Consent to personal data processing under the GDPR: what it is, why you need it and how to obtain it
Informing users and obtaining their consent is nothing new in data protection regulation. We have all ticked a box to agree to a privacy policy or a newsletter subscription. The General Data Protection Regulation (GDPR), however, introduced specific requirements that consent must meet to be a valid basis for processing personal data.
Consent is just one of the legal bases outlined in the GDPR. If you wish to rely on consent, you need to review your data processing activities and assess which of them will actually be based on consent, and whether consent is the appropriate ground for each of them rather than another legal basis.
For instance, if you are going to process personal data for the performance of a contract, you are not required to obtain the data subject’s consent. Similarly, if you anticipate that personal data will be processed even though the data subject refused or withdrew her consent, it will be appropriate to find another basis for such processing, as the consent will no longer be valid.
What are the requirements for valid consent?
If you decide to rely on consent for any of your data processing, you need to ensure that such consent is:
- Freely given. A data subject must have a genuine choice as to whether to give consent. If the individual has no real choice, consent is not freely given and will likely be invalid. Therefore, there must not be a context of power imbalance (e.g. employment context), nor should consent be a precondition for accessing your service. Finally, remember that you need to be specific about the situation/purpose in question.
- Adequate information. You need to provide adequate information about the envisaged data processing so that the data subject can make an informed choice.
- Unambiguous indication of wishes. Data subjects must make a statement or an explicit affirmative action, which means that the use of pre-ticked opt-in boxes is not allowed.
- Privacy by design. Lastly, you should not influence a data subject’s choice through the design of your consent tool. For instance, you should not use colours or forms that may nudge data subjects towards the “agree” button.
How do I keep records of consent?
Once valid consent is obtained, you need to keep adequate records to demonstrate when and how you received that consent and what information was provided to the data subject. You should refresh consent at appropriate intervals, although there are no fixed time limits on how long consent lasts.
How does withdrawal of consent work?
Data subjects have the right to withdraw their consent at any time. So first, you need to inform them about this right. Second, you need to establish a process that makes withdrawing consent as easy as giving it. You can use a consent management tool, an unsubscribe link or your own interface to facilitate that process. Once consent is withdrawn, you need to ensure that the data is deleted unless you have another ground for lawful processing.
Is there any type of mandatory consent?
- Cookies. When dealing with cookies, you should remember that only cookies necessary for functionality are permitted by default. If you use other types of cookies, you need to receive affirmative consent from your users.
- Marketing. If you want to use email marketing, you must ensure that data subjects agree to such communications. It is highly recommended to use double opt-in for this practice, which means that data subjects are required to express their consent twice. You may implement this, for example, by sending a confirmation email to the email address provided by the user.
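As an added illustration (not code from the original article) of the record-keeping, withdrawal and double opt-in points above, a minimal consent ledger in Python: one record per subject and purpose stores which notice version was shown and how consent was indicated, confirmation requires a single-use token that would be emailed to the subject, withdrawal is a single call, and processing is allowed only while consent is confirmed. Subject addresses, purposes and notice versions are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
import secrets

@dataclass
class ConsentRecord:
    subject: str
    purpose: str          # one record per purpose, e.g. "newsletter" (constructed)
    notice_version: str   # which version of the information text was shown
    mechanism: str        # how consent was indicated, e.g. "unticked checkbox"
    status: str = "pending"                      # pending -> confirmed -> withdrawn
    history: list = field(default_factory=list)  # (UTC timestamp, status) entries

    def mark(self, status):
        self.status = status
        self.history.append((datetime.now(timezone.utc).isoformat(), status))

class ConsentLedger:
    def __init__(self):
        self._records = {}  # (subject, purpose) -> ConsentRecord
        self._tokens = {}   # single-use double opt-in token -> (subject, purpose)

    def request(self, subject, purpose, notice_version, mechanism, preticked):
        # A pre-ticked box is not an affirmative action, so it is refused outright.
        if preticked:
            raise ValueError("pre-ticked boxes do not give valid consent")
        rec = ConsentRecord(subject, purpose, notice_version, mechanism)
        rec.mark("pending")
        self._records[(subject, purpose)] = rec
        token = secrets.token_urlsafe(32)  # would go into the confirmation email
        self._tokens[token] = (subject, purpose)
        return token

    def confirm(self, token):
        # Second opt-in step; pop() makes the token single-use and raises KeyError otherwise.
        rec = self._records[self._tokens.pop(token)]
        rec.mark("confirmed")
        return rec

    def withdraw(self, subject, purpose):
        # Withdrawing must be as easy as consenting: one call, no token, no extra steps.
        rec = self._records[(subject, purpose)]
        rec.mark("withdrawn")
        return rec

    def may_process(self, subject, purpose):
        # Only a confirmed and not withdrawn consent supports processing on this basis.
        rec = self._records.get((subject, purpose))
        return rec is not None and rec.status == "confirmed"
```

The history list is the audit trail the regulator may ask for: it shows when consent was requested, confirmed and withdrawn, alongside the notice version and mechanism in the record.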
GDPR Consent Compliance Checklist
If you rely on consent as a legal basis for personal data processing, make sure that you:
- Check that there is no other suitable ground for processing;
- Do not use pre-checked consent boxes;
- Do not force users to consent;
- Do not couple consent with other terms and conditions;
- Do not make your services conditional on consent;
- Request separate consent for different types of processing;
- Inform your users about your processing practices;
- Make it easy to withdraw consent;
- Obtain mandatory consent;
- Keep records properly.
Conclusion
As data protection is a major subject of concern and non-compliance may cost your business a significant amount, it is vital that you assess your data processing practices.
If you are unsure about your legal basis for data processing or whether your consent-related practices comply with the GDPR, feel free to book a free 20-minute consultation with our data protection lawyer.