GDPR – Do I Need Consent to Process Personal Data?

If you are handling personal data of EU or UK citizens, you will need some justification, or legal basis, in order to do so.  Under the GDPR, consent is a possible option; however, valid consent can be difficult to obtain.

What is meant by consent?

Under the GDPR, for consent to be valid, it must be freely-given, specific, informed and revocable.  Individuals (i.e. visitors to/users of your website, customers or potential customers and your employees) must have real choice and control over their personal data and how it is used.

Side note: the GDPR may require explicit consent if you are handling any special categories of data or if your processing involves any cross-border transfers of the data based on consent.  See https://www.cooley.com/services/practice/cyber-data-privacy/gdpr for further information.

How do I get consent?

The following is a checklist of what needs to be included to ensure your consent mechanism meets the new requirements:

• Tick boxes: consent requires a positive opt-in action so no pre-ticked boxes allowed; you must use unticked opt-in boxes or similar which require some positive action by the user
• No precondition of service: consent cannot be a precondition of signing up to receive a service and it can’t be bundled together with consent for other terms and conditions
• Specific: the consent must specifically relate to what you are using the data for. Strictly speaking, this means getting separate consents for each type of processing
• Informative: individuals need to know who the “controller” of their personal data is, what’s going to happen to their data and their rights in respect of it. They must also be told that they have the right to (easily) withdraw consent at any time

Once I have consent can I do anything I like with the personal data?

You can only process data for the purposes you have identified to the user – and to which he/she has consented.  So, if you have identified all the purposes for which you are processing the data, then yes: you just need to ensure that all uses are listed and consent has been obtained for each of the different types of processing.

Warning: individuals must be able to withdraw consent at any time.  What this means in practice is that not only do you need to tell individuals that they have this right and how to do it (simply providing an email address/contact details is fine) but you also need to be able to act on it and implement any such requests.

What about employees?

Consent can only be relied upon in exceptional circumstances to process personal data in the context of employment due to the imbalance of power in the employer/employee relationship. Please see GDPR – A Guide for Employers for further information.

What about children?

The GDPR includes additional rules and protections for children: a child under the age of 16 is assumed as not being able to give consent him/herself.  So, if you are offering online services to a child, consent will be required from the person holding “parental responsibility”.  Each EU country and the UK can set its own age under 16 as long as it is not below 13. You will therefore need to check the rules in your key markets – plus any additional rules and codes of conduct which may be relevant to you in this context (e.g. advertising).

Conclusion

While consent may be the obvious or, perhaps, the seemingly easiest option to justify your processing of EU and UK personal data, the additional requirements that need to be satisfied under the GDPR may mean it is not the best one for you or your business. Remember that consent is only one of the lawful grounds for processing personal data, there are alternatives so if valid consent is looking difficult to obtain in your business model, you might want to consider other options.