The GDPR has introduced more stringent rules around consent, meaning organisations will need to reconsider how they go about obtaining consent, or whether they would be better relying on one of the other five lawful grounds open to them.
Under the GDPR, consent must be freely given, specific, informed and unambiguous (Articles 4(11) and 6(1)(a)), otherwise it will be invalid.
“Freely given” – this means that the data subject must have a genuinely free choice about consenting. If they are unable to access a product or service, or are disadvantaged by withdrawing or refusing their consent, then there is a presumption that the consent was not freely given. Consent is also not considered to be freely given if there is a power imbalance between data controller and data subject – eg the relationship between an employer and an employee.
“Specific and informed” – this means the individual has to be given sufficient information about the identity of the controller and the purposes of the processing. Consent has to be specific to each processing activity. Where different activities are taking place, consent must be given to each separately.
A request for consent must be “clearly distinguishable” from other matters in a written document where other matters are covered, eg in terms and conditions of service. It must also be clearly presented in plain language.
One of the most important changes to be aware of is that under the GDPR, consent can only be given by an affirmative action. This will mean, for example, that the use of opt-out or pre-ticked opt-in boxes is no longer acceptable.
Consent also needs to be verifiable – data controllers must now maintain records so that the consent given can be demonstrated.
Withdrawal of Consent
This is another new concept. Article 7(3) gives data subjects the right to withdraw consent at any time and it must be as easy to withdraw consent as to give it. Not only that, but controllers must inform data subjects of their right to withdraw before the consent is given. If consent is withdrawn, data subjects have the right to have their personal data erased and the data can no longer be used for processing.
Age of consent
There are also new protections for children – the GDPR limits the ability of children to consent to processing unless parental authority is given. The age of consent is set at 16 but Member States can set a lower age subject to a minimum of 13. The UK has said it intends to set 13 as the age of consent and this is set out in the Data Protection Bill.
Given the more stringent rules around consent, it remains to be seen whether it continues to be the legal basis of choice for those processing data. The most important thing to consider when processing data remains whether at least one legal basis for the processing has been identified.