The UK Information Commissioner’s Office (ICO) recently published draft guidance on obtaining consumer consent under the upcoming EU General Data Protection Regulation (GDPR), which goes into effect in May 2018. The ICO has requested feedback on its recommendations to help companies review their practices for seeking, obtaining, and recording consents.
As under the existing Data Protection Directive, the GDPR requires that consent be freely given, specific, informed and accompanied by an indication signifying agreement. According to the ICO’s guidance, however, GDPR is clearer that an indication of consent must be “unambiguous” and involve a “statement” or a “clear affirmative action.” As a result, the draft guidance directs companies to use more granular opt-in methods, while maintaining good records of consent and simple and easy-to-access ways for people to withdraw consent at any time. Specifically, the ICO notes that pre-ticked opt-in boxes are invalid; consents must be kept separate from other terms and conditions; consents should not be a precondition of signing up to a service; and any third parties who will rely on the consumer’s consent must be named. The ICO has also provided checklists in its guidance that set out steps for obtaining valid consent under GDPR.
Companies should keep in mind that consent is not always required, and there may be another lawful basis for processing data that is more appropriate. Moreover, consumers generally have stronger rights under GDPR when processing is based on consent—for example, the “right to be forgotten” and the right to data portability. If a company’s existing consent mechanisms meet the GDPR standard, there is no need to obtain fresh consent. Either way, as noted in prior posts, companies should be assessing their current practices and creating new internal procedures as needed to ensure compliance.
TIP: Companies with comments on this draft guidance should consider providing feedback to the ICO using a form available here by March 31. The ICO will publish a summary of responses received. Watch this space for updates based on the ICO’s final published guidance, expected in May.