What is GDPR consent?
What are the GDPR consent requirements?
Why is consent important for GDPR compliance?
In this article, we’ll discuss the notion of consent in detail.
We’ll look at the legal definition of consent, consider what is valid consent, what information must be provided to data subjects to get their consent and possible consequences of non-compliance.
Are you ready?
Let’s get started!
What is consent under GDPR?
Consent is one of the six lawful bases outlined in GDPR allowing companies to process personal data.
Legal definition of consent under GDPR
Let’s first define consent under GDPR by looking at the text of the law.
Article 4(11) GDPR defines consent as follows:
“‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
Article 6 GDPR then outlines that companies can lawfully process personal data based on the consent of the data subject.
GDPR states the following:
“Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes”
Then, Article 7 GDPR provides for additional conditions related to consent by stating the following:
- “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
- If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
- The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
- When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
Definition of consent in a nutshell
In a nutshell, we can summarize the GDPR consent requirements as follows:
- Processing of personal data can be lawful if it is based on the consent of the data subject
- Consent must be freely given and be specific as to its purpose
- The purpose must be clearly explained in simple terms
- The data subject must provide a statement or take action showing explicit consent
- Companies must be able to prove that they processed personal data based on consent
- Data subjects have the right to withdraw their consent
- Companies cannot force a person to give consent by imposing conditions
Why is consent important?
For organizations to process personal data of individuals in Europe, they must comply with GDPR.
Luckily, consent is one of the six lawful bases for processing personal data as outlined in Article 6 of the regulation.
If a company is unable to justify its data processing activities under any of the lawful grounds for data processing, it can always opt to get the consent of the data subject to legitimize its data processing activities.
When obtaining the explicit consent of an individual, companies can effectively manage their risk exposure with regards to GDPR non-compliance.
However, when seeking individual consent, companies must ensure they provide the data subjects with the ability to exercise their rights associated with their personal data.
Such rights include the right to be forgotten, data portability, right to restrict data processing, right to object and so on.
With consent come specific responsibilities.
What are the benefits of relying on consent for data processing?
GDPR embodies certain foundational principles relating to personal data handling and processing.
Organizations must comply with the seven GDPR guiding principles when engaging in data processing activities.
These principles are the following:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
The benefit of obtaining consent from a data subject to process the person’s data is that it allows organizations to prove compliance with the seven GDPR principles.
For example, informing the data subject as to why you are collecting his or her personal data, for what purpose, for how long and to whom you will transfer the data helps demonstrate compliance with GDPR.
This allows you to demonstrate you’ve processed data lawfully, fairly and in a transparent way.
Also, to get consent, you must disclose your purpose.
This will help you prove compliance with the principle of purpose limitation.
When you inform the data subject for how long you’ll process the data, you’ll comply with the storage limitation principle.
These are important benefits as violations of the GDPR principles can get quite expensive.
Is it mandatory to get consent to process personal data?
It is not mandatory to get a person’s consent to process their data.
In fact, consent is one of six lawful bases outlined in GDPR to process personal data.
A company can process personal data provided it can prove the data processing activities rely on any of the following lawful bases:
- Based on the consent of the data subject
- To enter into a contract or perform contractual obligations
- Compliance with legal obligations
- In the public interest
- Vital interest of the data subject
- Legitimate interest of the controller
You can read our article on the lawful basis for processing data under GDPR for more information on this topic.
In what situation should a company get the consent of the data subject?
Every organization’s data processing reality is different.
There is no cookie-cutter solution for all organizations.
Here is what you should consider as a general principle to decide if you should get a data subject’s consent:
- Are there other lawful bases for processing personal data you can take advantage of?
- Are you collecting personal data in a way that is intrusive to a data subject?
- Are you using personal data strictly for the purpose it was originally collected?
- Are you transferring data to third parties?
- Are the potential third parties using that data in compliance with the purpose based on which you collected the data?
- How sensitive is the data?
These are some leading questions to help you decide if you should get consent from a data subject or not.
Remember, getting a person’s consent can legitimize many types of data processing activities that you may not have an alternative lawful basis to justify.
What is a valid consent based on GDPR?
For consent to be valid under GDPR, it must comply with the requirements of GDPR.
Article 4(11) GDPR defines consent as follows:
“‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Therefore, consent must be:
- Freely given
- Specific
- Informed
- Unambiguous indication
Freely given
For consent to be freely given, the person must have a real choice to give or not to give consent.
At the end of the day, this comes down to the individual having real and true control over their personal data.
Consent can be freely given when:
- A person can accept or reject giving consent without any adverse consequences
- A person has the right to withdraw consent at any time and not be ‘stuck’ with the decision
- Consent is for a specific purpose and not bundled into other terms and conditions
Consent is presumed not to be freely given when it was bundled into other terms and conditions or is imposed as a condition of service.
Recital 43 of GDPR states that consent is presumed not to be freely given “if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance”.
Specific
Consent must be given for a specific purpose.
Consent must cover all the different data processing activities you intend to base on the data subject’s consent.
Whenever it’s possible, data subjects should be advised as to the different ways your company will process their data.
The consent of the person must be received for every distinguishable purpose in a granular way and not bundled.
You do not need to get consent for secondary processing activities that are inherently necessary to achieve the objectives of the purpose.
If the purposes for which data will be used are different, you need consent for each purpose.
If your company’s processing operations change over time and the purpose evolves, you must establish procedures to request fresh consent from the data subject for the new processing.
Informed
Consent must be informed.
This means that the data subject must understand what he or she is consenting to.
In addition, companies must also comply with their duty to be fair and transparent to the data subjects by providing them disclosure of relevant information about their data processing operations.
When asking for someone’s consent, you need to be clear, specific and use plain language so people can truly understand.
The consent you obtain can be considered invalid if the request was too confusing, too difficult to understand, too technical for an ordinary person to understand or even too broad.
Articles 13 and 14 GDPR explicitly define a company’s duty to disclose a certain level of information about its processing activities.
This is called the duty to provide privacy information.
Unambiguous indication
Consent must be expressed in such a way that there is an unambiguous indication of the data subject’s wishes.
In other words, it must be really obvious that a data subject has agreed to give consent.
There must be no misunderstanding about the consent.
If there is doubt as to whether a person consented or not, that consent will not be considered as valid.
Recital 32 of GDPR states that consent must be given by a clear affirmative act.
When we say a clear and affirmative act, we mean that the person must take a step, take an action or do something to express their consent.
More commonly, we refer to this type of consent as explicit consent or opt-in consent.
Companies cannot rely on implied consent or inferred consent as a valid type of consent under GDPR.
To give consent, the data subject must do something, period.
When is consent considered invalid or inappropriate?
An invalid consent or consent that is inappropriate for the processing purpose can expose a company to significant fines.
In what situation can consent be considered invalid or inappropriate?
Here are some examples:
- You do not disclose the actual purpose for collecting data
- You get consent from a person by limiting the services they are entitled to
- You continue to process personal data when consent was withdrawn
- You did not provide sufficient information as required by GDPR to get consent
- You did not have the data subject explicitly accept or reject the request for consent
Examples of invalid consent
The Information Commissioner’s Office in the UK has published a nice list providing different scenarios when consent may be invalid.
They indicate that consent may be invalid for the following reasons:
- you have any doubts over whether someone has consented;
- the individual doesn’t realise they have consented;
- you don’t have clear records to demonstrate they consented;
- there was no genuine free choice over whether to opt in;
- the individual would be penalised for refusing consent;
- there is a clear imbalance of power between you and the individual;
- consent was a precondition of a service, but the processing is not necessary for that service;
- the consent was bundled up with other terms and conditions;
- the consent request was vague or unclear;
- you use pre-ticked opt-in boxes or other methods of default consent;
- your organisation was not specifically named;
- you did not tell people about their right to withdraw consent;
- people cannot easily withdraw consent; or
- your purposes or activities have evolved beyond the original consent.
To ensure that the consent you obtain from a data subject is valid, you should carefully assess the GDPR requirements to draft a consent request script and devise a consent mechanism in compliance with GDPR.
Can consent be obtained as a condition of service?
Generally speaking, if an organization believes that it needs to process personal data to render its contractual services to the data subject, it can opt to process the data on the lawful basis of necessity for contractual performance.
In other words, you do not need to get explicit consent from the data subject as a condition of service.
If you intend to get consent as a condition of service, you must first ask yourself whether you actually need that consent.
Imposing a condition to get consent from a data subject to render services can be highly problematic.
Recital 43 GDPR states that consent is presumed not to be freely given if the service depends on such consent when it is not necessary for the performance of the service.
Companies are perhaps better advised to rely on the lawful basis of legitimate interest to process personal data if it’s necessary for the rendering of their services to the data subject.
This reduces the risk of the consent being invalid in light of the presumption created under Recital 43 GDPR when consent is bundled as a condition of service.
Can I rely on implied consent or opt-out under GDPR?
The threshold for valid consent under GDPR is very high.
Consent cannot be implied and must always be given explicitly.
In other words, consent under GDPR is opt-in and not opt-out.
The legal definition of consent in GDPR is very clear about this.
Article 4(11) GDPR defines consent as follows:
“‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
Under this definition, the person must, by a statement or by a clear action or step, demonstrate his or her agreement to the processing of personal data.
You cannot present an online consent form with a box already ticked for a person to simply “agree”.
You must make the person click a button, enter something in a field, or otherwise take a step that demonstrates they accepted or rejected the consent request.
Consent requirements under the e-Privacy directive
Companies must also respect the consent obligations under the e-Privacy Directive, to the extent it applies to them.
By referring to the e-Privacy directive, we are referring to the Privacy and Electronic Communications Directive 2002/58/EC.
The e-Privacy directive deals with:
- Data retention
- Unsolicited e-mails
- Cookies
- Confidentiality of information
- Treatment of traffic data
- Spam
The European Union is considering bringing significant changes to the e-Privacy directive and replacing it with an e-Privacy regulation.
Discussions on that e-Privacy Regulation are still ongoing; until it is adopted, the e-Privacy Directive will continue to apply to marketing emails, website cookies, online tracking methods and applications downloaded on a person’s computer or device.
For how long is consent valid?
The answer will be different for every organization.
There is no specific rule as to how long consent will remain valid or for how long a company can process personal data based on the consent received.
It’s all a matter of circumstances.
If you obtained consent for a specific purpose today and the purpose evolves a month later, you need to get new consent.
If you obtained consent today for a specific purpose and that purpose remains the same for a year and you don’t need to collect any additional personal information, then your consent may remain valid.
The principle of accountability outlined under GDPR requires that companies prove their compliance with GDPR.
It would be a good idea to have a process where you reassess the purpose of data collection and ensure your data processing activities remain aligned with that purpose.
If the processing operations have changed or evolved, you’ll immediately need to get consent based on the newly evolved purpose.
How can a company request the consent of a data subject?
If a company intends to rely on consent to process personal data, then it must ensure it requests consent in a way that does not compromise its validity.
The requirements are pretty straightforward.
You should write your consent request by observing the following parameters:
- Ask for consent for each specific purpose
- Don’t bundle your consent with other service conditions
- Don’t use complicated language
- Don’t use technical jargon
- Write your content so an average person can understand it
- Be short and sweet
- Don’t use general or overly broad terms
What should a company disclose to a data subject to get consent?
Companies have an obligation to provide some privacy disclosures to the data subject before collecting and processing their personal data.
Article 13 GDPR lays out the obligations of a company to provide information when personal data is to be collected directly from the data subject.
Article 14 GDPR lays out the obligation of a company to provide information when personal data is not obtained directly from the data subject.
Let’s look at each of these scenarios.
Disclosure when personal data is collected from a data subject
Article 13 GDPR requires that a data controller minimally provide the following information so that a data subject’s consent can be informed:
- Identify the company collecting the data and contact details
- Contact details of the data protection officer if the company has one
- The purposes of collecting personal data and the legal basis for the processing
- If the processing is necessary for the legitimate interest pursued by the company based on Article 6(1)(f), the details of the legitimate interest should be disclosed
- Who are the recipients or category of recipients
- If the company intends to transfer personal data to a third country, whether or not that country benefits from an adequacy decision, along with a reference to the appropriate safeguards such as a legally binding and enforceable contract or binding corporate rules
- For how long personal data will be stored
- Advise the person that they have the right to access their data, request the rectification, the erasure, restrict its processing, object to its processing and the right to data portability
- If the processing is based on the individual’s consent, notification as to the person having the right to withdraw his or her consent without affecting the legality of the processing that was done before the withdrawal
- The person’s right to file a complaint with a supervisory authority
- Notification of whether providing the personal data is a legal or contractual requirement, or necessary for the organization to enter into a contract with the person, along with the possible consequences if the information is not given
- Information about the logic of any automated decision-making, including profiling, impacting the person along with possible consequences
Granted, trying to be concise while at the same time being specific may be challenging or even sound contradictory.
Companies can use different ways of getting consent.
One way that can work is a layered level of consent.
This way, you drill into the different aspects of the consent as needed.
Disclosure when personal data was not collected from the data subject
Article 14 GDPR requires that a data controller minimally provide the following information so that a data subject’s consent can be informed:
- Company’s identity and contact information
- Contact details of their data protection officer if they have one
- The reason or purpose why they are processing personal data and the legal basis
- The category of personal data
- The recipients of the personal data
- If the company intends to transfer personal data to a third country, whether or not that country benefits from an adequacy decision, along with a reference to the appropriate safeguards such as a legally binding and enforceable contract or binding corporate rules
- For how long personal data will be stored
- If the processing is based on the company’s legitimate interest, a description of its interests
- Advise the person that they have the right to access their data, request the rectification, the erasure, restrict its processing, object to its processing and the right to data portability
- If the processing is based on the individual’s consent, notification as to the person having the right to withdraw his or her consent without affecting the legality of the processing that was done before the withdrawal
- The person’s right to file a complaint with a supervisory authority
- The source from which the personal data was obtained and whether it came from a publicly accessible source
- Information about the logic of any automated decision-making, including profiling, impacting the person along with possible consequences
In what way can a company collect the consent of a data subject?
Companies can be creative and innovative in the methods they use to get consent.
The Information Commissioner’s Office in the UK provides examples of active opt-in consent mechanisms:
- “signing a consent statement on a paper form;
- ticking an opt-in box on paper or electronically;
- clicking an opt-in button or link online;
- selecting from equally prominent yes/no options;
- choosing technical settings or preference dashboard settings;
- responding to an email requesting consent;
- answering yes to a clear oral consent request;
- volunteering optional information for a specific purpose – eg filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box.”
Companies should consider their specific needs and devise a consent mechanism that will allow GDPR compliance and does not disrupt the user experience.
Data subject’s right to withdraw consent
A data subject should be able to give or withdraw consent at any time.
Withdrawing consent must be easy and should not adversely impact the data subject’s rights.
What’s more, withdrawing consent should not be complicated or require the data subject to go through red tape.
At any time and in a simple and easy way, a data subject should have the ability to exercise his or her right to withdraw consent.
If a person suffers a detriment by withdrawing consent, under GDPR, that consent can be considered as invalid as it may not have been freely given.
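The requirements in the sections above (the controller must be able to demonstrate consent under Article 7(1), consent is asked per purpose rather than bundled, an evolved purpose needs fresh consent, and withdrawal must be possible at any time without affecting the lawfulness of earlier processing under Article 7(3)) translate into a fairly small record-keeping design. The following consent ledger is an added example written for this article, not code from the article’s author or any regulator; the purpose ids, the version-bump scheme for evolved purposes and the scenario data are constructed assumptions.

```python
"""Consent ledger: per-purpose opt-in records with withdrawal and purpose versioning.

Hypothetical design added to illustrate the article's requirements (not the author's code).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    """One recorded decision. The ledger is append-only so it doubles as evidence (Art. 7(1))."""
    subject_id: str
    purpose_id: str
    purpose_version: int   # version of the purpose text the person actually saw
    granted: bool          # True = opt-in; False = refusal or later withdrawal
    at: datetime
    method: str            # the affirmative action taken, e.g. "checkbox", "button", "email_reply"


class ConsentLedger:
    """Consent is tracked per purpose; a purpose carries a version that is bumped when its text changes."""

    def __init__(self, purposes: dict[str, str]):
        # purpose_id -> (current version, plain-language description shown to the person)
        self._purposes: dict[str, tuple[int, str]] = {pid: (1, text) for pid, text in purposes.items()}
        self._events: list[ConsentEvent] = []

    def record(self, subject_id: str, purpose_id: str, granted: bool, method: str, at: datetime) -> ConsentEvent:
        """Record an explicit accept or reject for ONE purpose (granular, never bundled)."""
        if purpose_id not in self._purposes:
            raise KeyError(f"unknown purpose {purpose_id!r}")
        version, _ = self._purposes[purpose_id]
        event = ConsentEvent(subject_id, purpose_id, version, granted, at, method)
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose_id: str, at: datetime) -> ConsentEvent:
        """Withdrawal is just another appended event (Art. 7(3)); earlier evidence is never erased."""
        return self.record(subject_id, purpose_id, False, "withdrawal", at)

    def update_purpose(self, purpose_id: str, new_text: str) -> int:
        """An evolved purpose gets a new version, so consents given for the old text no longer cover it."""
        version, _ = self._purposes[purpose_id]
        self._purposes[purpose_id] = (version + 1, new_text)
        return version + 1

    def _latest(self, subject_id: str, purpose_id: str, before: datetime | None = None) -> ConsentEvent | None:
        hits = [e for e in self._events
                if e.subject_id == subject_id and e.purpose_id == purpose_id
                and (before is None or e.at <= before)]
        return max(hits, key=lambda e: e.at) if hits else None

    def may_process(self, subject_id: str, purpose_id: str) -> bool:
        """May we process for this purpose right now?

        No record means no consent: silence or a pre-ticked box is not an affirmative action."""
        current_version, _ = self._purposes[purpose_id]
        latest = self._latest(subject_id, purpose_id)
        if latest is None or not latest.granted:
            return False
        return latest.purpose_version == current_version

    def was_consented_at(self, subject_id: str, purpose_id: str, when: datetime) -> bool:
        """Processing done before a withdrawal stays lawful (Art. 7(3)): judge by the record in force at `when`."""
        latest = self._latest(subject_id, purpose_id, before=when)
        return latest is not None and latest.granted

    def evidence(self, subject_id: str, purpose_id: str) -> list[ConsentEvent]:
        """Everything needed to demonstrate consent (Art. 7(1)) for one person and one purpose."""
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose_id == purpose_id), key=lambda e: e.at)


def demo() -> dict[str, object]:
    """Constructed scenario: one person, two purposes asked for separately."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger({
        "newsletter": "Send you our monthly newsletter by e-mail.",
        "analytics": "Analyse how you use the app in order to improve it.",
    })
    # Two separate affirmative actions: accept the newsletter, reject analytics.
    ledger.record("alice", "newsletter", True, "checkbox", t0)
    ledger.record("alice", "analytics", False, "checkbox", t0)
    after_optin = ledger.may_process("alice", "newsletter")      # True
    analytics_ok = ledger.may_process("alice", "analytics")       # False: explicitly rejected
    # The purpose evolves: the January consent no longer covers the new text.
    ledger.update_purpose("newsletter", "Send you our newsletter and partner offers by e-mail.")
    after_change = ledger.may_process("alice", "newsletter")      # False until re-consented
    ledger.record("alice", "newsletter", True, "button", t0.replace(month=2))
    after_reconsent = ledger.may_process("alice", "newsletter")   # True
    ledger.withdraw("alice", "newsletter", t0.replace(month=3))
    after_withdraw = ledger.may_process("alice", "newsletter")    # False
    # A mailing sent on 15 February was still lawful even though consent was withdrawn in March.
    feb_was_lawful = ledger.was_consented_at("alice", "newsletter", t0.replace(month=2, day=15))
    return {
        "after_optin": after_optin, "analytics_ok": analytics_ok, "after_change": after_change,
        "after_reconsent": after_reconsent, "after_withdraw": after_withdraw,
        "feb_was_lawful": feb_was_lawful,
        "evidence_entries": len(ledger.evidence("alice", "newsletter")),   # 3: grant, re-grant, withdrawal
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the ledger never deletes anything: withdrawal and refusal are events like any other, which is what lets `evidence()` reconstruct the full history a supervisory authority could ask for, while `may_process()` answers the only question the application code should ask before touching the data.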
What are the fines associated with not getting consent?
GDPR provides for heavy fines when a company violates its obligation with respect to getting explicit consent from a data subject.
If you obtain an invalid consent or a consent inappropriate for the intended data processing purpose, Article 83(5) GDPR allows the supervisory authorities to issue administrative fines of up to 20,000,000 euros or 4% of a company’s annual worldwide turnover, whichever is higher.
In addition to such fines, companies will also suffer reputational damages on the market for inadequately managing their data privacy and data protection obligations.
GDPR Consent: Takeaways
Consent is one of the six lawful bases outlined in GDPR allowing companies to process personal data.
Companies should evaluate if they need to get a data subject’s consent for the processing of their data.
A company can process personal data provided it can prove the data processing activities rely on any of the following lawful bases:
- Based on the consent of the data subject
- To enter into a contract or perform contractual obligations
- Compliance with legal obligations
- In the public interest
- Vital interest of the data subject
- Legitimate interest of the controller
If a company can justify processing data on a lawful basis aside from consent, they should consider it.
At the end of the day, there is no cookie-cutter method for companies to comply with GDPR relating to the consent requirements.
To decide if you should get the data subject’s consent, here is what you should consider as a general principle:
- Are there other lawful bases for processing personal data you can take advantage of?
- Are you collecting personal data in a way that is intrusive to a data subject?
- Are you using personal data strictly for the purpose it was originally collected?
- Are you transferring data to third parties?
- Are the potential third parties using that data in compliance with the purpose based on which you collected the data?
- How sensitive is the data?
If a company needs to get the consent of data subjects, it must ensure that consent respects the following parameters:
- Is freely given
- Is specific
- Is informed
- Is an unambiguous indication
If not, the consent can be invalid and expose the company to severe fines under GDPR.
In this article, we’ve discussed the notion of consent under GDPR in detail.
Use it as your go-to guide to make sure you remain compliant with GDPR.
How do you get consent under GDPR?
You can get consent in many ways under GDPR by:
1- signing a consent form
2- checking a box electronically
3- clicking on an “agree” button
4- ticking an “agree” box
5- clicking on a hyperlink
6- responding to an email
7- verbally saying yes or no
Can you get verbal consent for GDPR?
Although GDPR does not explicitly prohibit verbal consent, companies have an obligation to demonstrate that a data subject made a statement or took a clear affirmative action signifying his or her unambiguous intention to give consent or not. Relying on an undocumented verbal consent may hamper the company’s ability to demonstrate compliance with GDPR.
How long is consent valid for under GDPR?
GDPR does not expressly define a timeline for how long a consent will remain valid. Companies have an obligation to process data strictly based on the purpose for which it was collected. If the purpose changes over time or evolves, companies must get a ‘new’ consent from the data subject. For every organization, the timeline can be different. It can be a few months or even a year. Companies should have a process to continually assess their data processing operations to ensure compliance with GDPR.