END-USER CONSENT UNDER GDPR

Article by Tsaaro

What is consent and types of consent?

If a company wants to collect or process the personal data of an individual, that activity is lawful only under certain conditions. GDPR provides six legal bases for the processing of personal data: contract, legal obligation, vital interests of the data subject, public interest, legitimate interest, and consent of the data subject.

Consent is a complicated part of the GDPR, because the scope and nature of the processing make it hard to ensure in practice that consent is valid. While GDPR places control in the hands of users when it comes to their rights over their personal data, consent goes one step further and gives them a stronger hold over how that data is used.

Consent can be implied or expressed. Implied consent essentially means that there is probable reason to believe the data subject would give their consent if asked for it. For example, a business might assume that a regular customer has consented to receive emails from it. Expressed consent refers to a genuine choice made by the data subject after understanding the process and its implications and consequences. While many privacy laws recognise both types of consent, GDPR only considers expressed consent, and requires explicit consent for sensitive personal data.

Essential conditions regarding consent

GDPR does not recognise implied consent as valid.

Article 7 of the GDPR defines consent as “any freely given, specific, informed and unambiguous […] clear affirmative action”.

Hence, as per GDPR, there are five elements of consent, namely:

  1. Freely given: consent needs to be provided voluntarily, without any pressure and without repercussions for refusal. This implies a genuine choice by the data subject.
  2. Specific: the consent should be defined in clear terms regarding the purpose of processing.
  3. Informed: the end-user should be provided with complete information regarding the processing activities they are consenting to. The data subject must be informed about the controller’s identity, the type of data collected and processed, the purpose of processing, their right to withdraw consent, possible risks and consequences, etc.
  4. Unambiguous: the question asked must be in clear and straightforward language in a concise form. Consent cannot be implied.
  5. Clear affirmative action: providing consent is an act. It needs to be given in the form of a clear statement.

Consent for children

Children’s consent is a particular case, as there is an additional consent/authorisation requirement from parents or guardians for children under the age of 16. However, if a service is not explicitly offered to children, it is exempted from this rule. This exemption does not apply to services provided to both children and adults.

Consent Management

When we talk about consent, we also need to talk about consent management. Consent has a lifecycle: it starts with the collection of data and continues throughout the entire duration of the processing, while also providing an option to withdraw said consent at any time. A controller should ensure the maintenance and implementation of a comprehensive consent management system that covers the entire consent lifecycle in compliance with GDPR.

Things to keep in mind

It is essential to implement the five critical elements in consent every time you ask for consent from data subjects.

  • Do not use pre-ticked boxes, as they are not considered valid expressed consent.
  • Provide complete information regarding the use of collected data in your privacy policy.
  • Consider including a “double opt-in”.
  • Include an unsubscribe option so that consent can be withdrawn easily.
  • Do not try to trick data subjects into consenting, and do not withdraw services if they choose not to consent.
  • Consent should not be hidden in the privacy policy or terms and conditions; it should be collected in a way that is distinguishable from other matters.
  • The controller’s identity and the purposes of processing shall be communicated to the end-user in plain and straightforward language.
  • Silence or inactivity shall not be construed as consent.
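The consent lifecycle described under “Consent Management” and the checklist above can be encoded in a small consent ledger. The following Python sketch is an added example, not code from the article or from Tsaaro; the class and method names (ConsentLedger, request, confirm, withdraw, is_permitted) and the sample controller and purposes are constructed for illustration. It records one purpose per consent (specific), stores which privacy notice the subject was shown (informed), refuses pre-ticked boxes and treats silence as no consent (clear affirmative action), holds consent as pending until a double opt-in confirmation, and lets the subject withdraw at any time, keeping a timestamped history so the controller can show what was agreed and when.

```python
"""Consent ledger sketch (constructed example, not from the original article)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class ConsentState(Enum):
    PENDING = "pending"      # affirmative action recorded, double opt-in not yet confirmed
    GIVEN = "given"          # valid, specific, confirmed consent: processing permitted
    WITHDRAWN = "withdrawn"  # subject exercised the right to withdraw


class ConsentError(ValueError):
    """Raised when a request would not produce valid consent."""


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    controller: str
    notice_version: str  # which privacy notice the subject was shown (the "informed" element)
    state: ConsentState
    history: list[tuple[str, ConsentState]] = field(default_factory=list)

    def transition(self, state: ConsentState, now: datetime) -> None:
        # Every change is appended with a timestamp so the lifecycle can be demonstrated later.
        self.state = state
        self.history.append((now.isoformat(), state))


class ConsentLedger:
    def __init__(self, controller: str, purposes: dict[str, str]) -> None:
        self.controller = controller
        self.purposes = purposes  # purpose id -> plain-language description shown to the user
        self._records: dict[tuple[str, str], ConsentRecord] = {}

    @staticmethod
    def _now(now: datetime | None) -> datetime:
        return now or datetime.now(timezone.utc)

    def request(self, subject_id: str, purpose: str, notice_version: str, *,
                affirmative: bool, prechecked: bool = False,
                now: datetime | None = None) -> ConsentRecord | None:
        if prechecked:
            raise ConsentError("pre-ticked boxes are not valid consent")
        if purpose not in self.purposes:
            raise ConsentError(f"unknown purpose {purpose!r}: consent must name a specific purpose")
        if not affirmative:
            # Silence, inactivity or refusal: nothing is recorded and nothing is permitted.
            return None
        record = ConsentRecord(subject_id, purpose, self.controller, notice_version, ConsentState.PENDING)
        record.transition(ConsentState.PENDING, self._now(now))
        self._records[(subject_id, purpose)] = record
        return record

    def confirm(self, subject_id: str, purpose: str, now: datetime | None = None) -> ConsentRecord:
        """Second step of the double opt-in (e.g. a confirmation link in an email)."""
        record = self._records.get((subject_id, purpose))
        if record is None or record.state is not ConsentState.PENDING:
            raise ConsentError("nothing pending to confirm")
        record.transition(ConsentState.GIVEN, self._now(now))
        return record

    def withdraw(self, subject_id: str, purpose: str, now: datetime | None = None) -> ConsentRecord:
        """Withdrawal must be possible at any point in the lifecycle."""
        record = self._records.get((subject_id, purpose))
        if record is None:
            raise ConsentError("no consent on record")
        record.transition(ConsentState.WITHDRAWN, self._now(now))
        return record

    def is_permitted(self, subject_id: str, purpose: str) -> bool:
        """Processing for a purpose is allowed only while consent is in the GIVEN state."""
        record = self._records.get((subject_id, purpose))
        return record is not None and record.state is ConsentState.GIVEN


def demo() -> dict:
    """Walk one constructed subject through the lifecycle and report the outcomes."""
    ledger = ConsentLedger("Example Ltd (constructed)",
                           {"newsletter": "Send you our monthly newsletter by email"})
    out = {}
    try:
        ledger.request("user-1", "newsletter", "notice-v1", affirmative=True, prechecked=True)
        out["prechecked_rejected"] = False
    except ConsentError:
        out["prechecked_rejected"] = True
    out["silence_is_not_consent"] = ledger.request("user-1", "newsletter", "notice-v1", affirmative=False) is None
    ledger.request("user-1", "newsletter", "notice-v1", affirmative=True)
    out["permitted_before_confirm"] = ledger.is_permitted("user-1", "newsletter")
    ledger.confirm("user-1", "newsletter")
    out["permitted_after_confirm"] = ledger.is_permitted("user-1", "newsletter")
    record = ledger.withdraw("user-1", "newsletter")
    out["permitted_after_withdraw"] = ledger.is_permitted("user-1", "newsletter")
    out["history"] = [state for _, state in record.history]
    return out


if __name__ == "__main__":
    print(demo())
```

The ledger is keyed by (subject, purpose), so consent for one purpose never bleeds into another, and `is_permitted` is the single check that processing code should call before acting on the data; a refusal leaves the rest of the service untouched, which is the behaviour the checklist asks for.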

Conclusion

While consent is one of the best-known and understood legal grounds for data collection, it is not always the best and most appropriate option. 

Data privacy professionals advise controllers to avoid depending on consent as the sole legal basis for processing personal data. This is because consent can be withdrawn, and end-users can also request to have all their data removed. Further, consent is only one of the six legal grounds that GDPR provides for.

Knowing when to ask for consent is the key. For example, when you are processing data that would have minimal impact on individuals but provides benefits to your business and others, you can rely on legitimate interests as a legal basis; but when you are tracking cookies or sharing personal data with other companies for commercial purposes, asking for consent is the right way to go.
