One of the most striking changes to EU privacy law under the EU’s General Data Protection Regulation (which goes into effect May 25, 2018) is the very strict approach to user consent. For many years, companies operating in the EU (as elsewhere) have relied heavily on user consent to achieve compliance with the relevant data protection and direct marketing laws. When the GDPR was first published, it became clear that the EU intended to crack down on the use of consent in many common situations where the EU felt that individuals were not being treated fairly.
Draft guidance published on Dec. 18 by a key advisory body representing the EU's national data protection authorities , the Article 29 Working Party (WP29), has confirmed that regulators will approach consent strictly. The guidance is worth reading in full. Some highlights:
- Consent cannot be bundled. Instead, consents must be granular. You will need a separate consent for each purpose for which data will be processed. WP29 notes that this could easily lead to “click fatigue” (implicitly casting doubt on the validity of the consent) when individuals are routinely presented with a long set of check boxes, but WP29 says that this is a problem for data controllers to solve.
- Consent to “unnecessary” uses of personal data cannot be used as a quid pro quo for access to a service. This confirms our previous suggestion that the GDPR invalidates the prevalent business model of providing free services (such as a free app) in exchange for access to personal data that is used for behavioral advertising or other marketing purposes.
- The “explicit” consent needed for processing sensitive personal data requires something even stronger than the already-stringent standard for “normal” consent under the GDPR. The guidance suggests several mechanisms that primarily involve an extra confirmation step by the user, such as clicking on an opt-in box and then responding affirmatively to a text or e-mail to confirm the consent. It’s not clear that users will welcome the extra steps and delay, but WP29 maintains that there needs to be something “more” to reach the level of “explicit” consent.
- Data controllers must identify their legal bases for processing in advance and cannot “swap” bases if the initial basis for processing proves defective. In other words, controllers cannot have a “backup” basis for a given processing operation, even when a given processing activities could be done on one of a number of bases, such as necessity for contract performance, legitimate interest, or consent.
The draft guidance is open for public comment until January 23, 2018.