “relevant for making informed decisions on whether or not to consent”18 to avoid taking the data subject to the point where they are overwhelmed with information or give up on reading the notice entirely. Pursuant to this aim, use of layered and just-in-time notices should be favored over lengthy, hard to find notices.
As previously discussed, the GDPR requires that data controllers must be able to demonstrate that valid consent was obtained from the data subject. The WP29 states that one way of doing this is to “keep a record of consent statements received” in order to show how and when consent was obtained, what information was provided to the data subject, and the workflow behind ensuring that the consent included each of the requisite elements.19
In practice, this could look something like this:
For example, in an online context, a data controller could retain information on the session in which consent was expressed, together with documentation of the consent workflow at the time of the session, and a copy of the information that was presented to the data subject at that time. It would not be sufficient to merely refer to a correct configuration of the respective website.20
At OneTrust, we commonly analogize this to a credit card receipt. The receipt serves as evidence that the transaction took place—without it, it is as if the exchange never happened. The concept is the same here — no receipt means no consent.
To address this, organizations can opt to use automated consent management tools that allow for embedding consent management directly into their websites, products, and internal systems, while capturing consent records along the way.
Renew and refresh where applicable
The GDPR does not specify how long a data subject’s consent will remain valid, or whether they degrade over time and/or expire. However, the WP29 has stated that “[h]ow long consent lasts will depend on the context, the scope of the original consent and the expectations of the data subject”; however, “[i]f the processing operations change or evolve considerably then the original consent is no longer valid.”21 Therefore, the WP29 recommends “as a best practice that consent should be refreshed at appropriate intervals.”22 Even if you disagree with interpretation, at the very least, refreshing consents will lend itself to ensuring that data subjects remain informed.
Tools that provide visibility into your organization’s various processing activities and how they evolve over time may be helpful for tracking the validity of consents and whether they need to be refreshed. Furthermore, if consents for a particular processing activity do need to be refreshed, consent management tools can be used to communicate that to the data subject.
Enable consent withdrawal
Under Article 7(3), data subjects have the right to withdraw consent at any time, and withdrawing consent must be as easy as giving it. This means, for example, that “when consent is obtained via electronic means through only one mouse-click, swipe, or keystroke, data subjects must, in practice, be able to withdraw that consent equally as easily.”23
While the GDPR does not specify that giving and withdrawing consent must be able to be achieved through the same means, according to the WP29, “[w]here consent is obtained through use of a service-specific user interface … there is no doubt a data subject must be able to withdraw consent via the same electronic interface, as switching to another interface for the sole reason of withdrawing consent would require undue effort.”24
There are many ways in which this can be achieved — e.g., via web-interface, unsubscribe link, phone call, online preference management, etc. — but, at the end of the day, the goal is to ensure that the chosen process allows for data subjects to withdraw their consent in a way that is no more burdensome than the act of giving consent.
It is important to note that a data subject’s withdrawal of consent does not necessarily mean that the data controller must cease processing and/or erase the personal data. If there is another legal basis that would apply under Article 6, the data controller may “migrate from consent (which is withdrawn) to this other lawful basis” (e.g., performance of a contract).25 However, the data subject must be notified of this change in legal basis in accordance with the information provision requirements found in Articles 13 and 14.
For these reasons, “it is very important that controllers assess the purposes for which data is actually processed and the lawful grounds on which it is based prior to collecting the data. … Controllers should therefore be clear from the outset.”26 Where your organization considers relying on consent for a particular processing activity, make sure to also consider what other lawful grounds might apply — perhaps another is more appropriate, or could serve as a substitute basis in the event that consent is withdrawn.
Synchronize, combine and conquer
As mentioned earlier, the records of processing that you create for compliance with Article 30 can be tweaked to include information about legal basis. You can track what processing activities rely on consent and include details about how consent is obtained, as well as notes on what other legal bases might be appropriate for a given processing activity.
Vice-versa, the consent records that you generate for compliance with Article 7 can be tied back to your records of processing or data subject requests to assist with compliance in those areas, such as if you needed to quickly trace a consent back to a specific processing activity where the data subject has requested withdrawal of their consent and subsequent erasure of their personal data under Article 17(b).
We hear from privacy professionals every day who are working to prepare for the GDPR and looking for solutions. It can feel overwhelming at times — the seemingly endless requirements found in the GDPR, combined with the growing number of “tips,” “steps” and “recommendations” being thrown at them every day (yes, the authors are self-aware). How does the privacy professional balance it all?
If there is a main takeaway from our discussions with organizations who come to us with these concerns, it is this — remember that the GDPR takes a risk-based approach to compliance, is meant to be an ongoing and evolving exercise in privacy and data protection, and that there are many areas of overlap within the GDPR that can be leveraged to your advantage. With the right mindset, tools and some creativity, you can be ready for the GDPR and beyond.