The European Data Protection Board (EDPB) published guidelines on consent under regulation, including a complete analysis of the notion of GDPR consent.
The EDPB published its guidelines on consent under the regulation on May 4th 2020, including a complete analysis of GDPR consent. In the 31-page document released earlier this week, the EDPB outlines the requirements for obtaining and demonstrating valid consent. Consent is one of the six lawful bases for processing personal data set out in Article 6 of the GDPR. Data controllers must determine the appropriate lawful ground for the intended processing of personal data before initiating any activity that would involve processing such data.
Elements of valid GDPR consent
Article 4(11) of the GDPR specifies that consent of the data subject means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
The use of the term free implies that the data subject has a real choice in the matter. As a general rule, the GDPR states that if the data subject has no real choice, feels compelled to consent or feels they will endure negative consequences in the absence of their consent, then consent will not be valid. Any element of inappropriate pressure or influence upon the data subject which prevents a data subject from exercising their free will, shall render the consent invalid.
In order for consent to be valid, it must also be specific, meaning that consent must be given in relation to “one or more specific” purposes and that the data subject has a choice in respect of each of them. The requirement that consent must be ‘specific’ aims to guarantee a degree of user control and transparency for the data subject. According to Article 6(1)(a) of the GDPR, data subjects must always give consent for a specific, explicit and legitimate processing purpose.
The GDPR also maintains the requirement that consent must be informed. According to Article 5 of the GDPR, transparency is one of the fundamental principles, closely related to the principles of fairness and lawfulness. It is imperative that data subjects are provided with sufficient information prior to obtaining their consent. In the absence of sufficient information, the consent will be invalid and the controller may be in breach of Article 6 of the GDPR.
The EDPB believes that at least the following information is required for obtaining valid consent:
- the controller’s identity,
- the purpose of each of the processing operations for which consent is sought,
- what (type of) data will be collected and used,
- the existence of the right to withdraw consent,
- information about the use of the data for automated decision-making in accordance with Article 22(2)(c) where relevant, and
- the possible risks of data transfers due to the absence of an adequacy decision and of appropriate safeguards as described in Article 46.
In addition to the aforementioned criteria, consent must always be given through an active motion or declaration. It should be clear that the data subject is consenting to the particular processing. Article 4(11) GDPR clarifies that valid consent requires an unambiguous indication by means of a statement or by a clear affirmative action. Clear affirmative action implies that the data subject must have taken a deliberate action to consent to the particular processing.
Obtaining explicit GDPR consent
In situations where a serious data protection risk presents itself, it is imperative that explicit consent is obtained in order to process personal data. According to Article 9 of the GDPR, explicit consent is needed for the processing of special categories of data. The term explicit refers to the manner in which consent is expressed by the data subject: the data subject has to give an express statement of consent in order for the consent to be deemed valid. This can take the form of a signed statement, an electronic form, an email, a scanned document carrying the signature of the data subject, or an electronic signature. In theory, oral statements can also sufficiently express valid explicit consent; however, it may be difficult for the controller to prove that all conditions for valid explicit consent were met when the statement was recorded.
Additional conditions for obtaining valid GDPR consent
According to Article 7 of the GDPR, it is the sole responsibility of the controller to demonstrate a data subject’s consent. Recital 42 states: “Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.” Controllers may keep records of the consent statements received, or may freely choose the method through which they comply with this provision. The obligation to demonstrate consent lasts for as long as the data processing activity is being carried out. While the GDPR sets no specific time limit on how long consent will last, the EDPB recommends, as a best practice, that consent be refreshed at appropriate intervals.
As regards withdrawal of consent, the GDPR prescribes that the controller must ensure that consent can be withdrawn by the data subject as easily as it was given, and at any time. The GDPR does not require that consent be given and withdrawn in the same manner; however, when consent is given electronically, via a simple mouse click, swipe or keystroke, the data subject should be able to withdraw that consent just as easily. This requirement of easy withdrawal is described as a necessary aspect of valid consent in the GDPR. Controllers also have an obligation to delete data that was processed on the basis of consent once that consent is withdrawn, provided that there is no other purpose justifying its continued retention.
The guidelines provide examples of when consent is valid and when it is not. We have collected those we consider most relevant below:
Own- and third-party marketing unlawfully bundled:
“Within the same consent request a retailer asks its customers for consent to use their data to send them marketing by email and also to share their details with other companies within their group. This consent is not granular as there are no separate consents for these two separate purposes, therefore the consent will not be valid. In this case, a specific consent should be collected to send the contact details to commercial partners. Such specific consent will be deemed valid for each partner …, whose identity has been provided to the data subject at the time of the collection of his or her consent, insofar as it is sent to them for the same purpose (in this example: a marketing purpose).”
Service provision and marketing unlawfully bundled:
“A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice, its consent is not freely given. This does not constitute valid consent, as the provision of the service relies on the data subject clicking the “Accept cookies” button. It is not presented with a genuine choice.”
“Based on recital 32, actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action: such actions may be difficult to distinguish from other activity or interaction by a user and therefore determining that an unambiguous consent has been obtained will also not be possible. Furthermore, in such a case, it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it”.
Access to mobile phone features unlawfully bundled with the product:
“When downloading a lifestyle mobile app, the app asks for consent to access the phone’s accelerometer. This is not necessary for the app to work, but it is useful for the controller who wishes to learn more about the movements and activity levels of its users. When the user later revokes that consent, she finds out that the app now only works to a limited extent. This is an example of detriment as meant in Recital 42, which means that consent was never validly obtained (and thus, the controller needs to delete all personal data about users’ movements collected this way).”
However, if only the benefits linked to the consent are lost when consent is refused, this is acceptable:
“A data subject subscribes to a fashion retailer’s newsletter with general discounts. The retailer asks the data subject for consent to collect more data on shopping preferences to tailor the offers to his or her preferences based on shopping history or a questionnaire that is voluntary to fill out. When the data subject later revokes consent, he or she will receive non-personalised fashion discounts again. This does not amount to detriment as only the permissible incentive was lost.”
Furthermore, there is no detriment if an alternative channel to access the product is provided:
“A fashion magazine offers readers access to buy new make-up products before the official launch. The products will shortly be made available for sale, but readers of this magazine are offered an exclusive preview of these products. In order to enjoy this benefit, people must give their postal address and agree to subscription on the mailing list of the magazine. The postal address is necessary for shipping and the mailing list is used for sending commercial offers for products such as cosmetics or t-shirts year round. The company explains that the data on the mailing list will only be used for sending merchandise and paper advertising by the magazine itself and is not to be shared with any other organisation. In case the reader does not want to disclose their address for this reason, there is no detriment, as the products will be available to them anyway.”
A suitable policy should be put in place with regard to children’s consent:
“An online gaming platform wants to make sure underage customers only subscribe to its services with the consent of their parents or guardians. The controller follows these steps:
Step 1: ask the user to state whether they are under or over the age of 16 (or alternative age of digital consent). If the user states that they are under the age of digital consent;
Step 2: service informs the child that a parent or guardian needs to consent or authorise the processing before the service is provided to the child. The user is requested to disclose the email address of a parent or guardian;
Step 3: service contacts the parent or guardian and obtains their consent via email for processing and takes reasonable steps to confirm that the adult has parental responsibility;
Step 4: in case of complaints, the platform takes additional steps to verify the age of the subscriber.
If the platform has met the other consent requirements, the platform can comply with the additional criteria of Article 8 GDPR by following these steps”.