Before the GDPR
Consent was always needed, but until now certain ambiguous practices, such as treating inactivity as agreement or using pre-ticked boxes, were allowed. It was also rarely considered that a data subject could withdraw consent after giving it. Take, for instance, consent for cookies. How many websites do you currently see that allow you to withdraw consent for cookies? Or how many times have you registered on a website to access a report, for example, only to realize that you had been subscribed to their newsletter, or that you were receiving offers for items the website owners were selling?
The Data Protection Act contains no definition for consent. However, the Data Protection Directive, to which the Act gives effect, defines consent as follows:
“...any freely given, specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”
To compare, we look at article 4(11) of the GDPR which defines consent as:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
We will discuss each of the requirements for consent under the GDPR later. For now, we note the changes compared with the Directive: consent must also be unambiguous and must be given through a clear affirmative action. These new provisions, though they may seem like a small change, remove the possibility of using pre-ticked boxes or other practices that in some ways “forced” the consent of those less informed about their rights. Explicit consent is required for the processing of sensitive personal data, a requirement that we will later see in the GDPR as well.
What’s more, the Data Protection Act requires that the individual’s wishes are absolutely clear. A consent request should cover the specific processing details, the type of information needed, the purposes of the processing and any other aspects that may affect the individual. Consent is the first basis for processing set out in the Data Protection Act, but other conditions can apply as well, such as legitimate interest.
According to the GDPR
Within the GDPR, there are four main aspects to consent.
As a data controller, you have to make sure data subjects can choose whether or not to give their consent for data processing. Under no circumstances should consent be coerced. Also, since it is important to make sure data subjects have a real choice, consent will not be used as a basis for processing when there is a clear imbalance between the controller and the data subject. Good examples are the case where the controller is a public authority, and the relationship between employer and employee. In the same way, performance of a contract should not be made dependent on consent, unless the processing is necessary for the contract itself.
In the GDPR, consent needs to be specific, meaning it cannot be bundled with other matters. Data subjects need to be told exactly why their data is needed and how it will be used. Consent cannot just be another box to check among a long list of other things. Also, once consent is obtained, the data can be used only for the purposes specified initially. Whenever other purposes arise, the data controller needs to obtain separate consent for the new purposes. For instance, if someone gives you their name and email address to create an account on your website so that they can access certain content, you cannot start sending them emails about products you are selling. The initial consent was not given for marketing purposes.
The data subject needs to know not only the purpose of the processing but also the identity of the controller. Otherwise, consent is not considered valid. Also, the language in which consent is requested has to be easy to understand for someone who has no legal knowledge.
Finally, the data subject’s wishes need to be clear. This means that pre-ticked boxes are not valid consent. Inactivity is not valid either: the idea that “if you proceed, or if you don’t disagree, you agree” does not count as consent. Consent has to be consent in the real sense of the word, without any room for interpretation.
When dealing with special categories of data (data revealing racial or ethnic origin, political opinions or religious beliefs, data concerning health, and biometric and genetic data), consent needs to be explicit. This means there needs to be a clear and affirmative action by the data subject. Bear in mind, however, that processing special categories of data is prohibited, with only a few exceptions.
Processing the data of children is another special case. The child’s consent alone is not enough: if the child is younger than 16, parental consent is required.
Another question many people ask is what will happen to consent obtained prior to the GDPR. Should it be re-obtained? The short answer is no. The longer answer is that if you do not re-obtain it, you need to be able to provide records of how you obtained consent in the first place. You will also need to offer the data subject the possibility to withdraw consent, should they wish to.