Among the more significant changes under the GDPR are new limitations on the use of consent to permit the processing of personal data. Recent WP29 guidelines on consent expand on previous opinions (for example Opinion 15/2011 regarding the definition of consent or Opinion 06/2014 regarding the legitimate interests of data controllers) and confirm that the use of consent must pass a very high bar to be effective under the GDPR.
Consent is one of six lawful bases to process personal data under the GDPR. Article 4(11) of the GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Generally, consent may only be relied upon as a proper basis for personal data processing if “a data subject is offered control and a genuine choice with regard to accepting or declining the terms offered or declining them without detriment.” Among other effects, this definition limits the use of consent by public authorities and private employers to process employee data since, as many data regulators have already stated, employees are often afraid to withhold consent from their employers for fear of losing their jobs.
Consent requires a positive opt-in. Use of default consents, such as pre-ticked boxes, is not sufficient. Consent cannot be a precondition of service. Consent requests should be kept separate from Terms & Conditions forms on webpages.
The WP29 guidelines also provide an important gloss on the process for withdrawing consent. The GDPR requires that for consent to be valid, it must be as easy for the data subjects to withdraw their consent as it was for the data controller to obtain it in the first instance. Data controllers who obtain consent through the use of click-wrap forms may therefore need to provide a similar one-click process to enable data subjects to withdraw their consent.
The WP29 guidelines provide additional context on the interpretation of other terms such as “freely given,” “specific,” “informed,” and “unambiguous indication of wishes,” as well as guidance on the use of consent from children and for scientific research.
The main takeaway for data controllers is that while consent is still a valid basis for processing personal data under the GDPR, obtaining consent is not a rote process. Data controllers must think carefully about the language and placement of consent requests, as well as the circumstances under which consent can be lawfully obtained.