Consent under the GDPR looks like a really complex and complicated issue. Let’s see what we can already clearly explain.
To achieve all the stated requirements, you need to structure the consent granularly and give data subjects some options. Consent must be “specific”. Blanket consent without stating the exact purpose is not valid, but the GDPR does not explain this term further. Luckily, here we can lean on the clarification by the WP29 (Opinion 15/2011) stating that in order to be specific, consent must be intelligible. Consent cannot apply to an open-ended set of processing activities; the scope and consequences of the processing must be clearly and precisely explained by the controller in advance.
There are two more terms which need attention: “unambiguous” consent and “explicit” consent. There was a passionate debate between the Commission, Council and Parliament just to reach the following compromise: “The way in which consent is to be given by data subjects remains ‘unambiguous’ for all processing of personal data, with the clarification that this requires a ‘clear affirmative action’, and that consent has to be ‘explicit’ for sensitive data.” Both rely on an affirmative action, whether explicitly given or inferred through conduct, and on a subsequent right of withdrawal.
When processing sensitive personal data, you need “explicit” consent, which requires at least an opt-in tick box or a clear declaratory statement. On the other hand, processing other personal data needs an unambiguous consent model, where a prominent notice together with an affirmative action may be sufficient, without the need for an opt-in box.
Example: Consider a patient who tells the doctor a lot about the illness and ailments he suffers from, and the doctor takes notes. It is doubtful whether the consent is explicit, as there was no tick, signature or anything else indicating the patient’s agreement to the processing of personal data for those purposes. And still it was given through an affirmative act, by means of a statement or conduct which, in this context, clearly indicates the data subject’s acceptance.
The GDPR specifically validates essentially any commonly used method of collecting consent: for example, consent provided verbally, in writing, by ticking a box on a web page, by choosing technical settings in an app, or by any other statement or conduct which clearly indicates acceptance of the proposed processing of data. Implied consent will surely not be appropriate in all circumstances, for all audiences or for all data. Sometimes the context in which the data is collected will call for opt-in style consent.
The GDPR explicitly excludes silence, inactivity and pre-ticked boxes from being valid consent. Organisations should ensure that they do not rely on silence or inactivity as consent, given their obligation to demonstrate that they have obtained valid consent.
Although the GDPR is the first time the right to withdraw is expressly stated, it is by its nature one of the substantial features of consent. The GDPR requires the withdrawal of consent to be as easy as giving it. The withdrawal of consent does not affect the lawfulness of processing based on consent that was carried out before the withdrawal. And don’t forget that the data subject must be informed of this right.
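As an added illustration (not code from the original post, nor from midPoint), the rules above can be encoded as a small consent record model with a validity check: one purpose per record, no silence or pre-ticked boxes, explicit methods only for sensitive data, the subject informed of withdrawal, and withdrawal that is a single call and is not retroactive. The blanket-purpose word list is a crude heuristic assumed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Optional

class Method(Enum):
    TICKBOX = "opt-in tick box"                        # explicit
    WRITTEN_STATEMENT = "clear declaratory statement"  # explicit
    VERBAL = "verbal statement"                        # unambiguous affirmative act
    APP_SETTING = "technical setting chosen in app"    # unambiguous affirmative act
    PRE_TICKED = "pre-ticked box"                      # never valid under the GDPR
    SILENCE = "silence or inactivity"                  # never valid under the GDPR

EXPLICIT = {Method.TICKBOX, Method.WRITTEN_STATEMENT}
NEVER_VALID = {Method.PRE_TICKED, Method.SILENCE}
BLANKET_PURPOSES = {"", "any", "all", "various purposes"}  # assumed heuristic

@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                 # one specific purpose per record (granular consent)
    method: Method
    sensitive: bool              # special-category data needs explicit consent
    informed_of_withdrawal: bool
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

def consent_defects(rec: ConsentRecord) -> list[str]:
    """Reasons this record would not count as valid consent (empty list if valid)."""
    defects = []
    if rec.purpose.strip().lower() in BLANKET_PURPOSES:
        defects.append("purpose is blanket or missing: consent must be specific")
    if rec.method in NEVER_VALID:
        defects.append(f"{rec.method.value} is not a clear affirmative action")
    elif rec.sensitive and rec.method not in EXPLICIT:
        defects.append("sensitive data requires explicit consent (tick box or statement)")
    if not rec.informed_of_withdrawal:
        defects.append("data subject was not informed of the right to withdraw")
    return defects

def processing_lawful(rec: ConsentRecord, at: datetime) -> bool:
    """Lawful only while valid consent is in force; withdrawal is not retroactive."""
    if consent_defects(rec) or at < rec.granted_at:
        return False
    return rec.withdrawn_at is None or at < rec.withdrawn_at

def withdraw(rec: ConsentRecord, when: datetime) -> ConsentRecord:
    """Withdrawal is one call with no extra hurdles: as easy as giving consent."""
    rec.withdrawn_at = when
    return rec
```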
Finally, if you have already collected consent, it is not necessary to collect it a second time because of the GDPR, provided that the initial consent was GDPR-compliant. However, we do not assume that many organizations informed data subjects of the right to withdraw while collecting consent, for example.
What we already know for sure is that consent management will require a new approach along with new technological solutions. Check out how consent management with midPoint will look.