What is consent?
Consent has always been an essential part of any interaction that involved the sharing of personal details. However, with the implementation of the General Data Protection Regulation (GDPR), consent has been receiving a lot of close reviews. Read more about GDPR here.
Article 4 of the GDPR defines consent as
"‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"
Consent gives the data subjects (the users) real choice and control over the processing of their data. It helps in building trust and confidence and improves your (the data controller) relationship with the data subject. It is a safe practice to follow to protect the rights of people.
This article explores the requirements of consent and how you can manage it.
When is consent required and when it is not?
Consent may be one of the vital parts of the GDPR, but it is not always required. Article 6 of GDPR states six lawful bases for processing the data and consent is one of them. The other five are:
- Contractual Obligation: the processing is necessary for the performance of a contract the data subject is part of or to perform a task requested by the data subject before entering into a contract.
- Legal Obligation: the processing is necessary for complying with a legal obligation under the laws of EU member states.
- Vital Interests: the processing is necessary to protect the vital interests of the data subject or any other natural person.
- A Public Task: the processing is necessary to carry out a public task, or you are a public authority.
- Legitimate Interests: the processing is necessary to carry out for your legitimate interests or of any third party. An exception is when the legitimate interest is outweighed by the interest or fundamental rights and freedom of the data subject, especially if it is a child.
If any of these five bases apply, you might not require consent from the data subjects. However, this is conditional. If the processing of data might put the fundamental rights and freedom of the data subjects at risk, it is reasonable to request their consent. It also applies when the processing involves ‘sensitive’ data such as information about data subject’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life, or sexual orientation.
What are GDPR consent requirements?
There are four conditions for consent laid out by GDPR:
- You must be able to demonstrate that they obtained consent from the data subject before processing the data. It can be achieved by well documenting the consent obtained.
- If the consent request is in the form of a written declaration, then it must be presented in clear and plain language. It should be easily accessible and distinguishable from other declarations.
- The data subjects have the right to withdraw their consent at any time, and you should share this information before they grant consent. Withdrawing consent should be made as easy as it was to give it.
- When assessing whether the consent is freely given, irrespective of any contract the data subject is under, the processing should not be based on data not required for completing the contract.
In the case of children, you must make sure they meet the minimum age requirement (16 years); otherwise, ask for parental consent. The minimum age requirement is subject to the laws of respective EU member states but should not be below 13 years.
GDPR further details the requirements for valid consent.
The data subjects should not feel compelled to give consent to process their personal data. It includes not being able to give consent because of non-negotiable terms and conditions. In short, any consent that prevents the data subjects from exercising their free will is invalid.
Consent is valid when
- the purpose of the data collection is specified;
- it is granular, i.e., separate consent request for different activities; and
- information relating to it is clearly distinguishable from information about other matters.
For consent to be informed, you must inform the data subjects about the following:
- your identity;
- the intended purpose of the processing;
- the type of data that will be collected and used;
- where the data will be used and stored, and for how long;
- the right to withdraw consent;
- the use of the data for automated decision-making where relevant; and
- the possible risks of data transfer and the appropriate safeguard measures.
A consent is unambiguous when it is given by explicit affirmative action, such as written statements, including by electronic means, or oral statements. It includes consent obtained via tick boxes, technical settings changed by the data subject or any clear statement that indicates the data subject’s agreement. However, silent, pre-ticked boxes and inactivity are not valid consent.
The data subject has the right to withdraw their consent at any time they wish and without any justification. You must stop processing or storing the data once you receive the request. Withdrawing consent should be as easy as it was to give it. An opt-out option should be made available at every step of the way, and you must make sure that the data subject is aware of the same before granting consent.
How to get consent?
Consent request can be made through various active opt-in methods, such as
- signing consent statements on a paper form;
- ticking opt-in boxes, on paper or electronically;
- clicking opt-in buttons or links;
- selecting from yes/no options;
- choosing technical settings or preference dashboard settings;
- responding to emails requesting consent;
- agreeing to oral consent requests;
- volunteering optional information for a specific purpose.
How long does consent last?
GDPR does not have a time limit for storing consent. However, it may depend on the following scenarios:
- The processing or the original purpose for which the consent was obtained evolve, and the consent no longer fulfils the GDPR requirements. In this case, you should obtain fresh consent.
- If the data subject withdraws the consent, you should stop the data processing based on it. It does not affect the lawfulness of the processing before the withdrawal.
- Parental consent should be refreshed more regularly as the children will reach the age at which they can consent themselves.
What is cookie consent in GDPR?
If you are a website owner, you know the value of cookies. They help monitor your website’s function and helps in better user experience. However, the visitors may find some of these cookies unnecessary or annoying, especially those placed by the third-party or used for advertisements. It sure does raise concerns when someone is monitoring and tracking your online activity. With the implementation of GDPR and ePrivacy Directive (the EU Cookie Law), it has become important to get explicit consent, and it should be requested before using the cookies. Some websites used to assume consent from the user’s inactivity or silence to the cookie notifications. It is implied consent and may not be considered valid under the laws except in specific circumstances. Cookie banners should, therefore, clearly state the consent request and abide by all the GDPR requirements. Read more about cookie consent under GDPR and how to create GDPR compliant cookie banners.
What happens when you fail to get a valid consent?
Failure to get a valid consent is a severe violation of principles of GDPR. You could face a hefty fine of up to €20 million or 4% of your total worldwide annual turnover, whichever is higher. Invalid consent will tarnish your reputation.
Read more on GDPR fines here.
Here are some of the checklists related to consent by the Information Commissioner’s Office (ICO) in the EU.
Please note that consent is not the only requirement laid out by the GDPR. It takes more to be compliant with the law. You must assess the nature of your processing method and see under which lawful basis it comes.
Disclaimer: This article should NOT be treated as legal advice. The purpose of this article is to provide general information only. For any legal advice, please contact a lawyer.