One of the most misunderstood aspects of the GDPR (General Data Protection Regulation) is its consent requirements.
Many people believe that organisations must get consent to process personal data, but that’s not true. Consent is only one of the six lawful grounds you can seek, and it’s generally regarded as the least preferable option.
Where possible, you should seek one of the following alternatives:
- A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employee contract.
- Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.
- Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
- A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police.
- Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided that reason is not outweighed by negative effects on the individual’s rights and freedoms.
You only need to seek consent when you can’t justify any of these lawful grounds.
What are the requirements for obtaining consent?
Consent requests must be specific and informed. In other words, consent must be sought in a document that’s readily available and written in simple language that leaves no room for misinterpretation.
The GDPR also states that consent must be freely given. This means that there cannot be any negative consequences of not agreeing to the terms.
An example of this is when an employer uses consent to process staff data. Employees might understandably fear for their job security, or at least their social standing at work, if they refuse to consent to certain data practices.
The concept of negative consequences generally applies whenever there is an imbalance of power between the organisation seeking consent and the data subject. Other examples include interactions between tenants and letting agents, and applications for jobs, schemes and prizes.
Similarly, consent should not be a precondition of signing up to a service unless necessary for that service.
Opt in vs opt out
Consent must be given with a clear affirmative action. This means the request should comprise a mechanism that requires a deliberate action to opt in, as opposed to pre-ticked boxes.
Examples of lawful consent requests include:
- Signing a consent statement on a paper form;
- Clicking an opt-in button or link online;
- Selecting from equally prominent yes/no options;
- Choosing technical settings or preference dashboard settings;
- Responding to an email requesting consent;
- Answering yes to a clear oral consent request;
- Volunteering optional information for a specific purpose (such as optional fields in a form); and
- Dropping a business card into a box.
This list isn’t exhaustive, but the point is that consent requests need the individual to provide a clear positive action. Consent requests must not rely on silence, inactivity, default settings, taking advantage of inattention or inertia, or default bias in any other way.
Writing your request form
Consent requests must:
- Be separate from other terms and conditions.
- Give a thorough explanation of options to consent to different types of processing wherever appropriate.
- State which organisation and third parties will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
You should also make it clear that data subjects have the right to withdraw their consent at any time, and explain how they can do so. Consent must be as easy to withdraw as it is to give.
Requesting children’s consent
Individuals will only be able to give consent if they are over a certain age. Under the GDPR, the default age at which this happens is 16, but the Regulation allows member states to adjust that limit to anywhere between 13 and 16. For example, the UK, the Republic of Ireland and Spain set the age at 13, Germany and the Netherlands stuck with 16 and Austria has opted for 14.
If an organisation is trying to collect the data of a person younger than this, consent needs to be given by someone with “parental responsibility”. The organisation must also make “reasonable efforts” to verify that the person providing that consent is indeed a parental figure.
There is an exception to this. Minors have autonomy over any data that’s collected “in the context of preventative or counselling services offered directly to a child”. This means that, for example, if a child tells a teacher that they are being abused, the school doesn’t need to get consent from the parental figure to report the incident to the authorities.
The trouble with consent
Under the GDPR, individuals are given more control of their data, which means using consent can be dangerous and time-consuming.
For instance, if you are using consent to process personal data and you then want to use that data for another purpose, you’ll need to ask for everybody’s consent again. Anyone who refuses to consent or who doesn’t reply must be removed from your records.
Individuals are also free to withdraw their consent at any time, which again means you must remove them from your records. If you don’t do this, your organisation risks disciplinary action from the relevant supervisory authority.
Additionally, as Rowenna Fielding writes on her blog, if a data subject withdraws their consent and you then realise you have a legal obligation to continue processing the data, you’ll find yourself in a catch-22 situation: either you breach privacy law by processing that data after consent has been withdrawn or you fail to meet your legal obligation to process that data.
Looking for more GDPR compliance help?
You can learn more about your data protection and privacy requirements by reading EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide.
The updated second edition of this essential guidebook explains in simple terms the steps you must follow to meet the GDPR’s requirements. It covers everything you need to know about the Regulation, including:
- Data subjects’ rights;
- How to gain lawful consent;
- Managing consent withdrawal;
- Fulfilling DSARs (data subject access requests);
- How to complete DPIAs (data protection impact assessments);
- Whether you need to appoint a DPO (data protection officer).
A version of this blog was updated on 30 August 2017.