Click here for audio

The European Union’s General Data Protection Regulation, the GDPR, becomes directly applicable law on May 25, 2018. The Data Privacy Detective explored in prior podcasts the broad scope of personal data, the differences between controllers and processors and other matters, including how processing can be lawful. That includes several specific, limited instances when acquisition and use of personal data can be legitimate in the absence of express consent of the persons whose data are held.

Since the 1995 EU Directive on data privacy, the EU has been known as an “opt-in” area. “Opt-in” means that a person expressly consents in advance to the collection and use of personal data. By contrast, the “opt-out” approach used in many other jurisdictions means the data subject (the person) must “opt out” of use of the individual’s personal data. In the “opt-out” method, a business can post a privacy policy and tell the individual to contact it if the person does not want his or her data used by the business, but otherwise the business will be free to use the data as it wishes pursuant to its privacy policy. That approach requires the person to take affirmative action to instruct the party that holds personal data not to use it for various purposes. So, what does the GDPR say about consent, the primary basis on which it is permissible to gather and use personal data of persons in the EU?

The starting point is Article 4.11, where consent is defined to mean “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data referring to him or her.” This is plain “opt-in” language. Let’s consider each part of this definition.

Article 7 sets forth the Conditions for Consent. Article 7.2 calls for consent to be provided “in a manner which is clearly distinguishable from the other matters.” This rules out a web design with one click - “click here to buy the goods and you thereby consent to our privacy policy.” A distinct choice or form must generally be offered about data privacy matters separate from formation of a contract or other relationship between a person and a second party. 7.3 gives persons the right to withdraw consent, which must be as easy to demand as to grant consent.

“Freely given” means that a website or other form cannot obtain consent implicitly. Article 7.4 says that when performance of a contract is “conditional on consent to the processing of personal data,” the grant of consent should not extend to personal data not needed to perform the contract. As Recital 39 says, information and communication must be “easily accessible and easy to understand.” Recital 42 warns that a consent format “preformulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms.” Preformatted boxes with consent pre-checked cannot be used. “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” Recital 43 adds that consent is not freely given if “there is a clear imbalance between the data subject and the controller.”

The word “specific” in the definition of consent is important. Even if consent is appropriate as to one form of processing, it “is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations.” Businesses must therefore consider having more than one click box when one form of processing may be obvious, but others are not. For example, when a customer buys goods and provides address and payment details for that purpose, this does not express consent to the business using the data for other purposes, such as sharing details with third parties not needed to complete the purchase and delivery of what was ordered.

For consent to be “informed and unambiguous” the use of plain language is needed, as described above, and the wording must be done to comply with the transparency principle of the GDPR, including “to what extent the personal data are or will be processed.” Recital 39. Data subjects must be “made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing.” Recital 39.

When obtaining a minor’s consent, Article 8 does not allow someone under 16 years of age to grant consent without a parent or guardian’s express consent – unless a member state lowers that age to between 13 and 16, as some member states have chosen to do, and others have not.

While some forms of implicit consent will be obvious and appropriate (e.g., EU resident buys a product by internet and supplies delivery address), special categories of personal data demand clear, specific, express consent. Article 9.2.

The GDPR’s general preference for express consent as it defines that means that businesses inside and outside the EU must consider redesigning their forms and processes where personal data will be gathered or used. Privacy by design and privacy by default – pillar concepts of the GDPR – must be the guiding principles of how consent can be obtained and recorded for use later in proving compliance.