The European Union’s General Data Protection Regulation (the “GDPR”) goes into effect in a little over fourteen months and from a quick glance at our bullet points analysis you can see there is a lot to consider. One crucial aspect you need to be thinking about now is how your organization collects and manages consents from individuals for processing their personal information. Without a strong understanding of what valid consent means under the GDPR, before long you may find yourself holding valuable data that you are not able to process as you need to for your business.
To this end, the Information Commissioner’s Office (the “ICO”), the data protection authority for the UK, last week published a consultation draft of its GDPR consent guidance. This is a practical resource meant to help organizations get to grips with the GDPR’s consent requirements and align their internal procedures and processing activities, as well as their customer-facing websites, marketing materials, and product infrastructure. Although the UK ICO cannot speak for the other EU data protection authorities, they have a good track record of producing practical guidance set out in accessible language, which makes the ICO website a good first stop for US companies seeking to understand their obligations in the EU. We encourage you to review this helpful resource and provide feedback to the ICO using their comment form by March 31. We also offer this high-level snapshot of a few key points:
The importance of consent.
There are only a limited number of lawful bases under the GDPR upon which organizations may process data collected from individuals, and each is important. In addition to consent, the other bases for processing ordinary (non-sensitive) personal data allow processing when it is necessary for (i) performing a contract with the data subject (or performing pre-contractual steps), (ii) complying with a legal obligation, (iii) protecting the vital interests of the data subject or someone else, (iv) performing a public task, or (v) genuine and legitimate interests (including commercial benefit) of a private-sector organization, provided those interests are not outweighed by the data subject’s rights and interests.
Consent can be a powerful basis for processing since it puts individuals in control and builds customer trust and your organization’s reputation. It also can legitimize certain highly scrutinized forms of processing, such as profiling, overseas transfers by private-sector organizations in the absence of adequate safeguards, and the use of special category data under certain circumstances. On the other hand, using consent as the basis for processing gives individuals some rights that they would not have when processing is done on other bases, as highlighted in the draft Guidance. It is also vital to recognize that consent is always revocable – so if you would need to process the personal data even if the data subject revoked her consent, you should not be using consent as the basis for the processing.
Of course, should you decide to rely on consent, failing to meet the GDPR’s stringent requirements for valid consent can also have huge downsides. For example, obtaining misleading or defective consent can destroy trust, undermine your reputation, and under GDPR could potentially implicate fines as high as €20 million or 4% of your group’s total world annual turnover, whichever is greater.
Doing consent right, now and later.
The GDPR’s definition of consent retains key elements from the old definition under the Data Protection Directive – namely that it must be freely given, specific, informed, and accompanied by an indication signifying agreement – and then builds on these tenets by adding that the indication must be unambiguous and involve a clear affirmative action. The ICO’s guidance helps to flesh out the new and older elements that will be retained:
- Individuals must have clear granular choices that permit them to provide (or withhold) consent for distinct processing activities. The consent must clearly describe the purposes of the processing and the types of processing activities.
- Consent must utilize active opt-in features with equally conspicuous and prominent binary choices (e.g., active opt-in boxes or user-directed profile settings). Individuals need to take a positive action to opt in. Never rely on silence, inactivity, default settings, pre-ticked boxes or your general T&Cs.
- Consent requests must be unbundled from other terms and conditions and should never be a precondition of signing up for or enjoying the benefits of your services or products. The consent request should be concise and as easy to read and understand as possible. (If you really need to use the personal data to perform the service or provide the product, then consent is not the right basis – you should rely on necessity of the processing to perform a contract, or possibly legitimate interests, instead.)
- All organizations (including you) relying on the consent must be specifically named, so avoid using categories when describing your third-party service providers. (This is likely to be a challenge for many companies that need to retain flexibility to change their service providers, and it would be good to see the ICO’s Guidance address this explicitly.)
- Records of consent must be maintained and should be descriptive, including details around the type and nature of consent, what individuals were told, and when and how they consented.
- Data subjects must be informed they have the right to withdraw consent and doing so should be quick and easy. You need to start building out simple mechanisms for your websites, platforms and applications to automate and simplify withdrawal mechanisms.
- The time horizon for consent is undefined and depends on context. The scope and nature of consents previously obtained (and your consent practices generally) should be reviewed and refreshed as needed and appropriate.
- There can be no substantial imbalance of power between the organization requesting consent and the data subject and therefore it will be difficult for public authorities and employers to rely on consent under the GDPR.
It is important to note that organizations do not have to seek fresh consents for data they have already collected provided the consent obtained meets GDPR standards given the nature of the data and the processing to occur. It is therefore important to check your processes and records carefully to be sure existing consents satisfy GDPR, and to ensure that your consent practices are GDPR-compliant in advance of next year to avoid having to “repaper” consents that continue to roll in. Check out the useful checklist on the last two pages of the draft guidance.
Other practical guidance for writing a consent request.
The ICO’s guidance aims to be business- and action-oriented, and it includes miscellaneous tips for writing your consent request. For example:
- Use clear, specific, and straightforward language – avoid legal jargon!
- Anticipate your audience and consider using age-verification and parental authorization features if you expect children might be asked to provide you with consent.
- Pay attention to all places across your websites, platforms, and products where consent is requested and make sure your language and methods are consistent.
The ICO’s guidance will be a valuable resource for years to come as the ICO intends to revise the resource regularly in response to feedback from industry stakeholders, to take account of future guidelines issued by European authorities, and to reflect experience with the GDPR once it goes into effect in May 2018. Help with this effort by sending your comments to the ICO using this form by the end of this open comment period on March 31. The ICO has indicated it plans to publish its revised guidance in May 2017.