Under the European General Data Protection Regulation (GDPR), it is sometimes necessary to obtain an individual’s consent before processing their personal data. Because the GDPR is more restrictive and explicit about how consent must be obtained (and withdrawn), it may have a huge impact on companies’ day-to-day business activities, in particular those of online businesses.
Definition of consent. Under the GDPR, consent is any freely given, specific, informed and unambiguous indication of the individual’s wishes. This indication may be either a statement or a clear affirmative action.
In addition to the conditions already provided under the former legislation, consent must now be “unambiguous”. This new condition may invalidate any implied consent and may also blur the line between consent and explicit consent (which may be required for collecting special categories of data).
Format of the consent terms. When consent is the legal basis for the data processing, the consent terms must be drafted in clear and plain language and presented in a manner clearly distinguishable from other matters, especially where such consent terms form part of wider terms and conditions.
The scope of consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. However, the GDPR also provides that separate consent should be obtained for different processing operations (see recital 43). It is not clear what the difference is between a data processing purpose and a processing operation, but the European Data Protection Board has stated in its guideline on consent (December 2017) that separate consent should be obtained for each purpose.
Ways to obtain consent from individuals. Consent should be given by a clear affirmative action, such as a written statement (including by electronic means) or an oral statement. This could be implemented by a tick box, technical settings for information society services, or another statement or conduct which clearly indicates, in this context, the individual’s acceptance of the proposed processing. Silence, pre-ticked boxes or inactivity should not constitute valid consent.
Services conditional on consent. The provision of services should not be conditional on consent to additional processing operations that are not necessary for the provision of those services (e.g. direct marketing via e-mail), as such consent would not be considered freely given and would therefore be invalid. Indeed, the individual would have no choice but to accept the additional processing in order to obtain the requested services. As a consequence, consent to additional processing operations not necessary for the provision of the services should be obtained separately.
Right to withdraw consent at any time. The controller must give the individual the opportunity to withdraw consent at any time, and withdrawing consent must be as easy as giving it.
Children’s and teenagers’ consent. When the individual providing his/her personal data is under 16, the parents or any person with legal authority over the child must give their approval for the consent to be deemed valid. However, depending on the Member State, the threshold may be lowered to 13 years old.
Proof of consent. Controllers should be able to demonstrate that they have obtained the individual’s consent.
Potential fine. Not obtaining the individual’s consent may be subject to a fine of up to 20 million euros or 4% of global annual turnover, whichever is higher. Not obtaining parental consent is subject to a fine of up to 10 million euros or 2% of global annual turnover, whichever is higher.