In this article we guide you through the most important characteristics of consent under GDPR. We also talk about GDPR consent manager – a useful tool that helps you collect, manage, and store all the relevant data in alignment with the new EU law.
New rules around consent can lead to a lot of sleepless nights. However, it must be remembered that the new Regulation was created for a reason – to protect users’ privacy and to help restore trust and transparency of activities between ordinary people and the entities which process their data.
Studies show that there’s a lot of work to be done. “The 2017 State of Consumer Privacy and Trust” survey conducted by Gigya found that 68% of respondents don’t trust brands to handle their personal information appropriately. A telling result, right?
Now it’s about to change.
Ok, but what exactly is going to change?
As you surely know, GDPR introduces some major shifts in many aspects of processing users’ data.
The new law also makes significant changes in the definition of consent. Here’s a comparison of the new definition of “consent” and the one from 1995.
EU Directive 95-46-EC:
“Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
As you can see, GDPR introduces a new clause, as consent now must be unambiguous and involve a clear affirmative action.
A Practical Guide to Acquiring Consent in the Age of GDPR
Read our exhaustive guide on collecting, managing, and storing user consents, plus learn the ways GDPR Consent Manager can help you remain privacy compliantDownload FREE Guide
What it really means
It’s enough to say that the definition of consent is rather general and doesn’t provide you with actionable tips for your compliance strategy. But don’t be afraid! Fortunately, there are many documents and guidelines interpreting the provisions of GDPR.
Consent as understood by Article 29 Working Party
One of the most important (and helpful!) of these guidelines is the one prepared by Article 29 Working Party. Their “Guidelines on Consent under Regulation 2016/679” contain an overview of the elements of valid consent under Article 4(11) of GDPR (“freely given”, “specific”, “informed”, and “unambiguously indicated”).
Here you can find what Article 29 Working Party has to say about the particular adjectives used in the definition:
“The element “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given.
Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment. The notion of imbalance between the controller and the data subject is also taken into consideration by the GDPR.”
This point is particularly helpful, because it makes it easier to determine whether visitors of your website can freely decide if they want you to process their data. Unfortunately, this won’t be the case with data controllers who are public authorities and employers – the balance of power is skewed and there is a risk that users’ consents will not be fully voluntary.
Such an organization should use one of the five other lawful processing means (yes, there’s five more of them).
Also, it’s important to emphasize that consent should never be a prior condition for using your site or taking advantage of your services. For instance, it can’t be included in the terms and conditions of a website. This prevents the user from having a free choice when making decisions regarding consent.
Important tip: If you can’t provide your users with a genuinely free choice regarding the processing of their data, consent is not the best legal grounds for you to choose. In this scenario, you should seek other ways to justify your right to process users’ personal data.
“Article 6(1a) confirms that the consent of the data subject must be given in relation to “one or more specific” purposes and that a data subject has a choice in relation to each of them. The requirement that consent must be ‘specific’ aims to ensure a degree of user control and transparency for the data subject. This requirement has not been changed by the GDPR and remains closely linked to the requirement of ‘informed’ consent. At the same time it must be interpreted in line with the requirement for ‘granularity’ to obtain ‘free’ consent. In sum, to comply with the element of ‘specific’ the controller must apply:
– Purpose specification as a safeguard against function creep,
– Granularity in consent requests, and
– Clear separation of information related to obtaining consent for data processing activities from information about other matters.”
As you can see, the Article 29 Working Party guidelines advise you to indicate every possible purpose for using user data. That way, you’ll make sure they give you “specific” consent for processing their data in a particular way.
In practice, this means you’ll need a separate consent for every use of personal data. For example: one for content personalization activities and another for remarketing campaigns; one for using first-party cookies and another for third-party cookies. All these should be listed in the consent box displayed to users when they visit your page for the first time.
However, it’s likely that not every purpose for using personal data will require direct user consent.
Some experts predict that the Regulation on Privacy and Electronic Communications (also known as “ePrivacy”) in its current (and still not final) form will exclude from this list, among other things, cookies used exclusively for analytics purposes.
Unfortunately, we still have to wait to see how everything unfolds when the regulation assumes its final form. Until then, it’s safe to assume that using web analytics trackers will also require consent.
If you’d like to learn more about ePrivacy, we advise you to read these blog posts. They offer a thorough overview of the subject:
– How ePrivacy Impacts Marketing Automation, Re-marketing, Personalization and Web Analytics
– Current state of the ePrivacy Regulation as it enters the home stretch
Important tip: Make sure that your cookie consent box lists every purpose you have for using personal data. Otherwise, you can’t say that your users’ consents were “specific”.
“The GDPR reinforces the requirement that consent must be informed. Based on Article 5 of the GDPR, the requirement for transparency is one of the fundamental principles, closely related to the principles of fairness and lawfulness. Providing information to data subjects prior to obtaining their consent is essential in order to enable them to make informed decisions, understand what they are agreeing to, and for example exercise their right to withdraw their consent. If the controller does not provide accessible information, user control becomes illusory and consent will be an invalid basis for processing.
The consequence of not complying with the requirements for informed consent is that consent will be invalid and the controller may be in breach of Article 6 of the GDPR.”
The most important thing in this case is the fact that you must clearly explain to people what they are signing up for. Individuals should be informed that they are consenting to the processing of their personal data. Additionally, they should be aware of their rights concerning the given consent, like the right to withdraw it, the right to correct their data, and other rights.
Also, the request for consent needs to be:
- easy to understand,
- separate from other terms and conditions, and
- presented in plain language.
If your consent request doesn’t meet this requirements (in other words, it’s vague, difficult to understand, or not separate from other matters) it will be considered invalid.
“The GDPR is clear that consent requires a statement from the data subject or a clear affirmative act which means that it must always be given through an active motion or declaration. It must be obvious that the data subject has consented to the particular processing.
A “clear affirmative act” means that the data subject must have taken a deliberate action to consent to the particular processing. Recital 32 sets out additional guidance on this. Consent can be collected through a written or (a recorded) oral statement, including by electronic means.”
As you can see, the word “unambiguous” suggests that there should be no doubt that the data subject has agreed to the data processing. Later in the guidelines the WP29 provides more information on the range of possible mechanisms by which data subjects can take a clear affirmative action. It includes:
- ticking a box,
- swiping on a screen,
- waving in front of a smart camera,
- turning a smartphone around clockwise or in a figure-eight motion.
It means that the consent is considered valid only when the data subject had to take action in order to agree to your request. Pre-clicked boxes are no longer an option.
A helpful guide to GDPR Consent Manager
We hope that all these requirements haven’t scared you too much. Of course, the new demands change many things in the way you deal with data, but there are a ranges of solutions and possible scenarios to ensure compliance with the new law.
That’s why we decided to put together an exhaustive guide on collecting user consents under GDPR. We’ve titled it “A Practical Guide to Acquiring Consent in the Age of GDPR”, and it will:
- describe more characteristics of proper GDPR consent,
- present you with actionable tips on consent prepared by the Information Commissioner’s Office and the Article 29 Working Party,
- show you some practical examples of GDPR-compliant consent requests,
- discuss five more legal grounds for processing user data,
- detail the most important principles of storing user consents,
- and much more!
What’s more, we’ll present the most important advantages of GDPR Consent Manager – a tool designed to collect, manage, and store user consents.
Read our exhaustive guide on collecting, managing, and storing user consents, plus learn the ways GDPR Consent Manager can help you remain privacy compliant.
Download FREE Guide