The General Data Protection Regulation (GDPR) is now the foundation of online data protection legislation. Because it governs the personal data of all EU citizens, the Regulation does not apply only to EU-based organizations. Indeed, any website an EU citizen may potentially access is required to meet the GDPR standards.
That’s especially relevant to the GDPR consent requirements.
Consent is at the core of the GDPR. The primary goal of the Regulation is to give EU citizens greater power over their personal data. That means knowing what is collected and being able to ask for it to be erased.
But what are the initial consent requirements? And how do you meet them?
Consent is a simple concept: you must ask permission to obtain or collect data from a person. Under Article 4 of the GDPR, consent is defined as:
“Consent of the data subject means any freely given, specific, informed, and unambiguous indication of a data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
That establishes a few fundamentals:
If any of these fundamentals are not followed, then the consent is not considered valid. That opens organizations up to significant fines and penalties.
Indeed, Google famously violated the consent conditions. As a result, they were hit with a €50 million fine. The French data protection authority said that Google’s consent mechanism was neither “informed,” “unambiguous,” nor “specific.”
The GDPR clarifies the definition of consent, in Article 7, by providing necessary conditions for consent (areas in bold highlight key points):
These clarifications add further caveats to the consent criteria of the GDPR, namely:
This keeps the GDPR consistent with other EU legislation, such as the Right to be Forgotten.
To “freely give” consent means to do so without coercion. However, the GDPR goes further. Recital 42 states, “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” The latter clause extends consent to encompass deals in which significant financial loss prevents a person from refusing.
Furthermore, as Recital 43 goes on, freely given consent must be provided for each data processing operation. For example, using an email address for marketing and using an IP address for web analytics are two separate operations; neither can be encapsulated in a single consent.
The example above highlights another key aspect: specificity. Consent must not be broader than necessary and should explain each data use separately.
So, the use of data for marketing purposes must be explained, followed by web analytics. This allows the data owner to be fully informed about the consequences of consenting.
Nor can consent be ambiguous; “silence, pre-ticked boxes, or inactivity,” for instance, do not count. Instead, consent must clearly indicate a data subject’s acceptance of the terms.
This is one of the most common pitfalls of consent forms. As the GDPR states, the consent must be written in “an intelligible and easily accessible form, using clear and plain language.” That means organizations cannot dress up consent forms in diffuse, misleading technical jargon or legalese.
Rather, anyone must be able to understand the consent form regardless of prior expertise.
This was particularly important in the Google case. Here, the French authorities took issue with the dilution of information about the processing operations behind ad personalization. Without adequate information, the data subject could not give informed consent.
Data consent is understandably complex. Indeed, one in five respondents to a survey reported complete GDPR compliance is “impossible.”
That’s simply not the case.
Rather, write your consent forms in clear and easy-to-understand language, explaining what data is collected and what it will be used for, and clearly delineating each use. Then, provide an option for data subjects to rescind their consent.
For further information, please refer to the 88-page Regulation itself.