The basic concept of consent, and its main role as one potential lawful basis (or condition) for processing, is not new. The definition and role of consent remains similar to that under the Data Protection Act 1998 (the 1998 Act). However, the GDPR builds on the 1998 Act standard of consent in several areas. It contains much more detail and codifies existing European guidance and good practice.
The GDPR sets a high standard for consent, but the biggest change is what this means in practice for consent mechanisms. You need clear and more granular opt-in methods, good records of consent, and simple easy-to-access ways for people to withdraw consent.
The changes reflect a more dynamic idea of consent: consent as an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away.
What’s different about the standard of consent?
The definition of consent in Article 4(11) of the GDPR is similar to the old Data Protection Directive definition, but adds some detail on how consent must be given:
DP Directive definition:
“any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
GDPR definition (Article 4(11)):
“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
So the key elements of the consent definition remain – it must be freely given, specific, informed, and there must be an indication signifying agreement. However, the GDPR is clearer that the indication must be unambiguous and involve a clear affirmative action.
However, this definition is only the starting point for the GDPR standard of consent. Several new provisions on consent contain more detailed requirements. In particular, Article 7 sets out various conditions for consent, with specific provisions on keeping records of consent, clarity and prominence of consent requests, the right to withdraw consent, and avoiding making consent a condition of a contract. Recitals 32, 42 and 43 also give more specific guidance on the various elements of the definition.
In essence, there is a greater emphasis in the GDPR on individuals having clear distinct (‘granular’) choices upfront and ongoing control over their consent.
Explicit consent can also legitimise processing that is otherwise restricted: it is one of the conditions for processing special category data, for making restricted transfers outside the EEA, and for solely automated decision-making, including profiling, that produces legal or similarly significant effects on the individual.
If you rely on consent, this will also affect individuals’ rights. People will generally have stronger rights when processing is based on consent – for example, the right to erasure (also known as ‘the right to be forgotten’) and the right to data portability.
The GDPR also brings in new accountability and transparency requirements. In particular, you must now inform people upfront about your lawful basis for processing their personal data. You need to tell people clearly what you do with their consent, and whether you do anything else on a different lawful basis. If you know you will need to retain the data after consent is withdrawn for a particular purpose under another lawful basis, you need to tell them this from the start.
You need to review your consent mechanisms to make sure they meet the GDPR requirements on being specific, granular, clear, prominent, opt-in, documented and easily withdrawn. The key new points are as follows:
Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
Active opt-in: pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (eg a binary choice given equal prominence).
Granular: give distinct options to consent separately to different types of processing wherever appropriate.
Named: name your organisation and any other third party controllers who will be relying on the consent. If you are relying on consent obtained by someone else, ensure that you were specifically named in the consent request – categories of third-party organisations will not be enough to give valid consent under the GDPR.
Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you need to have simple and effective withdrawal mechanisms in place.
No imbalance in the relationship: consent is unlikely to be freely given where there is a clear imbalance of power between the individual and the controller – this makes consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis where possible.
You are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR. But it’s important to check your processes and records in detail to be sure existing consents meet the GDPR standard.
Recital 171 of the GDPR makes clear you can continue to rely on any existing consent that was given in line with the GDPR requirements, and there’s no need to seek fresh consent. However, you need to be confident that your 1998 Act consent requests already met the GDPR standard and that consents are properly documented. You will also need to put in place compliant mechanisms for individuals to withdraw their consent easily, and tell people they have the right to withdraw consent (if you haven’t already done so).
On the other hand, if existing 1998 Act consents don’t meet the GDPR’s high standards or are poorly documented, you need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing, or stop the processing. If you decide to rely on a different lawful basis, you need to ensure that your continued processing is still fair and transparent. This means you need to take all reasonable steps to tell individuals that you are relying on a new lawful basis and explain what that basis is. You should also minimise their loss of control over the data by giving them the chance to opt out if possible.
Our consent checklist sets out the steps you should take to seek valid consent under the GDPR. This checklist can also help you review existing consents and decide whether they meet the GDPR standard, and to seek fresh consent if necessary.