Under the GDPR, consent needs to be “…freely given, specific, informed and unambiguous…” In other words, consent will only be validly given where there is a clear statement or conduct by an individual which indicates his/her acceptance of the proposed processing. Accordingly, the following will no longer be satisfactory evidence of consent:
- silence on the part of an individual;
- pre-ticked boxes in relation to processing;
- any inactivity/passivity by the individual.
The GDPR hammers home this message by providing further specific guidance in both the Articles and Recitals. From these, organisations must be aware that they need to:
- clearly distinguish the individual’s consent to processing personal data from any other consents given to the relevant organisation;
- clearly identify the organisation processing personal data and the intended purposes of such processing for any consent given to be informed;
- ensure that consent is revocable by the individual at any time in the future and, moreover, make it as easy for consent to be withdrawn as it was to provide consent in the first place;
- ensure that where the entering into an agreement to provide goods/services is made conditional on an individual consenting to the processing of personal data, such consent is necessary in order to carry out the contractual obligation – where such consent is not necessary for the contract to be performed, there is a real risk that consent obtained in this manner will not be valid in terms of justifying processing.
Finally, it should also be noted that there are now new, specific rules in relation to the obtaining of consent from children. Where children are receiving some form of online service, the general presumption is that parental/guardian consent must be obtained for children under 16, although member states do have the right to reduce this age to no lower than 13 if they wish.
Action points to ensure consent to processing is validly obtained
Organisations should carry out a thorough review of the personal data they hold so that they know what they hold and process, and can confirm that any consent relied upon is legally valid. In doing so, the following points should be addressed:
- Is there a clear statement or positive action evidencing consent?
- Any existing procedures relying on pre-ticked boxes, silence or passivity need to be ended and replaced with compliant procedures;
- The identity of the data controller and intended purpose of processing should be made crystal clear;
- Consent may only be validly linked to the performance of a contract where the consent is necessary in order to carry out the intended service;
- Special rules apply in relation to children under 16;
- Explicit consent is still required to justify the processing of sensitive personal data.