On March 2, 2017, the UK Information Commissioner’s Office (ICO) published its draft General Data Protection Regulation (GDPR) consent guidance, and called for comments on the guidance. The consultation is open until March 31, 2017. The ICO will issue final guidance in May 2017.
The guidance is detailed, and references the various GDPR Articles and recitals and previous Article 29 Working Party opinions on which it is based. The guidance is also conservative and keen to emphasize the heightened consent requirements that the GDPR mandates (over and above the current data protection law), particularly in the UK.
GDPR Changes to Consent
The ICO guidance emphasizes the following changes to the consent requirements (as the ICO interprets them):
- The GDPR sets a high standard for consent, and the ICO expects a significant change for companies’ consent mechanisms.
- The GDPR is clear that an indication of consent must be unambiguous and involve a clear affirmative action.
- The GDPR requires consent to be separated from other terms and conditions. It should not generally be a precondition of signing up for a service.
- The GDPR specifically bans pre-checked opt-in boxes.
- The GDPR requires granular consent for distinct processing operations.
- The GDPR requires organizations to keep clear records to demonstrate consent.
- The GDPR provides a specific right to withdraw consent, and requires organizations to notify individuals of their right to withdraw consent and to offer easy means to withdraw consent at any time.
- Public authorities, employers, and other organizations in a position of power over individuals whose consent they are seeking are likely to find it more difficult to get valid consent.
- Organizations need to review existing consents and their consent mechanisms to check whether they meet the GDPR standard. If they do, there is no need to obtain new consent.
Key Consent Guidance
- The GDPR requires privacy notices to name third parties that will rely on consent: Organizations relying on the consent must be named, and even precisely-defined categories of third-party organizations will not be acceptable under the GDPR. This will be particularly problematic for third parties who do not have a touch point with the individuals. These organizations will need to ensure that they require other parties (that collect data on their behalf) to obtain consent, to the extent consent is the basis for processing data.
- Interaction with the ePrivacy regime: The ICO notes that the GDPR interacts with ePrivacy laws and the ePrivacy Directive may be replaced by an ePrivacy Regulation. However, in the interim, the ICO points to its existing guidance on the UK implementation of the ePrivacy Directive. Under the current draft of the ePrivacy Regulation, the GDPR standard of consent will apply where consent is required for e-marketing, so organizations may wish to apply the GDPR standard as soon as possible, rather than operating in the grey area afforded by the ICO’s existing guidance.
- Combining consent with other grounds for data processing: The ICO discourages organizations from processing personal data based on an individual’s consent if the controller has another legal basis available and would still process the personal data using that other ground if the data subject withdrew consent. The ICO explains that, in this case, the ability to withdraw the consent is deceptive. Thus, organizations may wish to avoid relying on a “belt and suspenders” approach to establishing a legal basis for processing personal data, unless the organization very clearly explains that data processing may continue even if the individual withdraws consent.
- Conditional consent: Although the ICO does not recommend reliance on conditional consent – where an organization makes its performance of a contract conditional on a data subject granting consent to processing that is not required for the performance of the contract – the ICO acknowledges that, in some limited circumstances, conditional consent may be justifiable: for instance, if there is minimal privacy impact, if the controller would stop the processing if the consent was not given, and if no ground other than consent supports the processing. Companies relying on conditional consent take a risk that consent could be challenged as invalid because it is not “freely given.”
- Implied consent: Under the ICO guidance, the concept of implied consent has continued vitality. The ICO explains that an individual can provide consent by “a clear affirmative act,” rather than through a written or verbal statement explicitly acknowledging consent. If a controller relies on implied consent, the data subject must understand that his/her actions constitute consent to a specific and obvious purpose. This requirement suggests that companies may be limited in their ability to treat conduct as implied consent. By contrast, where the processing involves sensitive data, and “explicit consent” is required, the statement of consent must be expressly confirmed in words relating to the specific processing activities.
- Duration of consent: The guidance suggests that consent is likely to “degrade” over time, but the speed of degradation depends on context. The ICO recommends generally that organizations seek renewed consent every other year, unless a longer period is justified. The ICO does not provide any examples of cases where a longer period would be justified. This guidance may require controllers to specify the intended duration of a consent in the consent wording.
- Recordkeeping: The recordkeeping requirement for consent is onerous. The ICO recommends that controllers should keep a copy of the notice (dated) to which the individual consented, as well as the record of the consent action or acknowledgement. The ICO further suggests cryptographically hashing these records to support their integrity.
- Withdrawal of consent: The ICO encourages controllers to publicize individuals’ right to withdraw consent through website privacy preference dashboards and through opt-out mechanisms in all communications with the individuals.
- Checklist: Finally, the ICO includes a short checklist to help controllers confirm that their consent wording and mechanisms comply with the GDPR.
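The recordkeeping and withdrawal points above lend themselves to a small worked example. The following Python sketch is an added illustration, not code from the ICO guidance or any product: it stores, for each consent action, the SHA-256 hash of the dated notice the individual saw, the granular list of purposes, and the hash of the preceding record, so that later alteration of either the notice archive or an earlier record can be detected. The record layout, field names, the constructed sample notice and the subject identifier are all assumptions made for the example.

```python
import copy
import hashlib
import json

GENESIS_HASH = "0" * 64  # prev_hash of the first record in a log


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, used for the notice text and for chaining records."""
    return hashlib.sha256(data).hexdigest()


def canonical_bytes(obj: dict) -> bytes:
    """Deterministic JSON encoding so equal records always hash identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_consent_record(log, subject_id, notice_version, notice_text, purposes, action, timestamp):
    """Append a grant/withdraw record. Each record hashes the dated notice it refers
    to and the previous record, so later edits to either become detectable."""
    assert action in ("grant", "withdraw")
    body = {
        "subject_id": subject_id,
        "notice_version": notice_version,
        "notice_hash": sha256_hex(notice_text.encode("utf-8")),
        "purposes": sorted(purposes),  # granular: one entry per processing operation
        "action": action,
        "timestamp": timestamp,        # ISO 8601 UTC string supplied by the caller
        "prev_hash": log[-1]["record_hash"] if log else GENESIS_HASH,
    }
    record = dict(body, record_hash=sha256_hex(canonical_bytes(body)))
    log.append(record)
    return record


def verify_consent_log(log, notice_archive):
    """Return a list of integrity problems (empty means the log checks out).
    notice_archive maps notice_version -> archived notice text."""
    problems = []
    expected_prev = GENESIS_HASH
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if sha256_hex(canonical_bytes(body)) != rec["record_hash"]:
            problems.append(f"record {i}: content does not match its record_hash")
        if rec["prev_hash"] != expected_prev:
            problems.append(f"record {i}: chain broken, prev_hash mismatch")
        archived = notice_archive.get(rec["notice_version"])
        if archived is None:
            problems.append(f"record {i}: notice {rec['notice_version']} missing from archive")
        elif sha256_hex(archived.encode("utf-8")) != rec["notice_hash"]:
            problems.append(f"record {i}: archived notice {rec['notice_version']} differs from the text consented to")
        expected_prev = rec["record_hash"]
    return problems


def current_consents(log, subject_id):
    """Replay grants and withdrawals to get the purposes a subject currently consents to."""
    active = set()
    for rec in log:
        if rec["subject_id"] != subject_id:
            continue
        if rec["action"] == "grant":
            active.update(rec["purposes"])
        else:
            active.difference_update(rec["purposes"])
    return sorted(active)


def tampered_copy(log, index, field, value):
    """Deep copy of the log with one field altered (used to show detection)."""
    altered = copy.deepcopy(log)
    altered[index][field] = value
    return altered


# Constructed sample data for the example (not from the ICO guidance).
NOTICE_V1 = "Privacy notice v1 (2017-03-02): we will use your email for marketing and analytics."
NOTICES = {"v1": NOTICE_V1}


def build_sample_log():
    """One grant for two purposes, then a withdrawal of one of them."""
    log = []
    append_consent_record(log, "user-42", "v1", NOTICE_V1, ["marketing", "analytics"], "grant", "2017-03-10T09:15:00Z")
    append_consent_record(log, "user-42", "v1", NOTICE_V1, ["marketing"], "withdraw", "2017-06-01T17:40:00Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("clean log problems:", verify_consent_log(log, NOTICES))
    print("active consents:", current_consents(log, "user-42"))
    print("after tampering:", verify_consent_log(tampered_copy(log, 1, "purposes", []), NOTICES))
```

Two design points follow from the guidance. Hashing the notice text (rather than only noting its version) ties each consent to the exact wording the individual saw, which is what a controller must be able to demonstrate. Replaying grants and withdrawals as separate records, rather than overwriting a single flag, preserves both the original consent and the later withdrawal as evidence. A hash chain only detects alteration; anyone who can rewrite the whole log can recompute every hash, so a production system would additionally anchor the latest record hash somewhere the log's writers cannot change.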
The GDPR will require organizations to reevaluate their approach to obtaining consent and using consent as a basis for data processing. For example, organizations may need to unbundle any broad catch-all consents. In some cases, organizations will seek to reevaluate their data collection practices to minimize the types of data they collect and the purposes of processing to avoid the need to rely on consent. Organizations may also employ anonymization to de-identify data before further processing (e.g., for secondary purposes) to avoid the need for consent. Finally, where organizations do not have a touch point with individuals, they may seek to update their agreements with third parties to require them to obtain consent and to seek appropriate indemnification.