The new data protection regulation (GDPR) has brought clarifications as to the way consent should be obtained (and even withdrawn), by providing a new definition and further guidance.
Definition. As per the GDPR, consent is any freely given, specific, informed and unambiguous indication of the individual’s wishes. This indication may be either a statement or a clear affirmative action.
The main difference between the new regulation and the current directive is the word “unambiguous”. In addition, further guidance has been provided.
The scope of consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. (update January 18) However, the GDPR also provides that separate consent should be obtained for different processing operations (see recital 43). It is not clear what the difference is between a data processing purpose and a processing operation, but the WP29 has stated in its guidelines on consent (December 2017) that consent should be obtained for each purpose.
How to obtain consent from individuals. Consent should be given by a clear affirmative act, such as a written statement (including by electronic means) or an oral statement. This could take the form of a tick box, technical settings for information society services, or another statement or conduct which clearly indicates, in this context, the individual’s acceptance of the proposed processing. Silence, pre-ticked boxes or inactivity do not constitute valid consent.
Services conditional on consent. Where the provision of a service is conditional on obtaining the individual’s consent for processing that is not necessary for the provision of that service (e.g. direct marketing via e-mail), the consent might not be considered freely given, as the individual would have no choice but to accept the additional processing if he wanted the service to be provided. Therefore, a single consent covering both the terms and conditions and the data processing should not be valid. However, even though “utter importance” will be given to such a statement when assessing the validity of a consent, it is not expressly prohibited, so there may be room for some kind of conditional services.
Right to withdraw consent at any time. The controller must give the individual the opportunity to withdraw consent at any time, and withdrawing consent must be as easy as giving it.
Children’s and teenagers’ consent. When the individual providing his/her personal data is under 16, the parents or a person having legal authority over the child must give their approval for the consent to be deemed valid. However, depending on the Member State, the threshold may be lowered to 13 years old.
Proof of consent. Controllers should be able to demonstrate that they have obtained the individual’s consent.
Potential fine. Not obtaining the individual’s consent may be subject to a fine of up to 20 million euros or 4% of the global annual turnover, whichever is higher. Not obtaining parental consent is subject to a fine of up to 10 million euros or 2% of the global annual turnover, whichever is higher.