The Article 29 Working Party, the independent European Union advisory body on data protection and privacy, has published draft guidelines on the requirements for obtaining valid consent under the EU General Data Protection Regulation. This guidance comes on the heels of a well-timed announcement from IAB Europe that it is developing an industry consent solution that would allow publishers to obtain consent for third-party advertisers and ad tech companies to collect personal data from their website users. The GDPR, which was passed in April 2016 and will begin to be enforced on May 25, 2018, will impact businesses established in the EU, as well as businesses based outside the EU that offer goods and services to, or monitor individuals in, the EU. The GDPR is intended to harmonize data privacy laws across Europe and strengthen privacy protections for individuals within the EU. Penalties for violating the GDPR could be hefty. Organizations can be fined up to 4 percent of their annual global turnover for the most serious violations – including failing to obtain sufficient consent to process data.

Consent Guidelines

Consent is one of the six lawful bases for processing data under the GDPR. The GDPR defines consent as:

  • freely given;
  • specific;
  • informed; and
  • an unambiguous indication that a data subject agrees, through a statement or clear affirmative action, to the processing of his or her personal data.

The Working Party’s guidelines clarify each element of the definition and address any potential exceptions.

Freely given. The guidelines emphasize the need for individuals to have a genuine and consequence-free choice to provide consent. This means that a service cannot be conditioned on consent (unless the information is necessary in order to provide the service), and the individual should not be subject to higher fees, downgraded service or other penalties as a consequence of failing to give consent or of withdrawing consent. Unless consent is necessary to provide the service, it cannot be “bundled up” as part of non-negotiable terms and conditions. The guidelines also introduce the concept of granularity. When there are multiple purposes for processing data, granularity would require a separate opt-in consent for each processing purpose. As an example, if a company collects an email address both for marketing purposes and to share with company affiliates, the Working Party advises that the company should obtain a separate opt-in consent for each processing purpose, allowing the individual to agree to receive emails but not to have the email shared with affiliates (or vice versa).

Specific. A request for consent should specify the purpose for which the data is processed, be sufficiently granular and be separated from other matters. The goal here is to avoid what the Working Party refers to as “function creep” – the gradual widening of purposes for which data is processed after the initial consent is obtained. Data collected for one purpose cannot subsequently be used for another purpose unless the individual gives an additional consent for that purpose.

Informed. A controller must ensure that consent is given on the basis of information that allows individuals to easily identify who the controller is and to understand to what they are giving consent. Therefore, the controller must provide:

  • the controller’s identity;
  • the purpose for which the data will be used;
  • the type of data that will be collected and used;
  • the existence of the right to withdraw consent; and
  • if the consent relates to transfers, information about the possible risks of data transfers to third countries.

If multiple controllers will rely on the consent, each of those parties should be identified. Companies engaging in automated decision-making or profiling must disclose that use as well. The guidelines note that the GDPR does not prescribe the form in which the required information must be provided. Valid information may be presented in a number of ways, including written or oral statements, or audio or video messages.

Unambiguous. Under the GDPR, consent requires a statement or a clear affirmative act from the data subject. Pre-checked boxes, silence or inactivity on the part of the data subject, as well as merely proceeding with a service, are not active indications of choice.

Public comment on the proposed guidelines is open through Jan. 23, 2018.

IAB Europe’s Consent Solution

IAB Europe’s GDPR Implementation Working Group has been developing an industry consent solution for both mobile and desktop that they plan to roll out in 2018. The proposed tool would allow publishers to request, obtain and store “global” (valid on all of the party’s properties on the internet) or “service-specific” (valid on a specific property) consent for data processing undertaken by themselves or their third-party partners. Importantly, the tool would enable publishers to update the information on which party is collecting data and the purposes for which the data is collected on a dynamic basis, satisfying the GDPR’s requirement that consent be informed and specific. IAB Europe’s solution will rely on an industry-managed central vendor list. To be eligible for the vendor list, third parties will need to commit to a set of principles, policies and minimum standards and to keep all of the relevant information about their practices and partnerships up to date. Companies who want to stay informed on the progress and launch of the tool can sign up for updates here.

Key Takeaways:

  • The Working Party, as it has in previous guidance documents, takes a fairly conservative approach in its interpretation of the requirements for obtaining valid consent – suggesting that consent needs to be not only specific as to the purposes of processing, but also granular in its presentation so that individuals can choose the forms of processing to which they will consent.
  • The Working Party acknowledges the “click-fatigue” that results when users have to click multiple boxes in order to move forward on a website or mobile app. The guidance makes it clear that it is the burden of the data controller to apply the principles of privacy by design to create solutions that will meet the standards for consent, without burdening the user’s experience.
  • The guidelines make several references to the concept of companies conducting their own focus groups or studies, which would both help develop user-friendly mechanisms that satisfy the GDPR’s requirements and be used to document and make evident that a company’s practices are GDPR-compliant in the event of a complaint.
  • Ultimately, obtaining consent, particularly within the complex digital advertising ecosystem, will require some level of cooperation. Industry solutions, like IAB EU’s consent mechanism, will be essential to finding a path forward to comply with the GDPR without radically transforming the digital advertising industry.