The requirements around consent for processing data have been strengthened by the General Data Protection Regulation (GDPR).
This means that where a business intends to rely on consent for the lawful processing of personal data, they must be able to demonstrate that valid consent has been received from each individual whose personal data is being processed.
Lawful basis for processing data under the GDPR
To be a valid lawful basis for processing data, consent must be freely given, specific, informed, unambiguous and be in plain language. Individuals also have the right to withdraw consent at any time and it must be as easy to withdraw as to give consent.
Consent will not be regarded as freely given if the individual has no genuine or free choice or is unable to refuse or withdraw consent without detriment eg in an employee / employer relationship. If processing has multiple purposes, consent should be obtained for each of them. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations. For consent to be informed, the individual should be aware of the identity of the controller and the processor and the purpose of the processing. An unambiguous indication of an individual’s consent may include ticking a box when visiting a website or a statement or conduct which clearly indicates the individual’s acceptance of the proposed processing of their personal data eg responding to an email requesting consent. Silence, pre-ticked boxes or inactivity will not constitute consent. The onus will be on the business to demonstrate that consent has been received and so a record should be kept which evidences consent.
Age of consent under the GDPR
Under the GDPR, the age of consent in relation to digital services is 16 but the Irish Government recently announced that it will lower this to 13 years. This means that businesses will need to get consent from the parent or guardian before they allow children under the age of 13 to access their online services.
Special categories of data under the GDPR
Where special categories of personal data are processed (such as data relating to health, political opinions or religious beliefs) an individual must give explicit consent unless the business proposes to rely on another basis as set out in the GDPR to process the individual’s personal data eg processing is necessary to perform obligations under employment, social security or social protection law.