The General Data Protection Regulation (GDPR) is due to come into force in just over a year’s time. The Information Commissioner’s Office (ICO) has recently issued its much-anticipated draft guidance on consent under the GDPR for public consultation, which states, “The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how you use their data. When consent is used properly, it helps you build trust and enhance your reputation.”
The ICO has made it clear that it cannot give a definitive view on how consent will be handled in the context of direct marketing, because this will be addressed under the upcoming e-Privacy Regulation. It is, however, quite easy to see in which direction the ICO is heading. We expect to see an update on this shortly.
Of course, the concept of consent is not a new one in the world of data protection, but the bar for what constitutes consent is set far higher, and made much clearer, in the GDPR. For example:
- Organisations cannot bury consents within terms and conditions and privacy policies. The consent request must be identified clearly up front. A consent cannot be a condition of a contract unless it is necessary for the service.
- Organisations will need users to take an affirmative step to demonstrate their consent. Opt-outs, or having to untick a pre-ticked opt-in box, are clearly not acceptable. In addition, options should be presented with equal prominence, rather than seeking to exploit individuals’ natural tendency to choose the most prominent option.
- Consent for different forms of processing and different purposes must be separated out. This requirement conflicts with perhaps a more overriding requirement to keep privacy notices intelligible and easily accessible. The ICO accepts this, and suggests that the solution is to look for an alternative legal basis for your processing (such as performance of a contract, legitimate interest or, a public purpose), or accept that you may not be able to ask for all consents in one go.
- If any third parties rely on consent, they must be named. Common, although by no means advisable, practice is to rely on a vague reference to third parties to which a data controller may pass data. That is categorically not going to work under GDPR if you expect to rely on historic consents. This will have a huge impact on businesses that make their money by passing personal data to as yet unknown (or rapidly changing) third-party marketing companies. It also makes us wonder what will happen to companies when they sell a business that relies on a database that is processed on the basis of consent. Can that purchaser rely on a legal basis other than consent (such as performance of a contract or legitimate interest)? If not, what happens to the value of the personal data within that database as an asset? Due diligence will be key here.
- Consent must be as easy to withdraw as to give. What this means in practice remains to be seen, but if an individual gave consent by clicking a button, a mirror image route will be the best way to satisfy that. A withdrawal route that enables the data controller to process those withdrawals at a later date won’t suffice. Equally, however, if consent was given by written letter, a written letter route will need to be created – not all individuals have access to email and the Internet.
- Consent will not be freely given if there is an imbalance in the relationship between the individual and the data controller. Public authorities and employers may find it difficult to rely on consent, and should review their processing to determine whether there is an alternative legal basis.
- Consent should be seen as an ongoing matter. For example, businesses will need to assess how long a consent is valid. If consent clearly only related to a one-off interaction, is it reasonable to continue processing? In the absence of any other reasonable basis for determining the right period, the ICO has recommended that consents should be refreshed every two years. Your business may need to consider its strategy for conducting these refresh exercises efficiently, not too obtrusively from the individual’s perspective and in a way that minimises impact on the business.
Organisations should review their databases to determine whether the consent provided under the current Data Protection Act (DPA) regime is sufficient under the GDPR. If it is, there is no need to obtain fresh consent. We would be surprised if many databases meet the requirements of the GDPR consent regime. The ICO has provided a useful checklist within its guidance, which should enable you to run a high-level check of your current consents.
As part of any checks, you are encouraged to check for an alternative legal basis to consent that could be more appropriate. Often, businesses plump for consent where an alternative legal approach would have been more appropriate – and that can be what trips you up and causes mistrust from consumers.
For detailed analysis of consent under the DPA and under the GDPR, see our blogs, Obtaining valid consent under the Data Protection Act 1998 and Obtaining valid consent under the GDPR.
If you have any questions about the implications of the GDPR, or the use of consent-based processing, please don’t hesitate to contact Pritchetts for advice and support.