“What's in a name? That which we call a rose by any other name would smell as sweet” said Juliet to Romeo in William Shakespeare’s famed romantic play, indicating that her love for him was no less despite his status as a member of the rival house Montague.
Yet when it comes to consent, it seems a name - or, perhaps more accurately, a qualifying adjective - can make a big difference. The concepts of “unambiguous” consent and “explicit” consent under the GDPR have attracted excited debate - is there a difference between the two and, if so, why does it matter?
Why does the issue arise?
If relying on consent to collect and use an individual’s personal data, the GDPR says that this consent must be:
- “unambiguous” if the data in question is ordinary, non-sensitive personal data (Art 6 of the GDPR says that “consent” is needed, and Art 4 defines consent to be “unambiguous” - hence “unambiguous” consent); but
- “explicit” if the data in question is sensitive personal data (i.e. relates to any of the categories of sensitive data listed in Art 9(1) of the GDPR, such as physical or mental health data, racial or ethnic origin, and so on).
But is there a difference? Isn’t “consent” consent, regardless of whether given unambiguously or explicitly? After all, GDPR says that consent, whether or not explicit, should be given “by a statement or by a clear affirmative action” and “signif[y] agreement to the processing of personal data” (Art 4). Recital 32 adds to this, saying that any consent “should be given by a clear affirmative act … such as by a written statement, including by electronic means, or an oral statement.”
So when you take all that into account, does it make qualifiers like “unambiguous” and “explicit” redundant? Are they simply an oversight of the legislative drafting process?
There IS a difference!
In fact, no. The issue of what standard of consent should apply under the GDPR went all the way to the wire, with the original Commission proposal calling for “explicit” consent in all cases, both ordinary and sensitive data processing. In its original proposal, it said: “In the definition of consent, the criterion 'explicit' is added to avoid confusing parallelism with 'unambiguous' consent and in order to have one single and consistent definition of consent, ensuring the awareness of the data subject that, and to what, he or she gives consent.”
The issue of what flavour of consent should prevail ran the entire course of the legislative negotiations between the Commission, Council and Parliament, only finally being resolved in December 2015, when the negotiated text of the GDPR was eventually agreed. And, by this time, “explicit” consent had become “unambiguous” consent - at least for ordinary personal data - as the covering notes reveal: “On the final outstanding issues that were discussed in trilogue, the following balance was achieved. The way in which consent is to be given by data subjects remains “unambiguous” for all processing of personal data, with the clarification that this requires a “clear affirmative action”, and that consent has to be “explicit” for sensitive data.”
There you have it then. This was no drafting oversight, but a clear and conscious compromise between the negotiating parties - even if a reluctant one. The fact that they settled on different qualifiers (unambiguous vs. explicit) for the different types of data (ordinary vs sensitive) is a clear linguistic indicator that there is a difference between the two - especially when you understand the history as to how these positions were reached.
It shouldn’t be a surprise really - when a piece of legislation has been debated as long and hard as the GDPR was (four years!), would legislators really make such a simple error on such a critical point of the new law? Clearly not.
So WHAT is the difference?
If you accept there is a difference between “unambiguous” and “explicit” consent, the question then becomes “what is the difference?” What the GDPR makes crystal clear is that even unambiguous consent must be given by an affirmative action - so does that mean implied consent is no longer possible?
To answer that, let’s start with the easy case first. If someone says “Yes, I agree” or ticks an unchecked box to say “I consent”, they have indicated their consent through an affirmative action. Not only that, but they have done so through an explicit affirmative action - sufficient to satisfy the consent requirements for both ordinary personal data AND sensitive personal data processing.
But what about a situation where an individual never says “I agree”, and never ticks a box to say “I consent”? In these cases, they are not giving any kind of explicit consent - but can their consent still be inferred or implied?
The short answer is yes, but only provided certain conditions are met. While it’s certainly true that the GDPR says “Silence, pre-ticked boxes or inactivity should not … constitute consent” (Recital 32), it’s worth noting that it also says consent can be given through “another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data” (Recital 32 again).
Consider, for example, a web visitor entering an online competition. The visitor completes the entry form providing his name and address details, these being necessary to enter. In addition, he enters his e-mail address into an e-mail field marked “optional”, with a short disclaimer underneath reading “Enter your e-mail address to receive information about products and services we think will interest you”.
Or consider the patient who walks into a doctor’s office and tells the doctor all about the medical ailment from which he or she is suffering, while the doctor enters notes into his computer system. Or the person who drops their car off at the mechanic and gives their phone number so the mechanic can call them once their car is ready.
In each of these scenarios, could it be said that the individual gave their “explicit” consent? It’s doubtful - at no point did they explicitly tick, sign or say anything indicating “I agree to the processing of my personal data by X for the purposes of Y and Z”. And yet, in each case, it’s hard to deny that consent has been given through “an affirmative act” by means of a “statement or conduct which clearly indicates in this context the data subject’s acceptance”.
Put another way, their consent is unambiguous and implied, but not explicit.
WHY does this even matter?
The reason is simple: the two different models of consent translate into very different engineered solutions within products and services. In one, the “explicit” consent model, nothing short of an opt-in tick box or declaratory consent statement will do. In the other, the “unambiguous” consent model, a prominent notice, together with an “affirmative action”, may suffice to obtain implied consent without the need for an opt-in box.
That’s not to say that implied consent is appropriate in all contexts - depending on your audience (e.g. children), the nature of the data (e.g. legally sensitive data, or other sensitive data like bank details or social security numbers), or simply the context in which the data is collected, then it may be that an explicit, opt-in style consent is appropriate or legally required. But it’s not required in all cases - and this can make a big difference in terms of the interface presented to the user and how he or she interacts with the product or service in question.
All in all, then, “unambiguous” and “explicit” consent are not simply a rose by any other name, but nor are they chalk and cheese. Both rely on clear transparency, an “affirmative action” (whether explicitly given or inferred through conduct), and a subsequent right of withdrawal (i.e. opt-out). Their differences are subtle, but their similarities are great.