On 12 December 2017, the Article 29 Working Party (WP29) published draft Guidelines on Consent under the General Data Protection Regulation (GDPR). The guidelines expand on the WP29’s ‘Opinion on the definition of consent’ (July 2011), addressing the concept of consent in the context of the enhanced regulatory regime under the GDPR.
The Guidelines apply a strict interpretation of the principles that underpin valid consent in the GDPR. In the UK, they may be read alongside the separate draft GDPR consent guidance issued by the UK Information Commissioner’s Office (ICO) in March 2017.
Elements of Valid Consent
The Guidelines begin with an overview of the elements of valid consent under Article 4(11), reiterating that consent must be (i) freely given, (ii) specific, (iii) informed, and (iv) unambiguously indicated.
In order to freely give their consent, data subjects must have a real choice. The WP29 notes that there are situations where, a data subject will not have real choice because of an imbalance of power in their relationship with the controller (e.g., between an employer and employee, or citizen and public authority). This is reasonably well understood and means employers should, by default, avoid reliance on consent as a lawful basis for processing.
The Guidelines go further and consider in some detail the challenges of collecting consent where the controller is seeking to “bundle” consent with a condition of performance of a contract with the data subject. The presumption is that consent cannot be said to be freely given if interlinked with services where either a withholding, or withdrawal of consent would lead to a detrimental effect on the data subject (e.g., being denied a particular service requested by the customer because consent is refused or withdrawn). Whilst the WP29 appears to leave open the possibility that there may be circumstances where there is an absolute necessity to process personal data to perform a contract, there is clearly a strong presumption that linking consent to issues related to matters relating to provision of a service be open to challenge and that other legal basis should be relied on.
The WP29 emphasises the importance of ensuring consent is specific and that this will not be the case if the way in which consent is sought is not sufficiently granular: “If the controller has conflated several purposes for processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom….When data processing is done in pursuit of several purposes, the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose.” The WP29 gives the example of a retailer using the same consent language to ask its customers for consent to use their data to send marketing emails and to share their details with other companies within their group. Where consent is sought to process data for two or more purposes it is important to separate these out and ask for different consent for each. Interestingly the WP29’s emphasis on granularity is stronger than the ICO’s, whose earlier guidance says that entities should “give granular options to consent separately to different types of processing wherever appropriate” and that they “need to give granular options to consent separately to separate purposes, unless this would be unduly disruptive or confusing.”. It will be important for controllers to bear these principles in mind when developing “tick boxes” and other consent mechanisms.
The WP29 restates the principle that consent will only be valid if fully informed. This means that relevant information must be provided in clear and plain language and be distinguishable from other matters (e.g., not hidden in general terms), with an expectation that the controller will spend time aligning messaging to appropriate stages in the customer journey. The information provided should include details of about: (i) the controller’s identity (including the identity of any third party controllers who intend to rely on the original consent), (ii) the purposes of each of the processing operations for which consent is sought, (iii) the types of data collected and used, (iv) the existence of the right to withdraw consent, (v) the use of data for decisions based solely on automated processing, and (vi) where consent relates to transfers, the possible risks of data transfers to third countries in the absence of an adequacy decision and appropriate safeguards.
Organisations relying on consent should carefully review current consent language to ensure the way in which consent language is presented and consent obtained meets these enhanced information standards, particularly addressing the individual’s right to withdraw consent.
Article 4(11) requires consent to be provided by means of an unambiguous statement or clear affirmative action from the data subject. The GDPR Recitals and ICO guidance both mention that unambiguous consent may be secured by, e.g., ticking a box. The WP29 provides further clarity on the range of possible mechanisms by which data subjects can take a clear affirmative action to include “[s]wiping on a screen, waiving in front of a smart camera, turning a smartphone around clockwise, or in a figure eight motion”. All may be valid as long as data subjects are clearly informed that the action signifies agreement to a specific request. Pre-ticked boxes are not valid.
The WP29 also discusses that, in an online context, consent could be obtained through a data subject’s Internet browser settings, which could mitigate the issue of “click fatigue”. Regardless of the consent mechanism, the controller must be able to demonstrate that consent was obtained, and data subjects must be able to withdraw consent as easily as it was given.
The Guidelines note the obligation in Article 7(1) that controllers be able to demonstrate that they have secured a data subject’s consent. The WP29 allows controllers to develop their own mechanisms for addressing this requirement, but suggests this could be achieved by “keep[ing] a record of consent statements received…when consent was obtained and the information provided to the data subject.” In an online context, such records could include “information on the session in which consent was expressed, together with documentation of the consent workflow at the time of the session, and a copy of the information that was presented to the data subject at that time.”
Refreshing and updating consent
The WP29 recommends that “consent be refreshed at appropriate intervals.” There is no further elaboration when a renewal of consent is required, but controller’s should not assume that once a consent has been obtained it can be relied on indefinitely, unless withdrawn.
Withdrawal of Consent
Article 7(3) requires controllers to ensure that consent can be withdrawn as easily it was given. The WP29 makes clear that any failure to comply with this requirement may invalidate the original consent. In explaining what “as easily” means, the WP29 notes that data subjects should not have to switch interfaces in order to withdraw consent (e.g., if a data subject consents through a website, s/he should not have to email the controller in order to withdraw consent). Further, if consent is withdrawn, controllers must cease processing the personal data for the purpose for which consent was obtained, and, if no other basis justifies processing (e.g., data retention), then the controller must delete or anonymise the personal data.
To address the issues raised by the Guidelines we recommend controllers adopt the following practical steps:
- confirm the lawful basis for each activity of processing personal data and consider using consent only as a lawful basis of ‘last resort’ – given the heightened consent requirements, consent may not be the most feasible legal basis for processing so consider whether other lawful basis can be relied on – noting also that once a lawful basis has been determined, controllers cannot ‘swap’ to another legal basis
- review the way in which consent is obtained – if consent is needed for multiple purposes, these will need explaining and addressing separately
- review the explanation provided in the consent language – the consent should be fully informed, so ensure all information is provided to data subjects to validate the consent and in a manner they can digest and understand
- implement mechanisms for properly capturing, recording and managing the withdrawal of consent – this is likely to require changes to both the customer relationship and underlying technical solutions used to manage customer preferences.