NOTE: What might appear to be a lengthy article below is a mere summary of requirements as set out in the GDPR. The reader might be well advised to supplement this content with further detailed material as supplied, for example, by the Article 29 Working Party. The content also has a UK bias, with e.g. references to the ‘BT phone disc’ and the ‘open electoral register’.
The content below covers the following:
Elements of valid consent
Withdrawal of consent
Children and consent
Data subjects’ rights
Consent obtained under the old Directive
Consent remains one of six lawful bases to process personal data, as listed in Article 6 of the GDPR. When initiating activities that involve processing of personal data, a controller must always take time to consider what would be the appropriate lawful ground for the envisaged processing. When asking for consent, a controller has the duty to assess whether it will meet all the requirements to obtain valid consent. If obtained in full compliance with the GDPR, consent is a tool that gives data subjects control over whether or not personal data concerning them will be processed. If not, the data subject’s control becomes illusory and consent will be an invalid basis for processing, rendering the processing activity unlawful.
Many organisations’ generic privacy notices prove inadequately transparent, or impractical, when informing individuals about or requesting their use of consent as a lawful basis for processing of personal data. Consent is at the very heart of data protection. If an individual does not understand what you are doing with their personal data, the practical effect is that you can’t do it, whatever it is. The same is true for consent – if a person doesn’t understand what you’re doing, you can’t argue that they have consented to it.
In support of the generic privacy notice, layered and granular information can be an appropriate way to deal with the two-fold obligation of being precise and complete on the one hand and understandable on the other hand.
Elements of valid consent
The GDPR is clear – ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
FREELY GIVEN – The element ‘free’ implies real choice and control for individuals. It is probably better described when asking whether an indication is not freely given. Consider Recital 42 which states: Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
And Recital 43 – In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller. Consider, for example, that it is unlikely that an employee would be able to respond freely to a request for consent from his/her employer to, say, activate monitoring systems such as camera-observation in a workplace, or to fill out assessment forms, without feeling any pressure to consent. For the majority of such data processing at work, the lawful basis cannot and should not be the consent of the employees. In this particular example it’s likely the employer could rely on a legitimate interest instead.
Recital 43 continues - Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case.
Article 7 – When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. If your app doesn’t need, say, location data to function – you can’t ask for it as a condition for using your app. If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given.
SPECIFIC – Article 6 states that processing shall be lawful only if and to the extent that…(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes. The specific purposes for which personal data are processed should be explicit and legitimate.
Recital 32 states: Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. Bundling consent with acceptance of terms or conditions, or ‘tying’ the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract or service, is considered highly undesirable. A service may involve multiple processing operations for more than one purpose. In such cases, the data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes. It’s obvious then, that blanket consent for future or further processing is not allowed.
To comply with the element of 'specific' the controller must apply:
Purpose-specification as a safeguard against function creep;
Granularity in consent requests; and
Clear separation of information related to obtaining consent for data processing activities from information about other matters.
Correctly setting up and maintaining your data mapping is crucial.
INFORMED – Providing information to data subjects prior to obtaining their consent is essential in order to enable them to make informed decisions, understand what they are agreeing to, and for example, exercise their right to withdraw their consent. This relates directly to the adequacy (or not) of a generically produced privacy notice.
The consequence of not complying with the requirements for informed consent is that consent will be invalid and the controller may be in breach of Article 6 of the GDPR.
For consent to be informed, it is necessary to inform the data subject of certain elements that are crucial to make a choice. The Article 29 Working Party is of the opinion that, at least, the following information is required for obtaining valid consent:
the controller’s identity,
the purpose of each of the processing operations for which consent is sought,
what (type/s of) data will be collected and used,
the existence of the right to withdraw consent,
where relevant, information about the use of the data for automated decision-making, and
on the possible risks of international data transfers due to absence of an adequacy decision and of appropriate safeguards
How to provide the information – The GDPR does not prescribe the form or shape in which information must be provided in order to fulfil the requirement of informed consent. This means valid information may be presented in various ways, such as written or oral statements, or audio or video messages. However, the GDPR puts several requirements for informed consent in place.
Recital 32 – Consent should be given by a clear affirmative act… such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
When seeking consent, controllers should ensure that they use clear and plain language in all cases. This means a message should be easily understandable for the average person and not only for lawyers. Controllers cannot use long privacy notices that are difficult to understand or statements full of legal jargon. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form. This requirement essentially means that information relevant for making informed decisions on whether or not to consent may not be hidden in general terms and conditions.
A controller must assess what kind of audience it is that provides personal data to their organisation. For example, in case the targeted audience includes data subjects that are underage, the controller is expected to make sure information is understandable for minors.
Article 7(2) addresses pre-formulated written declarations of consent which also concern other matters. When consent is requested as part of a (paper) contract, the request for consent should be clearly distinguishable from the other matters. If the paper contract includes many aspects that are unrelated to the question of consent to the use of personal data, the issue of consent should be dealt with in a way that clearly stands out, or in a separate document. Likewise, if consent is requested by electronic means, the consent request has to be separate and distinct, it cannot simply be a paragraph within terms and conditions or buried in a lengthy privacy notice. To accommodate for small screens or situations with restricted room for information, a layered way of presenting information can be considered, where appropriate, to avoid excessive disturbance of user experience or product design.
UNAMBIGUOUS INDICATION – It must be obvious that the data subject has consented to the particular processing. A ‘clear affirmative act’ means that the data subject must have taken a deliberate action to consent to the particular processing. A controller must also beware that consent cannot be obtained through the same motion as agreeing to a contract or accepting general terms and conditions of a service. Blanket acceptance of general terms and conditions cannot be seen as a clear affirmative action to consent to the use of personal data.
In the digital context, many services need personal data to function, hence, data subjects receive multiple consent requests that need answers through clicks and swipes every day. This may result in a certain degree of click fatigue i.e. when encountered too many times, the actual warning effect of consent mechanisms is diminishing.
This results in a situation where consent questions are no longer read. This is a particular risk to data subjects, as, typically, consent is asked for actions that are in principle unlawful without their consent. The GDPR places upon controllers the obligation to develop ways to tackle this issue.
An often-mentioned example to do this in the online context is to obtain consent of Internet users via their browser settings. Such settings should be developed in line with the conditions for valid consent in the GDPR, as for instance that the consent shall be granular for each of the envisaged purposes and that the information to be provided, should name the controllers.
Explicit consent is required in certain situations where serious data protection risk emerge, hence, where a high level of individual control over personal data is deemed appropriate. Under the GDPR, explicit consent plays a role in:
Article 9 on the processing of special categories of data,
the provisions on data transfers to third countries or international organisations in the absence of adequate safeguards in Article 49, and
in Article 22 on automated individual decision-making, including profiling
The term ‘explicit’ refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent. An obvious way to make sure consent is explicit would be to expressly confirm consent in a written statement. Where appropriate, the controller could make sure the written statement is signed by the data subject, in order to remove all possible doubt and potential lack of evidence in the future. However, such a signed statement is not the only way to obtain explicit consent and, it cannot be said that the GDPR prescribes written and signed statements in all circumstances that require valid explicit consent. For example, in the digital or online context, a data subject may be able to issue the required statement by filling in an electronic form, by sending an email, by uploading a scanned document carrying the signature of the data subject, or by using an electronic signature.
Two-stage verification of consent can also be a way to make sure explicit consent is valid. For example, a data subject receives an email notifying them of the controller’s intent to process a record containing medical data. The controller explains in the email that he asks for consent for the use of a specific set of information for a specific purpose. If the data subject agrees to the use of this data, the controller asks him or her for an email reply containing the statement ‘I agree’. After the reply is sent, the data subject receives a verification link that must be clicked, or an SMS message with a verification code, to confirm agreement.
Article 7 of the GDPR sets out additional conditions for valid consent, with specific provisions on keeping records of consent and the right to easily withdraw consent. Article 7 also applies to consent referred to in other articles of GDPR, e.g. Articles 8 (Children) and 9 (Special categories).
Recital 42 states: Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.
Controllers are free to develop methods to comply with this provision in a way that is fitting in their daily operations. At the same time, the duty to demonstrate that valid consent has been obtained by a controller, should not in itself lead to excessive amounts of additional data processing. This means that controllers should have enough data to show a link to the processing (to show consent was obtained) but they shouldn’t be collecting any more information than necessary.
After the processing activity ends, proof of consent should be kept no longer then strictly necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims, in accordance with Article 17(3)(b) and (e).
For instance, the controller may keep a record of consent statements received, so he can show how consent was obtained, when consent was obtained and the information provided to the data subject at the time shall be demonstrable. The controller shall also be able to show that the data subject was informed and the controller´s workflow met all relevant criteria for a valid consent. The rationale behind this obligation in the GDPR is that controllers must be accountable with regard to obtaining valid consent from data subjects and the consent mechanisms they have put in place. For example, in an online context, a controller could retain information on the session in which consent was expressed, together with documentation of the consent workflow at the time of the session, and a copy of the information that was presented to the data subject at that time. It would not be sufficient to merely refer to a correct configuration of the respective website.
There is no specific time limit in the GDPR for how long consent will last. How long consent lasts will depend on the context, the scope of the original consent and the expectations of the data subject. If the processing operations change or evolve considerably then the original consent is no longer valid. If this is the case, then new consent needs to be obtained.
It is considered best practice that consent should be refreshed at appropriate intervals. Providing all the information again helps to ensure the data subject remains well informed about how their data is being used and how to exercise their rights.
Using publicly available data or data from third parties
There are legitimate public sources for addresses (the open electoral register) and phone numbers (the BT phone disc, which includes all residential phone numbers that are not ex-directory). And the GDPR does not stop you from buying marketing lists. However, if your data source is illegitimate or the seller not accredited or you can’t verify that the individuals gave specific consent to your organisation, you cannot comply with the principle of ‘lawfulness, fairness and transparency’.
There are numerous, recent examples of enforcement notices and monetary penalties against organisations who fail to ensure that they do indeed have the proper consent and that the data was fairly obtained. An organisation that shares or sells data to you is a data controller, but you become the data controller for it once it is received. You cannot claim innocence or ignorance if it turns out that the data is stolen, or the supplier has misrepresented the purposes for which it was obtained.
The onus is on the data controller (that’s you) to ensure that they have consent, and that data that they obtain is fairly obtained. Assurances from the data supplier are not enough; you need evidence that the data is what they claim it to be.
Withdrawal of consent
The controller must ensure that consent can be withdrawn by the data subject as easy as giving consent, and at any given time. The GDPR does not say that giving and withdrawing consent must always be done through the same action. However, when consent is obtained via electronic means through only one mouse-click, swipe, or keystroke, data subjects must, in practice, be able to withdraw that consent equally as easily. Where consent is obtained through use of a service-specific user interface (for example, via a website, an app, a log-on account, the interface of an IoT device or by e-mail), there is no doubt a data subject must be able to withdraw consent via the same electronic interface, as switching to another interface for the sole reason of withdrawing consent would require undue effort. Furthermore, the data subject should be able to withdraw his/her consent without detriment. This means, inter alia, that a controller must make withdrawal of consent possible free of charge or without lowering service levels.
The requirement of an easy withdrawal is described as a necessary aspect of valid consent in the GDPR. If the withdrawal right does not meet the GDPR requirements, then the consent mechanism of the controller does not comply with the GDPR.
As a general rule, if consent is withdrawn, all data processing operations that were based on consent and took place before the withdrawal of consent - and in accordance with the GDPR - remain lawful, however, the controller must stop the processing actions concerned. If there is no other lawful basis justifying the processing (e.g. further storage) of the data, they should be deleted by the controller.
This is why it is very important that controllers assess the purposes for which data is actually processed and the lawful grounds on which it is based prior to collecting the data. Often companies need personal data for several purposes, and the processing is based on more than one lawful basis, e.g. customer data may be based on contract and consent. Hence, a withdrawal of consent does not mean a controller must erase data that are processed for a purpose that is based on the performance of the contract with the data subject. Controllers should therefore be clear from the outset about which purpose applies to each element of data and which lawful basis is being relied upon.
Compared to the old directive, the GDPR creates an additional layer of protection where personal data of vulnerable natural persons, especially children, are processed. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The words ‘in particular’ indicate that the specific protection is not confined to marketing or profiling but includes the wider ‘collection of personal data with regard to children’.
Article 8(1) states that where consent applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Regarding the age limit of valid consent, the GDPR provides flexibility. Member States can provide by law a lower age, but this age cannot be below 13 years. Note that the consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.
As mentioned in section 3.1. on informed consent, the information shall be understandable to the audience addressed by the controller, paying particular attention to the position of children. In order to obtain “informed consent” from a child, the controller must explain in language that is clear and plain for children how it intends to process the data it collects. If it is the parent that is supposed to consent, then a set of information may be required that allows adults to make an informed decision.
The controller must be aware of those different national laws, by taking into account the public targeted by its services. In particular it should be noted that a controller providing a cross-border service cannot always rely on complying with only the law of the Member State in which it has its main establishment but may need to comply with the respective national laws of each Member State in which it offers the information society service(s). This depends on whether a Member State chooses to use the place of main establishment of the controller as a point of reference in its national law, or the residence of the data subject.
When providing information society services to children on the basis of consent, controllers will be expected to make reasonable efforts to verify that the user is over the age of digital consent, and these measures should be proportionate to the nature and risks of the processing activities.
Although the need to undertake reasonable efforts to verify age is not explicit in the GDPR it is implicitly required, for if a child gives consent while not old enough to provide valid consent on their own behalf, then this will render the processing of data unlawful.
If the user states that he/she is below the age of digital consent then the controller can accept this statement without further checks but, will need to go on to obtain parental authorisation and verify that the person providing that consent is a holder of parental responsibility. Age verification should not lead to excessive data processing. The mechanism chosen to verify the age of a data subject should involve an assessment of the risk of the proposed processing. In some low-risk situations, it may be appropriate to require a new subscriber to a service to disclose their year of birth or to fill out a form stating they are (not) a minor.
Article 8(2) particularly adds that ‘The controller shall make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology’
Regarding the authorisation of a holder of parental responsibility, the GDPR does not specify practical ways to gather the parent’s consent or to establish that someone is entitled to perform this action. As a general rule, controllers should adopt a proportionate approach and avoid verification solutions which themselves involve excessive collection of personal data. WP29 acknowledges that there may be cases where verification is challenging (for example where children providing their own consent have not yet established an ‘identity footprint’, or where parental responsibility is not easily checked. This can be taken into account when deciding what efforts are reasonable, but controllers will also be expected to keep their processes and the available technology under constant review.
Data subjects’ rights
If a data processing activity is based on a data subject’s consent, this will affect that individual’s rights. Data subjects may have the right to data portability (Article 20) when processing is based on consent. At the same time, the right to object (Article 21) does not apply when processing is based on consent, although the right to withdraw consent at any time may provide a similar outcome.
Articles 16 to 20 of the GDPR indicate that (when data processing is based on consent), data subjects have the right to erasure when consent has been withdrawn and the rights to restriction, rectification and access.
Consent obtained under the old Directive 95/46/EC
Recital 171 – Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation
For example, as the GDPR requires that a controller must be able to demonstrate that valid consent was obtained, all presumed consents of which no references are kept will automatically be below the consent standard of the GDPR and will need to be renewed. Likewise, as the GDPR requires a ‘statement or a clear affirmative action’, all presumed consents that were based on a more implied form of action by the data subject (e.g. a pre-ticked opt-in box) will also not be apt to the GDPR standard of consent.
Furthermore, to be able to demonstrate that consent was obtained or to allow for more granular indications of the data subject’s wishes, operations and IT systems may need revision. Also, mechanisms for data subjects to withdraw their consent easily must be available and information about how to withdraw consent must be provided. If existing procedures for obtaining and managing consent do not meet the GDPR’s standards, controllers will need to obtain fresh GDPR-compliant consent. Think too about the children – parental consent – age verification mechanisms etc.
If a controller finds that the consent previously obtained under the old legislation will not meet the standard of GDPR consent, then controllers must undertake action to comply with these standards, for example by refreshing consent in a GDPR-compliant way. Under the GDPR, it is not possible to swap between one lawful basis and another. If a controller is unable to renew consent in a compliant way and is also unable –as a one-off situation- to make the transition to GDPR compliance by basing data processing on a different lawful basis while ensuring that continued processing is fair and accounted for, the processing activities must be stopped. In any event the controller needs to observe the principles of lawful, fair and transparent processing.
Most organisations, as they began or refreshed their GDPR compliance journeys would (or should) have completed a review of their organisation processes, purposes for processing personal data, their associated lawful bases and the like. This data mapping exercise should have presented a baseline against which the organisation could establish any compliance gaps. With regards consent, whether in respect of prior consent or, going forward, the kinds of questions to be asked include, but are not limited to:
Is the processing purpose lawful?
Is consent a valid lawful basis for this purpose?
Is (and was) consent the appropriate lawful basis for this purpose?
Has the personal data been fairly obtained and can you demonstrate this?
Are your data subjects properly and timeoulsy informed?
Are they given the relevant and appropriate choices and can they easily withdraw consent?
Is your relationship with third party suppliers under written contract?
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018