The GDPR has added some additional requirements to the ‘consent’ processing condition both in terms of the wording of the consent and the way in which it is obtained. Under the DPA a data subject needed to give their consent to the processing but under the GDPR that consent needs to be given for one or more specific purposes. The consent must also be freely given, informed and unambiguous. The ICO’s guidance states that “there must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity”. More detail is given below in relation to each of these consent elements. Note however that consent is not the only basis for using personal data. See the “Lawful basis for data capture/processing” for more information.
Data subjects should be given a free choice as to whether or not to consent to their personal data being processed and should not suffer any detriment as a result of refusing or withdrawing their consent. Under the GDPR is it not possible for consent to be relied upon if the performance of a contract or the provision of a service is conditional upon the data subject giving consent for the processing of their personal data which is not necessary for the performance of the relevant contract / service. For example, if you offer customers the ability to sign up for a free newsletter or wi-fi service, you cannot make the receipt of that newsletter or wi-fi conditional upon the data subject consenting to receive other marketing.
Specific / informed / granular
The GDPR makes it clear that consent will not be deemed to be specific or informed if the data subject is not made aware of the identity of the data controller and the purposes for which their personal data is going to be processed. It is not sufficient to provide a long ‘catch-all’ list of potential purposes for which the data might be used. Instead, the consent should be granular and only cover the actual purposes for which the data will be used and the data subject should have the ability to consent to only some of those purposes rather than being forced to agree to all or none of the purposes. Whilst this sounds straight forward, it could be difficult for businesses which use personal data for multiple different purposes to give individuals the ability to consent to each purpose separately whilst ensuring that the wording of the consent is clear, unambiguous and easy to understand.
Clear / unambiguous
The GDPR makes it clear that a data subject’s indication of consent must be unambiguous and involve a clear affirmative action. The ICO’s draft guidance on consent states “It must be obvious that the individual has consented, and what they have consented to. This requires more than just a confirmation that they have read terms and conditions – there must be a clear signal that they agree. If there is any room for doubt, it is not valid consent”.
Note that in addition to being clear and unambiguous, special data also requires consent to be ‘explicit’ which means it must be expressly confirmed in words (whether written or oral).
The GDPR states that the consent wording must be clearly distinguishable from other terms and conditions and must be presented in an easily accessible format. This means that the consent wording must be set out separately and not bundled in with other contract terms.
It is clear from the GDPR that, in order to be unambiguous, inactivity cannot be deemed to constitute consent. For example, it will not be sufficient for a website to include a note which states that by continuing to use the website an individual well be deemed to have given consent to their personal data being processed. Pre-ticked boxes are also not sufficient. Instead, the data subject must opt-in to give their consent. The ICO’s draft guidance on consent states “Clear affirmative action means someone must take deliberate action to opt in, even if this is not expressed as an opt-in box. For example, other affirmative opt-in methods might include signing a consent statement, oral confirmation, a binary choice presented with equal prominence, or switching technical settings away from the default”.
As with the DPA, the GDPR makes it clear that data subjects have the right to withdraw their consent to their personal data being processed. The data subjects must be made aware of this right before their personal data is collected and it must be “as easy to withdraw as to give consent”.
It is important to have mechanisms in place for dealing with the removal of personal data because if a data subject withdraws consent, you will need to cease processing their data as soon as possible unless you have another lawful basis for processing that data.
How long does consent last?
The GDPR does not give a specific duration for consent as this will depend on the context in which the consent was given, the purposes for which the consent was given and the likely expectations of the data subject. However, in most circumstances consent will degrade over time so it is important to keep consents under review and where appropriate to periodically obtain fresh consents.
Consent given by children
Click here for more information on the issues relating to obtaining consent to use personal data relating to children.
Relying on consent given under the DPA
If you are currently processing personal data which was obtained under the DPA, you will need to review the basis on which that personal data is being processed and, if you are relying on the consent processing condition, you will need to consider whether the consent which you obtained complies with the requirements under the GDPR, i.e. was the consent:
- freely given
- specific / informed
- granular / clear / unambiguous
- easily withdrawn
If the consent does not satisfy these criteria you will need to seek fresh consent from the data subjects or see if you can rely on one of the other processing conditions. If you cannot obtain fresh consent or rely on another processing condition, you will need to delete the personal data.