The General Data Protection Regulation (GDPR) stipulates that the consent of the data subject, i.e. the person whose data is processed, must be a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Generally, consent can only be an appropriate lawful basis if a person is offered control over their data and a genuine choice between accepting and declining the terms offered, and can decline them without detriment. The controller has the duty to ensure that both the process of obtaining consent and the data processing based on that consent are in accordance with the GDPR.
Consent in IT solutions
Consent must be freely given. According to the European Data Protection Board, if consent is bundled up as a non-negotiable part of terms and conditions, it is presumed not to have been freely given. The element “free” implies real choice and control for data subjects. Accordingly, consent will not be considered free if the data subject is unable to refuse or withdraw his or her consent without detriment.
For instance, a mobile app for photo editing cannot require its users to activate GPS localization for behavioral advertising purposes. Neither geolocalisation nor online behavioral advertising is necessary for the provision of the photo editing service; both go beyond the delivery of the core service provided. If users cannot use the app without consenting to these purposes, the consent cannot be considered freely given.
Nor can consent be considered freely given when access to services and functionalities is made conditional on the user consenting to the processing of data, for example when there is no way to access a website without clicking the “Accept cookies” button (a so-called cookie wall).
Consent must be an informed, deliberate action by the user to consent to the particular processing. For example, a person may be asked for written or recorded explicit consent, although this may not always be realistic, especially in the case of technological solutions.
It has been pointed out that ticking a box is a sufficiently distinctive and active motion to constitute valid consent. Physical motions, such as swiping a bar on a screen, waving in front of a smart camera, or turning a smartphone around clockwise or in a figure-eight motion, may be options to indicate agreement, as long as the user understands clearly that the motion in question signifies agreement to a specific request.
On the other hand, it is important to emphasize that consent cannot be obtained through the same motion as agreeing to a contract or accepting general terms and conditions of service. The two must be clearly distinguishable from each other. Similarly, scrolling to the bottom of the Privacy Policy or any other similar activity cannot be considered as explicit consent.
How should a user be informed?
To give informed consent, the user must be provided with information on who has access to their data, each data processing operation and its purpose, which information is collected and used, the ways to withdraw consent, and whether or not automated processing, including profiling, is used.
The consent form should be as specific and easily understandable as possible. Controllers cannot use long documents that are difficult to understand or statements full of legal jargon. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form.
Obtaining valid consent is always preceded by the determination of a specific, explicit, and legitimate purpose for the intended processing activity. The controller must avoid a situation where the purpose is vaguely worded in such a way that the purpose for which the data subject has consented initially becomes gradually wider or blurrier (also known as function creep).
When giving consent, the user must understand how, and for which purpose their data is used. For example, if a person consents to a media service provider recommending new programs based on their viewing habits, the service provider is not allowed to use the same data for other marketing purposes.
Processing special categories of data
Additional conditions are imposed on more sensitive personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The controller must have the explicit consent of the user in order to process this data, in particular, written and preferably signed consent in order to remove all possible doubt and potential lack of evidence in the future.
Nevertheless, here too it is possible to obtain consent by ticking a box, provided that the box expresses the user’s explicit consent and not merely an acknowledgement that personal data is being processed. Other means to obtain explicit consent, which are particularly relevant for technological solutions, include digital signing, Smart-ID, document scanning, etc.
In any case, it is the responsibility of the data controller to ensure that the data is used only to the extent that consent has been given, and even in this case it must be established that the other requirements of the GDPR are complied with. It is up to the controller to prove throughout the use and processing of the data that valid consent was obtained from the data subject.
Withdrawal of consent
The data controller must also ensure that the data subject can withdraw consent as easily as it was given, and at any time. This does not mean that giving and withdrawing consent must always be done through the same action, but withdrawing cannot be more difficult.
For example, if a user has given their consent to a service provider for direct marketing purposes by ticking a box on the website, they cannot be required to call the service provider’s office during business hours to withdraw their consent.
This would be unreasonably burdensome compared to how consent was initially given. It is questionable whether in the same situation requiring a person to send a separate e-mail to the service provider’s representative could be considered unreasonably burdensome – a practice quite common today. It is also the responsibility of the data controller to ensure that the data subject is aware of his or her right of withdrawal and the procedure.
The user must be free to decide
Thus, when obtaining consent, it is important to establish that the conditions and purposes for the processing of the data, as well as the procedure for withdrawal of the consent, are clearly stated and understood. When giving consent, the person must be in a position of control and free to decide on the use of his or her data without detriment.
It is the responsibility of the data controller to establish that obtaining consent is not only a formality but that the consent is in line with the requirements of the GDPR, as well as being verifiable and distinguishable from other user activities. The data processing must also correspond to what the person has consented to.
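As an added illustration of three of the requirements above (per-purpose consent that is not silently reused for another purpose, a verifiable record of what was consented to, and withdrawal that is no harder than giving consent), here is a small consent ledger. This is example code written for this page, not part of the article or of any product; the purpose names, the subject id and the effort ranking of consent channels are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed effort ranking for consent channels (an assumption, not from the article):
# withdrawing consent may not require a heavier channel than the one used to give it.
EFFORT = {"checkbox": 1, "email": 2, "phone_call": 3}
@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # one specific purpose per event, never a bundle
    granted: bool         # True = consent given, False = consent withdrawn
    notice_version: str   # which consent text the subject actually saw
    channel: str          # how the action was taken (a key of EFFORT)
    at: datetime
class ConsentLedger:
    """Append-only record so the controller can later prove what was consented to."""
    def __init__(self):
        self._events = []

    def evidence(self, subject_id, purpose):
        return [e for e in self._events if (e.subject_id, e.purpose) == (subject_id, purpose)]

    def grant(self, subject_id, purpose, notice_version, channel, at=None):
        if channel not in EFFORT:
            raise ValueError(f"unknown consent channel {channel!r}")
        self._events.append(ConsentEvent(subject_id, purpose, True, notice_version,
                                         channel, at or datetime.now(timezone.utc)))

    def withdraw(self, subject_id, purpose, channel, at=None):
        history = self.evidence(subject_id, purpose)
        if not history or not history[-1].granted:
            return False  # nothing to withdraw
        if EFFORT[channel] > EFFORT[history[-1].channel]:
            raise ValueError("withdrawal must not be harder than giving consent")
        self._events.append(ConsentEvent(subject_id, purpose, False, history[-1].notice_version,
                                         channel, at or datetime.now(timezone.utc)))
        return True

    def is_permitted(self, subject_id, purpose):
        history = self.evidence(subject_id, purpose)
        return bool(history) and history[-1].granted   # the latest event decides

def demo():
    ledger = ConsentLedger()
    ledger.grant("user-42", "recommendations", "notice-v3", "checkbox")  # constructed sample
    before = (ledger.is_permitted("user-42", "recommendations"),
              ledger.is_permitted("user-42", "marketing"))  # (True, False): no silent reuse
    ledger.withdraw("user-42", "recommendations", "checkbox")
    return before, ledger.is_permitted("user-42", "recommendations"), len(ledger.evidence("user-42", "recommendations"))
```

Every grant and withdrawal stays in the ledger, so the history for a subject and purpose is the controller's evidence that valid consent existed at the time the data was processed.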