END-USER CONSENT UNDER GDPR

What is consent and types of consent?

If a company wants to collect/process the personal data of any individual, there are certain conditions where such an activity would be considered lawful. GDPR provides six legal bases for the processing of personal data- Contract, legal obligations, vital interests of the data subject, public interest, legitimate interest, and consent of the data subject.

Consent is a complicated part of the GDPR as it is not easy to ensure the validity of consent in practice due to the scope and nature. While GDPR provides control in the hands of the users when it comes to their rights over their private data, Consent goes one more step and provides a stronger hold.

Consent could be implied or expressed. Implied consent essentially means that there exists probable reason to believe that the data subject will provide their consent when asked for it. E.g., a business would assume that a regular customer has consented to receive emails from them. Expressed consent refers to a genuine choice made by the data subject after understanding the process and its implications and consequences. While many various privacy laws recognise both types of consent, GDPR only considers expressed consent. Explicit for sensitive personal data

Essential conditions regarding consent?

GDPR does not recognise implied consent as valid.

Article 7 of the GDPR defines consent as “any freely given, specific, informed and unambiguous […] clear affirmative action“

Hence, as per GDPR, there are five elements of consent, namely-

1. Freely given: consent needs to be voluntarily provided without any pressure or any repercussions of refusal. This implies a genuine choice by the data subject.
2. Specific: The consent should be clearly defined in clear terms regarding the purpose of processing. 
3. Informed: The end-user should be provided with complete information regarding the processing activities they are consenting for. The data subject must be informed about the controller’s identity, the type of data collected and processed, the purpose of processing, their rights to withdraw consent, possible risks and consequences etc. 
4. Unambiguous: The question asked must be in clear and straightforward language in a concise form. Consent cannot be implied. 
5. Clear affirmative action: Providing consent is an act. It needs to be given in the form of a clear statement.

Consent for children

Children’s consent is a particular case, as there is an additional consent/ authorisation requirement from parents/guardians for children under the age of 16. However, if a service is not explicitly offered to children, it is exempted from this rule. This does not apply to services provided to both children and adults.

Consent Management

When we talk about consent, we also need to talk about consent management. Consent has a lifecycle- it starts from the collection of data and continues throughout the entire duration of the data collection while also providing an option to withdraw said consent. A controller should ensure the maintenance and implementation of a comprehensive consent management system that covers the entire consent lifecycle in compliance with GDPR.

Things to keep in mind

It is essential to implement the five critical elements in consent every time you ask for consent from data subjects.

• Do not use pre-ticked boxes as they are not considered valid expressed consent.
• Provide complete information regarding the use of collected data in your privacy policy
• Consider including a “double opt-in.” 
• Include an unsubscribe option to withdraw consent easily.
• Do not try to trick data subjects into consenting, and do not withdraw services in case they choose not to consent.
• Consent should not be hidden in the privacy policy or terms and conditions; it should be collected in a way distinguishable from other matters.
• The controller’s identity and purposes of processing shall be informed to the end-user in plain and straightforward language.
• Silence or inactivity shall not be construed as consent.

Conclusion

While consent is one of the best-known and understood legal grounds for data collection, it is not always the best and most appropriate option. 

Data privacy professionals advise controllers to avoid depending on consent as a sole legal basis for processing personal data. As such, consent can be withdrawn, and end-users can also request to have all their data removed. Further, consent is only one of the six legal grounds that GDPR provides for. 

Knowing when to ask for consent is the key. For example, when you’re processing data which would have minimal impact on individuals but provide benefits to your business and others, then you can use legitimate interests as a legal base, but when you are tracking cookies or sharing personal data with other companies for commercial purposes then asking for consent is the right way to go. 

References

• Connecticut is the fifth state to enact a data privacy law.
• It is also known as ‘The Act of Concerning Personal Data Privacy and Online Monitoring’ or the ‘Connecticut Data Privacy Act (CDPA)’. 
• Governor Ned Lamont passed this law on May 4, 2022.
• It will come into effect on July 1, 2023. All organizations have 14 months left to meet the specific standards set by the state.
• The Connecticut Data Privacy Law follows the similar patterns of the privacy laws of Utah, Colorado, California, and Virginia.
• This law allows consumers to refrain from sharing their personal and sensitive personal data for matters related to target advertising, selling, and profiling.
• Local state governments, non-profit organizations, and similar entities are exempted from this law.
• Refusing to follow this law can result in a fine of up to $500 per personal data that is misused. These fines can reach up to $500,000 if any of the information is misused or disclosed improperly.