Need some clarity around #GDPR consent?
DP Directive definition:
“any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
GDPR definition:
“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
Can we carry on using existing DPA consents?
You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But it’s important to check your processes and records in detail to be sure existing consents meet the GDPR standard.
Recital 171 of the GDPR (https://gdpr-info.eu/recitals/no-171/) makes clear you can continue to rely on any existing consent that was given in line with the GDPR requirements, and there’s no need to seek fresh consent. However, you will need to be confident that your consent requests already met the GDPR standard and that consents are properly documented. You will also need to put in place compliant mechanisms for individuals to withdraw their consent easily.
On the other hand, if existing DPA consents don’t meet the GDPR’s high standards or are poorly documented, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.
This consent checklist sets out the steps you should take to seek valid consent under the GDPR. This checklist can also help you review existing consents and decide whether they meet the GDPR standard, and to seek fresh consent if necessary.
Checklist
Asking for consent
☐ We have checked that consent is the most appropriate lawful basis for processing.
☐ We have made the request for consent prominent and separate from our terms and conditions.
☐ We ask people to positively opt in.
☐ We don’t use pre-ticked boxes, or any other type of consent by default.
☐ We use clear, plain language that is easy to understand.
☐ We specify why we want the data and what we’re going to do with it.
☐ We give granular options to consent to independent processing operations.
☐ We have named our organisation and any third parties.
☐ We tell individuals they can withdraw their consent.
☐ We ensure that the individual can refuse to consent without detriment.
☐ We don’t make consent a precondition of a service.
☐ If we offer online services directly to children, we only seek consent if we have age-verification and parental-consent measures in place.
Recording consent
☐ We keep a record of when and how we got consent from the individual.
☐ We keep a record of exactly what they were told at the time.
Managing consent
☐ We regularly review consents to check that the relationship, the processing and the purposes have not changed.
☐ We have processes in place to refresh consent at appropriate intervals, including any parental consents.
☐ We consider using privacy dashboards or other preference-management tools as a matter of good practice.
☐ We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
☐ We act on withdrawals of consent as soon as we can.
☐ We don’t penalise individuals who wish to withdraw consent.
Do you always need consent?
In short, no. Consent is one lawful basis for processing, but there are five others. Consent won’t always be the easiest or most appropriate.
You should always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing. If consent is difficult, this is often because another lawful basis is more appropriate, so you should consider the alternatives.
Similarly, explicit consent is one way to legitimise processing special category personal data, but not the only way. Article 9(2) (https://gdpr-info.eu/art-9-gdpr/) lists nine other conditions and there is some scope for UK legislation to add more. The alternative conditions for processing special category data are generally more restrictive and tailored to specific situations, but it’s worth checking first whether any of them apply.
Other lawful bases for processing (alternatives to consent)
A contract with the individual: for example, to supply goods or services they have requested, or to fulfil your obligations under an employment contract. This also includes steps taken at their request before entering into a contract.
Compliance with a legal obligation: if you are required by UK or EU law to process the data for a particular purpose, you can.
Vital interests: you can process personal data if it’s necessary to protect someone’s life. This could be the life of the data subject or someone else.
A public task: if you need to process personal data to carry out your official functions or a task in the public interest – and you have a legal basis for the processing under UK law – you can. If you are a UK public authority, our view is that this is likely to give you a lawful basis for many if not all of your activities.
Legitimate interests: if you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests.
What is valid consent?
In brief…
• Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.
• Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.
• Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
• Consent should be obvious and require a positive action to opt in.
• Explicit consent must be expressly confirmed in words, rather than by any other positive action.
• There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
You must clearly explain to people what they are consenting to in a way they can easily understand. The request for consent needs to be prominent, concise, separate from other terms and conditions, and in plain language.
If the request for consent is vague, sweeping or difficult to understand, then it will be invalid. In particular, language likely to confuse – for example, the use of double negatives or inconsistent language – will invalidate consent.
Recital 32 (https://gdpr-info.eu/recitals/no-32/) also makes clear that electronic consent requests must not be unnecessarily disruptive to users. You will need to give some thought to how best to tailor your consent requests and methods to ensure clear and comprehensive information without confusing people or disrupting the user experience – for example, by developing user-friendly layered information and just-in-time consents.
You will need to keep your consents under review and refresh them if your purposes or activities evolve beyond what you originally specified. Consent will not be specific enough if details change – there is no such thing as ‘evolving’ consent.
What are the rules on capacity to consent?
The GDPR does not contain specific provisions on capacity to consent, but issues of capacity are bound up in the concept of ‘informed’ consent.
Generally, you can assume that adults have the capacity to consent unless you have reason to believe the contrary. However, you should ensure that the information you provide enables your intended audience to be fully informed.
It may be that you do have reason to believe that someone lacks the capacity to understand the consequences of consenting and so cannot give informed consent. If so, a third party with the legal right to make decisions on their behalf (eg under a Power of Attorney) can give consent.
When is consent invalid?
In summary, you will not have valid consent if:
• you have any doubts over whether someone has consented
• the individual doesn’t realise they have consented
• you don’t have clear records to demonstrate they consented
• there was no genuine free choice over whether to opt in
• the individual would be penalised for refusing consent
• there is a clear imbalance of power between you and the individual
• consent was a precondition of a service, but the processing is not necessary for that service
• the consent was bundled up with other terms and conditions
• the consent request was vague or unclear
• you use pre-ticked opt-in boxes or other methods of default consent
• your organisation was not specifically named
• you did not tell people about their right to withdraw consent
• people cannot easily withdraw consent, or
• your purposes or activities have evolved.
How should you obtain, record and manage consent?
In brief…
• Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand.
• Include the name of your organisation and any third parties, why you want the data, what you will do with it, and the right to withdraw consent at any time.
• You must ask people to actively opt in. Don’t use pre-ticked boxes, opt-out boxes or default settings.
• Wherever possible, give granular options to consent separately to different purposes and different types of processing.
• Keep records to evidence consent – who consented, when, how, and what they were told.
• Make it easy for people to withdraw consent at any time they choose. Consider using preference-management tools.
• Keep consents under review and refresh them if anything changes. Build regular consent reviews into your business processes.
What information should you include?
Consent must be specific and informed. You must as a minimum include:
• the name of your organisation and the names of any third parties who will rely on the consent – consent for categories of third-party organisations will not be specific enough;
• why you want the data (the purposes of the processing);
• what you will do with the data (the processing activities); and
• that people can withdraw their consent at any time. It is good practice to tell them how to withdraw consent.
There is a tension between ensuring that consent is specific enough and making it concise and easy to understand. In practice this means you may not be able to get blanket consent for a large number of parties, purposes or processes. This is because you won’t be able to provide prominent, concise and readable information that is also specific and granular enough.
If you do need to include a lot of information, take care to ensure it’s still prominent and easy to read.
You may need to consider whether you have another lawful basis for any of the processing, so that you can focus your consent request. If you use another basis, you will still need to provide a clear and comprehensive privacy notice but there is more scope for a layered approach.
You could also consider using ‘just-in-time’ notices. These work by appearing on-screen at the point the person inputs the relevant data, with a brief message about what the data will be used for. This will help you provide more information in a prominent, clear and specific way to ensure that consent is informed. However, you will need to combine the notices with an active opt-in and ensure this is not unduly disruptive to the user. There’s more on methods of consent below.
If you would like support, advice or help with your GDPR preparations and delivery then please do get in touch. I trust the above helps.
ERP Delivery Leader
7 years

Shahnavaz Mehta
On hiatus
7 years
"Legitimate interests" - including commercial gain - seems out of place in regulations focused on protecting individual rights.