Under the European General Data Protection Regulation (GDPR), consent is one of the legal bases upon which controllers may rely to process personal data.
The GDPR defines a valid consent as a freely given, specific, informed and unambiguous indications of the individual’s wishes and restrictions apply to online services provided to children.
Given all the requirements, controllers, always eager to collect more personal data, must be careful when designing their consent process.
1. When should controllers obtain individuals’ consent?
Consent is only one of the six possible legal bases for processing personal data.
As individuals may withdraw their consent at any time, controllers should rely on individuals’ consent only where this is strictly necessary or required by specific law such as direct marketing laws.
For more details about the legal bases for processing, click here.
2. What is valid consent?
Under the GDPR, consent is any freely given, specific, informed and unambiguous indication of the individual’s wishes.
This indication must be a clear affirmative action such as a written statement, including by electronic means, or an oral statement. It can be a tick box, technical settings for information society services or another statement or conduct which clearly indicates in this context the individual’s acceptance of the proposed processing. Silence, pre-ticked boxes or inactivity should not be valid consent as it may be ambiguous.
The terms of the consent must be in clear and plain language and presented in a manner clearly distinguishable from other matters such as terms and conditions.
In this regard, the provision of services should not be conditional on consent to processing operations that are not necessary for the provision thereof (e.g. direct marketing via e-mail). In this case, individuals should have the possibility to agree to the terms and conditions of service and to refuse the additional processing operations.
Separate consent is necessary for each purpose of processing. The GDPR is unclear on this point as it states in various provisions that:
- consent should cover all processing activities carried out for the same purpose or purposes;
- when the processing has multiple purposes, consent should be given for all of them; and
- separate consent should be obtained for different processing operations.
We believe that the distinction between “activities”, “operations” and “purposes” is confusing but European Data Protection Board (EDPB) recommend, in its guideline on consent (December 2017), obtaining a separate consent per purpose.
Besides, the CJEU has also provided additional guidelines on what should be a valid consent (see here). In particular, the Court requires the controller to provide sufficient information to the data subjects so that they have full knowledge of the fact.
3. Other issues to take into consideration
The controller must be able to demonstrate they have obtained individuals’ consent and allow them to withdraw their consent at any time. The withdrawal must be as easy as the way to give consent.
When online services (e.g. Facebook etc.) are provided to individuals under 13 to 16 depending on the Member State, parents or any person having a legal authority must give their approval.
4. What is the risk of obtaining invalid consent?
Where the processing is/should be based on consent, processing personal data without valid individuals’ consent is subject to a fine of up to €20 million or 4% of the global annual turnover, whichever is higher.
Processing personal data without the necessary parents’ approval is subject to a fine of up to €10 million or 2% of the annual global turnover, whichever is higher.
If you have any question, do not hesitate to contact Arnaud Blanc, French & UK qualified lawyer based in France.