
GDPR: Consent as Lawful Grounds for Processing Personal Data

Updated: 2021-12-16 19:30:14
From the book: Cybersecurity All-in-One For Dummies
To process personal data, you need to have lawful grounds for processing, as provided for in the General Data Protection Regulation (GDPR). Consent is likely to be the appropriate ground where you want to offer a real choice to people — for example, whether they want to receive your marketing emails.

Many people think that GDPR is all about consent, but that isn’t true; consent is just one of six potential lawful grounds for processing personal data.

Carefully consider consent as lawful grounds for processing:
  • Consent can always be withdrawn, so if you need the data for the stated purposes, it’s always wise to rely on other lawful grounds for processing where possible.

In other words, if you would try to continue processing the data under a different lawful ground after the data subject withdraws their consent, consent isn’t the appropriate ground for that processing in the first place.

  • If the relationship has a power imbalance (such as during employment or during processing by a public authority), proving that consent is freely given (one of the elements of a valid consent) is difficult.
  • Consent provides data subjects with stronger rights in relation to their data than other grounds for processing, such as the right to erasure and the right to data portability.
A valid consent has various elements. Consent must be
  • Freely given
  • Specific
  • Informed
  • An unambiguous indication of wishes

Freely given consent

Freely given means that the data subject is free to choose whether to give consent, without any detriment, and has genuine choice and control over what personal data they provide.

Incentivizing consent is possible. If you offer money-off/discount vouchers for subscribing to an email marketing list, for example, this would still be valid consent. If, however, the data subject suffers a detriment or is unfairly penalized as a result of not providing consent, the consents that were obtained aren’t valid. An example of a detriment is charging higher prices for a service if the data subject refuses to consent to their data being shared with third parties.

If consents are bundled so that a data subject can only consent to all of the processing, this consent isn’t valid because the consent hasn’t been freely given. Perhaps, the data subject wanted to sign up for one type of processing but was forced to sign up for another as well, because the consents were bundled. The consent needs to be granular, as shown in the following figure.

[Figure: An example of granular consent for different types of processing and purposes. © The Guardian]

You need to offer separate consents where either of the following differs:

  • Different types of processing: For example, to be contacted by email, phone, or postal mail
  • Different purposes: For example, sending email marketing and sharing details with third parties
Note that the preferences form in the figure requires opt-in consent for SMS (text) updates but opt-out consent for communications by postal mail or telephone. This is because the e-Privacy Directive (as implemented in the United Kingdom as the Privacy and Electronic Communications Regulations, known as PECR) requires consent for text marketing (amongst other electronic marketing) but not for postal or telephone marketing. Therefore, this organization is relying on consent (which must be the opt-in type to be valid under the GDPR) for text marketing and on the legitimate interests grounds for processing to send postal and telephone marketing; this is compliant with the GDPR.

If you rely on the legitimate interests grounds for processing, you must provide the ability for data subjects to opt out at any time — and that’s what The Guardian web page is doing.

The e-Privacy Directive (as implemented into European Union member states through their national legislation) requires consent for certain electronic direct marketing communications. If the relevant national legislation (such as the PECR in the UK) requires consent, then the GDPR will also require consent for such processing.

If consent to a processing of personal data is a condition of service and the service provider will not provide the service without the consent to the processing being given, then the consent isn’t freely given. However, if the data is required in order to fulfil the service (for example, passing a customer’s name and address to a delivery company), then the appropriate lawful grounds for processing would be contractual necessity, and consent wouldn’t be required.

It’s difficult for employers to show that consent by employees has been freely given, because of the imbalance of power in the working relationship. As such, employers should look at other grounds of lawful processing for key employee data and rely on consent only for processing of such personal data as responses to surveys, competitions, or similar matters. In addition, consent can always be withdrawn, so if you need to retain certain key employee data, relying on consent as lawful grounds for processing is unwise.

Specific consent

The consent must be given for a specific purpose, such as for sending marketing emails. In accordance with the transparency principle, you must clarify what the personal data is being used for, and you must be as specific as possible. If you’re processing personal data for multiple purposes, you must obtain consent for each purpose.

Specificity is often problematic because you may not know what you want to use the data for at a later date after you have collected it. The GDPR provides for processing for compatible purposes. If your lawful grounds for processing is consent, however, then even if the new purpose is compatible, in order to comply with the principles of fairness and lawfulness, you need to obtain fresh consent for the new purpose.

One exception to this rule relates to processing for scientific research purposes. The GDPR states that, where it is not possible to fully identify the purpose of data processing for scientific research purposes, data subjects can legally give their consent to certain areas of scientific research consistent with recognized ethical standards for scientific research.

The specified purpose must be set out in your privacy notice as well as in any processing records you may be obliged to keep under Article 30 of the GDPR.

You should regularly review your processing in consideration of your stated purpose and, if you notice any “purpose creep,” obtain fresh consent if the new purposes are not compatible with the original purposes. Note that the consent needs to be obtained before the commencement of the processing for the new purpose.

Informed consent

You must provide the data subject with all necessary information about the processing at the point that the person provides consent. The place for this information is in your privacy notice. This must be in a form and in a language that’s easy to understand. Language that’s likely to confuse (such as double negatives and inconsistent terminology) will invalidate consents.

Recital 32 of the GDPR makes clear that if a consent is to be given by electronic means, such as ticking a box on an online form, the request for consent must be clear, concise, and not unnecessarily disruptive to the user experience. Suppose that a lengthy and confusing privacy notice pops up and blocks content until the user of the website clicks to make it disappear. Having to click the notice is disruptive to the user experience and falls afoul of this provision.

A better strategy here is to use a layered privacy notice like the one shown in the following figure.

[Figure: How British Airways presents its privacy notice.]

Where possible, you should combine this type of notice with a just-in-time notice — a note on a web page that appears at the point where the data subject inputs personal data, as shown in the following figure. (Note how a just-in-time notice provides a brief message about how the submitted information will be used and a link to the longer privacy policy.) Some level of disruption may be necessary to obtain the consent, but you can minimize it as much as possible.

[Figure: An example of a just-in-time notice from the UK's Direct Marketing Association (DMA).]

For the data subject to be informed, the person must know at least the identity of the data controller and the purposes of the processing. If you’re sharing the data with any third parties who are relying on that consent, the identities of those third parties must also be named.

You don't need to name all third parties to whom you disclose the data, because many are relying on other lawful grounds for processing to process the data (contractual necessity, for example). If you’re sharing data with a third party for the purposes of them marketing to the data subject, consent is the likely grounds for processing. In this case, the third party should be named in the consent from the original data controller, as it should be in any other cases where the third party will be relying on that consent in order to process the data.

You should ensure that the consent is separate from other terms and conditions so that it isn’t buried in lots of legalese.

Unambiguous indication of wishes

In order for consent to be valid, there must be no doubt about the data subject’s wishes. If there is any uncertainty about whether the data subject has consented, the presumption is that they have not consented.

Recital 32 to the GDPR states that a clear, affirmative act may include a written statement, including by electronic means, or an oral statement. This might include having the user tick a box when visiting a website, choosing technical settings for online services, or acting in a way that clearly indicates acceptance of the processing (for example, asking individuals to drop their business cards in a bowl if they want to receive your newsletter).

In this context, a clear, affirmative act means that someone has taken deliberate and specific action to consent to the processing. Hence, pre-ticked boxes and opt-out actions aren’t ways of obtaining valid consent, because the data subject hasn’t had to take affirmative action. Therefore, this isn’t an unambiguous indication of the person’s wishes. They simply may not have seen the check box or the opportunity to opt out.

Similarly, silence doesn’t constitute an effective consent. For example, if you ask someone by phone to say something specific in order to opt out of the processing of their data, the data subject’s silence isn’t a valid consent, because the person may not even be listening. To actively confirm consent over the telephone or in person, the data subject must speak certain words, such as “Yes, I consent.” Keeping records of this oral consent is vital.

An element of implied consent can come with a positive act that makes it clear the data subject is consenting to the processing. For example, if you ask attendees of an event to drop their business cards into a bowl for a chance at winning a prize, that would imply consent for them to be entered into that prize drawing. However, the data can’t be used for marketing to those individuals without their further consent.

Consent obtained by way of duress or coercion doesn’t constitute valid consent.

Obtain fresh consent

The GDPR has introduced a higher standard of consent than what existed under the previous regulations. If your existing consents don’t meet the new GDPR standard (you previously relied on pre-ticked boxes to indicate consent or you don’t have satisfactory records of your consents, for example), you must update those consents to meet the higher standard to be valid.

Be wary of attempting to obtain fresh consent to marketing communications by emailing data subjects on your mailing list. To do so would be processing the data without valid lawful grounds for processing. Also, consent is generally required for email and text marketing communications under the e-Privacy Directive.

You can have on your website a sign-up box to obtain fresh consent for email marketing communications (and use various advertising methods to direct people to it), but, obviously, it takes some time to obtain consents in this way, and some people who consented previously may well be “lost.”

The e-Privacy Directive and consent

Consent is required for communications covered by the e-Privacy Directive, such as email and text marketing to individuals. Currently, the e-Privacy Directive (as implemented in EU member states’ national legislation) applies only to organizations that provide electronic communications services within that member state, but this is soon to be extended to have a similar global reach as the GDPR. Be mindful of these regulations when deciding your lawful grounds for processing. If you need to obtain consent under the e-Privacy Directive, it needs to meet the same standard of consent as the GDPR.

Withdraw consent

If you rely on consent as your lawful grounds for processing, you need to inform data subjects of their right to withdraw consent. The place to do this is in your privacy notice.

You also need to offer data subjects easy and free ways to withdraw consent. You may want to consider using a preference management tool to do so, as shown here. You might also include an online form to withdraw consent at the bottom of each page of your website.

[Figure: A preference management tool from British Airways provides a way for data subjects to unsubscribe or opt out.]

The GDPR states that data subjects must be able to withdraw consent at any time. Arguably, merely having an unsubscribe option at the bottom of emails would not suffice, as an email is not available to a data subject at all times; they may have received one and deleted it and, therefore, have no link to unsubscribe when they want to do so.

Keep the following points in mind as you consider how to enable data subjects to withdraw consent:
  • Withdrawing consent must be as easy as providing it. If a data subject provided consent by ticking a box on an online form, specifying in your privacy notice that they have to call a telephone number or even write to an email address to withdraw consent isn’t compliant. If, however, consent was obtained over the telephone, it is compliant to provide a telephone number for the data subject to call to withdraw their consent.
  • A data subject must not suffer any detriment by withdrawing their consent. If the data subject suffers a detriment, the consent is invalid.
  • When consent is withdrawn, you must stop processing the data immediately. Where this isn’t possible, it must be stopped as soon as possible.
  • If a data subject withdraws consent, you don’t necessarily need to delete all of their data. For example, if a data subject opts out of email marketing (effectively withdrawing consent to you for processing their data to send email marketing), you can properly keep this data on a suppression list (so that you have a record of the data subject’s opting out).

Similarly, if you need to retain data for legal or auditing purposes, you can do so, but at the point of obtaining the consent you must be upfront with the data subject about your intentions to continue to process the data for certain purposes. The place to do this is, of course, in your privacy notice.

  • A third party can withdraw consent on behalf of a data subject. You must, however, satisfy yourself that the third party has the authority to do so. This may cause difficulties where data subjects use automated software tools for unsubscribing.
  • No set time limit dictates how long consents are valid. However, you need to monitor consents and refresh them where necessary depending on the context, including data subjects’ expectations and how often you email them. For example, if you haven’t emailed people for a long time, you may need to obtain fresh consents. If in doubt, the UK’s supervisory authority, the ICO, recommends refreshing consents every two years. You should also consider contacting data subjects regularly (every six months, for example), to remind them of their right to withdraw consent.

Document consent

You must be able to prove that consent has been provided and you must keep records of consents. If complaints are lodged or investigations begin down the line, you’ll need to produce this evidence. You should keep records of the following consent-related information:
  • Who consented, such as name or another online identifier (username, for example)
  • The date on which the consent was given
  • Details that were provided at the time about the processing and the purposes
  • How someone consented (for example, in writing or by submitting data into an online sign-up form for newsletter subscription)
  • Whether the person has withdrawn consent and, if so, on what date

You can document the details of the processing and the purposes that were provided at the time by referring to the privacy notice that was in force at the time. Keep notes of how privacy notices are amended over time so that you know which version was shown to each data subject. This can be as low tech as keeping a hard-copy file of privacy notices and writing on the top of each the dates from and to which it was effective.
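As an added example (not from the book), the following Python consent ledger records the items listed above, ties each consent to the privacy notice version in force on that date, keeps an opted-out identifier on a suppression list when consent is withdrawn, and refuses to treat pre-ticked or stale consents as a basis for processing. The class and field names, the two-year refresh period (the ICO suggestion cited in this article) and any sample dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass
class PrivacyNotice:
    version: str
    effective_from: date
    effective_to: Optional[date] = None  # None: still in force

@dataclass
class ConsentRecord:
    subject_id: str        # who consented (name or online identifier)
    purpose: str           # one record per purpose, so consent stays granular
    given_on: date
    method: str            # how they consented, e.g. "online sign-up form"
    notice_version: str    # privacy notice version shown at the time
    affirmative_act: bool  # False for pre-ticked boxes or opt-out defaults
    withdrawn_on: Optional[date] = None

class ConsentLedger:
    REFRESH_AFTER = timedelta(days=2 * 365)  # ICO's two-year suggestion (assumed policy)

    def __init__(self, notices: List[PrivacyNotice]):
        self.notices = notices
        self.records: List[ConsentRecord] = []
        self.suppression: Dict[str, List[str]] = {}  # subject -> opted-out purposes

    def notice_in_force(self, on: date) -> Optional[str]:
        for n in self.notices:
            if n.effective_from <= on and (n.effective_to is None or on <= n.effective_to):
                return n.version
        return None

    def record(self, subject_id: str, purpose: str, given_on: date,
               method: str, affirmative_act: bool = True) -> ConsentRecord:
        version = self.notice_in_force(given_on)
        if version is None:
            raise ValueError(f"no privacy notice in force on {given_on}")
        rec = ConsentRecord(subject_id, purpose, given_on, method, version, affirmative_act)
        self.records.append(rec)
        if purpose in self.suppression.get(subject_id, []):  # fresh consent lifts an old opt-out
            self.suppression[subject_id].remove(purpose)
        return rec

    def withdraw(self, subject_id: str, purpose: str, on: date) -> None:
        # Stop processing for that purpose, but keep the identifier on the
        # suppression list so the opt-out itself is evidenced.
        for rec in self.records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.withdrawn_on is None:
                rec.withdrawn_on = on
        self.suppression.setdefault(subject_id, []).append(purpose)

    def may_process(self, subject_id: str, purpose: str, today: date) -> bool:
        # Affirmative, unwithdrawn consent for this exact purpose, not older than the refresh period.
        if purpose in self.suppression.get(subject_id, []):
            return False
        return any(rec.subject_id == subject_id and rec.purpose == purpose
                   and rec.withdrawn_on is None and rec.affirmative_act
                   and today - rec.given_on <= self.REFRESH_AFTER
                   for rec in self.records)
```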

Children’s consent for online services

If a child is signing up to use online services (other than preventive or counseling services), such as online games or education platforms, and the lawful grounds you rely on to process their data is consent, then consent must be obtained from a parent or guardian if the child is under a certain age. This list includes matters that you need to consider when obtaining consent for children’s use of online services:
  • The relevant age of consent for children differs from country to country. In the UK, it’s 13. The map in the following figure shows the relevant age for other countries.
  • You might need to take age verification measures: For example, if you choose to rely on the child’s consent because they state that they’re older than the age required for parental consent, you may need to take additional measures to verify their age — don’t just take their word for it.

  • You might need to confirm a parent’s responsibility: If a parent’s consent is provided, you need to make reasonable efforts to verify the parent’s responsibility for the child.
  • Parental consent doesn’t automatically expire when the child reaches the age of consent: You may need to refresh this consent more regularly.
[Figure: Ages of consent for children in individual EU member states.]

Third-party consent

A third party may be able to provide consent on behalf of another person, but you need to ensure that they’re duly authorized to do so. If a third party is providing consent, the data subject still needs to be fully informed about the processing and the purposes by way of a privacy notice.

In practice, a third party providing consent for the processing of personal data of adults is likely only in circumstances where the third party has power of attorney for the data subject and can act on their behalf.

You can assume that adults have the capacity to consent, unless you have any reason to believe otherwise.

About the book author:

Suzanne Dibble is a business lawyer who has advised huge multi-national corporations, private equity-backed enterprises, and household names. Since 2010 she has focused on small businesses, combining her knowledge of large organizations with a deep appreciation for entrepreneurship, especially online businesses, to provide practical, relevant advice. See more at suzannedibble.com