The official recommendations on consent are now in: the Article 29 Working Party (WP29) has published a thorough analysis of consent under the GDPR and its effects in practice. In this article we go over the most important changes and suggestions.
Consent in General
Consent is one of the six lawful processing bases in the GDPR. Article 4(11) defines it as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The GDPR does not significantly change the concept of consent itself, but introduces additional restrictions and procedures for obtaining and handling consents.
Elements of Consent
Several elements are required for any consent to be valid: as stated above, consent must be freely given, specific, informed and unambiguous. In the following sections we summarise the most important recommendations and suggestions of WP29 on each of them.
Data subjects must have a real choice whether to consent or not. Consent must not be a non-negotiable requirement for using a service or site, and refusing it must not affect the use of the services and tools. If it would, the processing is probably better based on a contract than on consent.
For example, a website that requires you to surrender your location data in order to use its features (when that data is not actually needed to provide them) cannot process the data on the basis of consent, because the consent is not considered freely given.
There must also be no clear imbalance of power. Public authorities and employers therefore generally cannot rely on consent for their processing, unless the individual can fully continue using the service, or continue in employment, without ill effects. If there is no real alternative to consenting, or there is a risk of mistreatment or pressure for refusing, processing cannot be based on consent.
Individuals also must have the ability to withdraw consent at any time without any ill effects on other data processing activities or services rendered.
Consent must not be ‘bundled’, i.e. multiple purposes cannot be grouped together under one consent. Individuals should be able to give or refuse consent for each purpose separately. Data controllers are also barred from tying the consent requirement to the provision of services or contracts: processing based on consent must not in any way affect other contractual obligations.
Consent is only valid when given for a specific, legitimate purpose. Several processing operations may be covered by one consent, as long as they serve a single purpose. Data cannot be used for other purposes without obtaining consent again for those purposes.
Each separate purpose must be treated as a separate consent, with all the relevant information provided for it. Consenting to one purpose must not affect the ability to consent, or to revoke consent, for other purposes.
WP29 reiterates the requirement for transparency. One of its key aspects is providing individuals with enough information to make an informed decision on whether to consent or not; without it, consent is invalid.
According to WP29, a consent request must contain at least the following information for the consent to be valid:
- Identity of the controller
- The purpose for processing
- Type of data collected and used
- Explanation of data subject’s rights, including the right to withdraw consent
- Information on the existence of profiling and/or automated decision-making
- Existence of any data transfers to third countries without an adequacy decision
The GDPR does not explicitly prescribe the manner in which this information should be provided. Presumably, written, oral, video or audio messages can all be appropriate. However, regardless of the medium, the substance must be clear to the intended audience.
A consent request must be presented in such a way that it stands out from other information, so that users see it clearly and are not led to consent inadvertently. For example, burying it in a long list of terms and conditions is not allowed.
Consent must be signalled by a clear affirmative action, such as signing a form, agreeing verbally or ticking a checkbox. The bottom line is that consent cannot be assumed, for example from pre-ticked checkboxes or from a statement that “by continuing to use the service, the individual consents to the use of their personal data”.
Consent via electronic means is particularly difficult to collect properly, since it requires a degree of disruption to user experience. However, this disruption (via pop-up or nag windows) is often unavoidable. WP29 fears this might create ‘click fatigue’ in users, resulting in them consenting without having read the notices at all.
Processing of special categories of data, data transfers to third countries and automated decision-making are considered especially risky and require explicit consent. Since regular consent already requires a “clear affirmative act”, it can be difficult to determine how exactly explicit consent, which demands a higher standard, would work in practice.
WP29 holds that ‘explicit’ consent applies to the way consent is expressed. For example, a written and signed statement would be an example of explicit consent. For online services, two-factor authentication, filling in a form, sending a confirmation e-mail or uploading a scan of an ID are considered valid examples of explicit consent. In essence, a consent is explicit when the data subject takes an additional action or step confirming the consent.
Data controllers must at all times be able to demonstrate that they have obtained consent from the data subjects whose data they process. In doing so, however, they must be careful not to go overboard and collect too much data. Proof of consent should be kept after the processing activity ends, but no longer than necessary for compliance with legal obligations or for legal defence.
There are no time limits for the validity of consent, as long as the processing operations remain consistent and true to the purpose for which the consent had been obtained. However, it is recommended that companies refresh consent periodically. This will also ensure that users update their personal data that might have changed.
Companies must inform the individual of their right to withdraw consent at the time of request. Data subjects can withdraw their consent at any time, and withdrawing should be as easy as consenting. If consent was given via a few mouse clicks, data subjects should be able to withdraw their consent with a few mouse clicks as well.
Withdrawing consent must always be free of charge and never result in lower service levels. If it would, then the processing operation most likely shouldn’t have been based on consent in the first place.
After withdrawal, all processing operations should cease immediately and the data should be deleted or anonymised, unless there is another lawful basis on which the company could continue the processing. In that case, it must notify the data subject of its intention to carry on processing under the new lawful basis.
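The consent lifecycle described above (one consent per purpose, an informed request, a clear affirmative action, proof the controller can show later, and withdrawal that is as easy as consenting) is what a consent ledger in an application has to record. The following Python sketch is an added illustration written for this article, not code from the article, from WP29 or from any product; the class and field names, the `REQUIRED_NOTICE_FIELDS` list (mirroring the information items listed above) and the sample notice are all constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Information WP29 says a consent request must carry (constructed field names).
REQUIRED_NOTICE_FIELDS = (
    "controller", "purpose", "data_types", "rights_and_withdrawal",
    "automated_decisions", "third_country_transfers",
)


@dataclass(frozen=True)
class ConsentNotice:
    """The text shown to the data subject for ONE purpose; every field must be filled."""
    version: str                  # which wording was shown; kept with the proof
    controller: str
    purpose: str
    data_types: str
    rights_and_withdrawal: str
    automated_decisions: str      # "none" is an explicit, valid answer
    third_country_transfers: str  # likewise

    def missing(self) -> list[str]:
        return [f for f in REQUIRED_NOTICE_FIELDS if not getattr(self, f).strip()]


@dataclass(frozen=True)
class ConsentEvent:
    """One grant or withdrawal; the newest event per purpose is the current state."""
    purpose: str
    granted: bool
    at: datetime
    notice_version: str
    evidence: str  # how the action was captured, e.g. "checkbox ticked by user"


class ConsentLedger:
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def grant(self, notice: ConsentNotice, evidence: str, preselected: bool = False) -> ConsentEvent:
        # Silence or a pre-ticked box is not a clear affirmative action.
        if preselected:
            raise ValueError("pre-selected choices cannot be recorded as consent")
        # Consent is only valid if it was informed.
        if notice.missing():
            raise ValueError(f"notice incomplete, missing: {notice.missing()}")
        event = ConsentEvent(notice.purpose, True, datetime.now(timezone.utc),
                             notice.version, evidence)
        self._events.append(event)
        return event

    def withdraw(self, purpose: str, evidence: str) -> ConsentEvent:
        # Withdrawal needs no notice and no justification; it only needs recording.
        latest = self.proof(purpose)
        version = latest.notice_version if latest else "n/a"
        event = ConsentEvent(purpose, False, datetime.now(timezone.utc), version, evidence)
        self._events.append(event)
        return event

    def proof(self, purpose: str) -> Optional[ConsentEvent]:
        """Most recent event for a purpose: the record shown to demonstrate consent."""
        for event in reversed(self._events):
            if event.purpose == purpose:
                return event
        return None

    def is_permitted(self, purpose: str) -> bool:
        """True only while the newest event for this purpose is a grant."""
        latest = self.proof(purpose)
        return latest is not None and latest.granted


def process(ledger: ConsentLedger, purpose: str, record: dict) -> dict:
    """Guard that every processing step for a consent-based purpose must pass."""
    if not ledger.is_permitted(purpose):
        raise PermissionError(f"no valid consent for purpose '{purpose}'")
    return {"purpose": purpose, "processed": record}


# Constructed sample notice for a single purpose.
NEWSLETTER_NOTICE = ConsentNotice(
    version="2018-05-v1", controller="Example Ltd (constructed)", purpose="newsletter",
    data_types="e-mail address", rights_and_withdrawal="withdraw any time via the link in each mail",
    automated_decisions="none", third_country_transfers="none",
)

if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant(NEWSLETTER_NOTICE, "checkbox ticked by user")
    print(process(ledger, "newsletter", {"email": "a@example.test"}))
    ledger.withdraw("newsletter", "unsubscribe link clicked")
    print(ledger.is_permitted("newsletter"), ledger.proof("newsletter"))
```

Two design choices follow directly from the guidance: consent is keyed by purpose, so granting or withdrawing one purpose never touches another, and the ledger is append-only, so the controller can always show which notice version the person saw and when they acted, while a withdrawal is a single call with no preconditions.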
Interaction Between Bases
It is possible to process the same data on several lawful bases, as long as the data is processed for a different purpose under each basis. Swapping lawful bases is forbidden: controllers cannot keep bases as “back-ups” in case one proves to be illegitimate.
Other Points of Concern
The requirements for consent are more permissive for scientific research, namely when it comes to purpose limitation. The nature of scientific research can make it difficult to determine the exact purpose in advance; it must, however, be described at least at a general level. Where appropriate, such data should be pseudonymised for additional security. The research must be ethically sound, but the personal data must still be covered by consent.
In a way, the lack of exact purpose can somewhat be mitigated by increasing transparency, so that individuals whose data is being processed can see more precisely what is being done with it. Then, the data subjects can more clearly determine if they want to withdraw their consent. There are no exceptions for withdrawal even if it would undermine the research process. Such data must be anonymised if researchers wish to use it again.
We have already talked extensively about the issue of children’s consent. The practical difficulties of verifying consent are also reiterated by WP29, which recommends data minimisation, so that as little data as possible is collected.
The ‘aggressiveness’ of verifying parental consent should be proportionate to the risk level of data. Verification of consent for low-risk data can be sufficiently achieved via e-mail itself, but in high-risk cases additional safeguards are required – the data controller must show they have taken reasonable efforts to validate consent.
Consent is not required for cases of child protection services when they are offered directly to children.
Existing Consent Under the Data Protection Directive
Currently valid consent does not necessarily need to be refreshed automatically. However, it is extremely likely that it hasn’t been obtained according to the stricter requirements of the GDPR. Every data controller should conduct a detailed analysis to determine if their current consent practices meet the future GDPR standard.
Note that if you are not able to demonstrate consent, it is considered invalid. You must have adequate records of consent; otherwise it is prudent to refresh it according to the GDPR requirements.
If the consent would be invalid under the GDPR, consider whether another lawful basis would be able to replace it. This is the only situation where it is possible to swap between lawful bases, but it is only a “one-off situation” to ease the data controllers into complying with the GDPR.
Overall, the WP29’s interpretation of consent is sound and does not deviate much from what we anticipated. At least in this part of the GDPR, the message is clear and unambiguous: Consent should be explicit and informed, no exceptions. Data controllers must be able to prove the existence of consent and individuals must be notified of their right to withdraw it at any time. It truly is reasonable and in line with the expectations set by the GDPR text itself.