If you are handling personal data of EU citizens, you will need some justification in order to do so. Under the new rules, the basic concept of consent has not changed, nor has its role as a lawful basis for processing personal data: consent remains a possible option. However, the GDPR adds new language – and requirements – to the existing definition of consent, making valid consent more difficult to obtain.
What is meant by consent?
Under GDPR, for consent to be valid, it must be freely-given, specific, informed and revocable. The new rules emphasize the need for individuals (i.e. your audience, users of your website and customers or potential customers) to have real choice and control over their personal data and how it is used.
Side note: the GDPR expressly requires explicit consent if you are handling any special categories of data (“sensitive personal data” in the existing laws) or if your processing involves any cross-border transfers of the data. See https://www.cooley.com/services/practice/privacy-and-data-protection/gdpr for further information.
How do I get consent?
The following is a checklist of what needs to be included to ensure your consent mechanism meets the new requirements:
- Tick boxes: consent requires a positive opt-in action so no pre-ticked boxes allowed; you must use unticked opt-in boxes or similar which require some positive action by the user
- No precondition of service: consent cannot be a precondition of signing up to receive a service (unless it is absolutely necessary for that service) and it can’t be bundled together with consent for other terms and conditions
- Specific: the consent must specifically relate to what you are using the data for. Strictly speaking, this means getting separate consents for each type of processing
- Informative: individuals need to know who the “controller” of their personal data is – and also that they have a right to (easily) withdraw consent at any time
Once I have consent can I do anything I like with the personal data?
You can only process data for the purposes you have identified to the user – and to which he/she has consented. So, if you have identified all the purposes for which you are processing the data, then yes: you just need to ensure that all uses are listed and consent has been obtained for each of the different types of processing.
Warning: individuals have increased rights under the new rules and must be able to withdraw consent at any time. What this means in practice is that not only do you need to tell individuals that they have this right and how to do it (simply providing an email address/contact details is fine) but you also need to be able to act on it and implement any such requests.
What about employees?
Consent is often used as a lawful means for processing personal data in the context of employment: employers will often include terms in the employment contract to obtain consent. However, the GDPR casts doubt on whether employee consent can ever be valid in this context, due to the imbalance of power in the employer/employee relationship. Please see GDPR – A Guide for Employers for further information.
What about children?
The GDPR includes additional rules and ultimately protection for children: a child under the age of 16 is assumed as not being able to give consent him/herself. So, if you are offering online services to a child, consent will be required from the person holding “parental responsibility”. Each EU country can set its own age under 16 as long as it is not below 13 (worth noting the original draft stated 13 as the defined age for all, which would have helpfully put the EU in line with the age set under COPPA in the US but some countries objected hence the 13-16 range now permitted). You will therefore need to check the rules in your key markets – plus any additional rules and codes of conduct which may be relevant to you in this context (e.g. advertising).
While consent may be the obvious or, perhaps, the easiest option to justify your processing of EU personal data, the additional requirements that need to be satisfied under the GDPR may mean it is no longer the best one for you/your business. Remember though, consent is only one of the lawful grounds for processing personal data, there are alternatives, so if valid consent is looking difficult to obtain in your business model, you might want to consider other options.