This is part four of a five-week series discussing General Data Protection Regulation (GDPR) and its implications for U.S. businesses and organizations.

Obtaining the consent of the data subject to “process” that individual’s data is a key concept under the General Data Protection Regulation (“GDPR”). Absent a legitimate interest, contractual necessity, or compliance with a legal obligation to justify the data processing at issue, the subject must provide appropriate consent. Given the broad definition of data “processing” activities in Article 4 (“any operation or set of operations which is performed on personal data or on sets of persona data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alternation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”), it is critical that entities subject to the GDPR understand the scope of the consent requirements under the regulation.

The type of consent required under the GDPR is informed consent, akin to the type of consent required in the health care context. Merely having an individual check a box or sign a piece of paper is not enough. You must demonstrate that you gave the individual, in a clear and easy to understand fashion, the information necessary to understand the scope and impact of the data processing and to make an informed choice regarding whether he or she wants to agree to the data processing. To stay in compliance with the GDPR’s consent requirements and obtain informed consent to data processing, entities subject to the GDPR must bear in mind the following:

Transparency. Data processors and controllers may only process an individual’s data if they have first informed the individual of the extent of the data processing and the uses to which the individual’s data will be put. (Recital 39) Specifically, data processors and controllers must inform data subjects of:

  • The identity of the data controller.
  • The specific purposes of the data processing, which must be “explicit and legitimate and determined at the time of the collection of the personal data.”
  • The period for which the personal data will be stored or, if that is not possible, the criteria used to determine the retention period.
  • The right to withdraw consent at any time.
  • Data subjects’ rights to obtain confirmation regarding their personal data that will be processed, including the right to access, correct, or erase personal data.
  • The risks, rules, safeguards, and rights in relation to the processing of personal data.
  • How they may exercise their rights regarding the processing of their personal data.

If the data will be processed for multiple, different purposes, the data subject must be informed of, and consent must be obtained for, each purpose.

Plain language. Any information and communications regarding data processing must be “easily accessible and easy to understand,” and “clear and plain language [must] be used.” (Recital 39) Similarly, consent provisions cannot be “buried” in another, longer document. If consent is given in the context of a document that also addresses other matters, the consent portion of the document must be “clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.” (Article 7(2))

Affirmative act. Consent must be “freely given, specific, informed and unambiguous.” (Recital 32) The data subject must signify his or her consent through an affirmative act, such as by signing a written document, checking a box on a website, or other action that clearly demonstrates the subject’s intent to agree to the data processing. It is not appropriate to set up an “opt-out” system whereby the data subject has consented to the data processing unless he or she takes an affirmative action to show a lack of consent, as “[s]ilence, pre-ticked boxes, or inactivity” does not constitute consent.

Documentation. Whenever data processing is based on the consent of the data subject, the controller must be able to demonstrate that such consent was valid and documented. (Article 7(1))

Withdrawal of consent. A data subject may withdraw his or her consent to data processing at any time. (Article 7(3)) Data subjects must be informed at the time they give consent that such withdrawal will not retroactively invalidate any data processing that took place in accordance with the original consent. Data processors and controllers must make it as easy to withdraw consent as it is to give consent; for example, if a person can give consent to data processing by clicking a checkbox on a website, withdrawal of consent cannot require mailing a paper letter to a post office address.

Invalid consent. Consent is not valid if it is not freely given. For example, “if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment,” consent is not freely given and is thus presumed to be invalid. (Recital 42) Similarly, in situations in which the controller’s performance of a contractual obligation or provision of a service is contingent upon the data subject’s granting of consent to process his or her personal data, consent is presumed to be invalid if data processing is not necessary for the controller to meet its obligations. (Recital 43; Article 7(4))

Consent for use of minors’ data. “Information society services,” which encompass online services such as social media sites, cannot be provided to minors under the age of sixteen without parental consent. (Article 8) (Note that individual Member States may establish laws permitting minors as young as thirteen to access information society services without parental consent.)

Consent for processing special categories of personal data. The processing of sensitive personal data, which is defined as data that reveals the subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data used for identification purposes, health information, and data concerning a person’s sex life or sexual orientation, is prohibited unless the individual has given explicit consent to the processing. (Article 9) Some Member States may prohibit the processing of such data in every situation, regardless of whether the data subject consents.

Limitations on data collection and processing. Data processors and controllers may only collect the personal data needed for the purpose of the data processing activity, and may only retain personal data for the time period needed to carry out the purpose of the data processing. (Recital 39) Personal data may not be retained in perpetuity, nor may personal data be used or processed for any purpose other than that for which the individual gave consent, unless additional consent is obtained or another, legitimate justification for the processing is demonstrated (such as compliance with legal requirements).

The GDPR’s informed consent requirements may come as a shock to many data controllers and processors who are not accustomed to the level of information sharing required to establish informed consent. Companies that are engaged in data collection or processing should carefully scrutinize their existing processes and reach out to legal counsel for assistance in determining changes that should be made to consent processes to ensure compliance with the law.