
What the GDPR does – and doesn’t – say about consent

Meme courtesy of Jenny Lynn (@JennyL_RM)
You may have noticed that the General Data Protection Regulation is rather in the news lately, and quite right too, considering there is only a year left to prepare for the most stringent and wide-reaching privacy law the EU has yet seen. Unfortunately, however, in the rush to jump onto the latest marketing bandwagon, a lot of misleading and inaccurate information posing as “advice” in order to promote products and services is flourishing, and it appears to be drowning out more measured and expert commentary. Having seen a worrying number of articles, advertisements, blog posts and comments all giving the same wrong message about GDPR’s “consent” requirements, I was compelled to provide a layperson’s explanation of what GDPR really says on the subject.

So, let me start by saying GDPR DOES NOT MAKE CONSENT A MANDATORY REQUIREMENT FOR ALL PROCESSING OF PERSONAL DATA.

and again, so we’re completely clear – GDPR DOES NOT MAKE CONSENT A MANDATORY REQUIREMENT FOR ALL PROCESSING OF PERSONAL DATA!!!

So what does GDPR say about consent? It says that to be allowed to process personal data (i.e. do anything at all involving a computer or organised manual files), you must have at least one “legal basis” for doing so. Let’s call the list of legal bases “Good Reasons” for now, to keep the language friendly.

The Good Reasons are:

  • when you have consent to process personal data
  • when there is a contract between you and the individual (“data subject”) or between the individual and someone else which requires you to process their personal data in order to fulfil its terms. This also applies to any processing that is needed in order to prepare or negotiate entering into a contract. Example: buying a house
  • When there’s a law or legal obligation (not including a contract) that you can only comply with by processing personal data – example, accident reports for health & safety records
  • when someone’s vital interests are at stake unless personal data is processed (usually only applicable to life-or-death situations – e.g. the emergency services having a list of employee names to identify survivors after a building collapse)
  • In the public interest or when acting under official public authority – such as political parties being allowed to have a copy of the electoral register (providing they don’t take the mickey in their uses of it).
  • When personal data needs to be processed for an activity which is in the “legitimate interests” of the organisation (“Data Controller”) or the individual.

Now, just because consent is listed first does not mean that it is the most preferable Good Reason, the most important or the default option. It is none of those things – in fact, when considering which Good Reason applies to processing, the other options should be tested first. If you picked consent because it was top of the list and consent was later withdrawn, but you realised there was a legal obligation to continue to process the data, you would be in a pickle – either you’d be in breach of privacy law (continuing to process when consent has been withdrawn) or in breach of the other legal obligation.

    Please note that opting for “legitimate interests” as the Good Reason is not a way of dodging around the prospect that consent may be withdrawn or refused, as there is an absolute right for the individual to object to the processing of their personal data when “legitimate interests” is the Good Reason for processing. All legitimate interests does is save you the effort of having to obtain and demonstrate specific, informed and freely-given consent before you can have or start using the data.

    When it comes to special categories of personal data (formerly known as “sensitive personal data”), there is another set of legal bases (we’ll call these Damn Good Reasons), one of which must also be met for the processing to be allowed. In fact, GDPR says that unless one of these Damn Good Reasons is applicable, then you’re not allowed to process special categories of personal data at all.

    The Damn Good Reasons are:

  • When you have explicit consent, OR

  • When employment law, social protection law or social security law says you have to do something that requires the processing of special categories of personal data
  • When the processing is required in someone’s vital interests but the individual is incapable of giving consent
  • When the processing is necessary and carried out by a trade union, philosophical or religious non-profit organisation to administer their membership operations
  • When the individual has already and deliberately made the data public
  • When the processing is necessary to defend legal rights, legal claims or for the justice system to function
  • When the processing is necessary in the public interest (just like in the Good Reasons list)
  • When the processing is necessary in order to provide health care, treatment and management of health care services
  • When public health may be at risk if the processing isn’t carried out
  • When the processing is necessary for archiving, historical or scientific research, or statistical analysis

    Again, although consent tops the list it does not mean that it should be the first choice of Damn Good Reason. As with the other list, it is wise to consider first whether there are other Damn Good Reasons that apply and only choose consent where there are no alternatives.

    There is some confusion at the moment about the difference between “consent” (Good Reasons) and “explicit consent” (Damn Good Reasons), especially as GDPR says that for any consent to be valid, it must be “unambiguous”. I’m going to leave the dissection of that to greater minds than mine (see refs). However, I will say that when in doubt, go for whichever approach gives you the most solid evidence.

    So that’s what GDPR says about whether and when you need consent.

    HOWEVER – another law (the Privacy & Electronic Communications Regulations, aka “PECR”) says that you must have explicit prior consent before sending any unsolicited direct marketing by email. This is not the same as the Good Reason/Damn Good Reason “[explicit] consent for processing” but the separate requirements are often confused. It may be in your organisation’s legitimate interests to collect, store and analyse contact info but if you are emailing unsolicited direct marketing messages you will also need to have obtained consent for email marketing from the recipient.

    A few words on mechanisms vs outcomes (if you’re still reading, congratulate yourself on your fortitude!)

    ‘Consent’ is an outcome – you and the individual have achieved a defined, mutually-understood relationship in which you as a Data Controller can process their personal data for a particular purpose and in a particular way. This outcome needs to be an ongoing state of affairs. If the individual later decides to change the relationship and no longer allow you to process their data, then you no longer have consent (and must stop any current or future processing).

    Tickboxes, signatures and “click here” buttons are mechanisms for obtaining consent. However, if the agreement you have obtained using this mechanism is not specific, informed and freely-given then you do not have valid consent under data protection law.

    Transaction logs, screen prints, signed documents and call recordings are evidence for the process of obtaining consent. These are only as good as the outcome that the process supports. If the individual has been misled, or they dispute that the processing you are doing is what they actually agreed to, or the processing purpose + Good/Damn Good Reason was not made clear to them, or they have simply changed their mind then you do not have valid consent even if you have evidence that consent was asked/supplied at one point in time. Consent is not a fire-and-forget activity, and consent obtained once is not set in stone forever.

    So in order to be able to get and keep valid consent, you need to have good processes for obtaining, maintaining and verifying the outcome, i.e. the relationship between you and the individual. This means careful attention to training, customer service and the content of privacy notices.

    So, in summary (well done for getting this far!)

    GDPR does not say “all processing requires consent” – and anyone who says that it does clearly does not know what they are talking about. Ignore them.
    GDPR says that sometimes you will need to get consent and, when that is the case, it sets out the standards that you must meet.
    Consent for unsolicited electronic marketing as required by PECR is not the same thing as consent for processing of data described in GDPR.

    I hope that clears it all up.

    More about consent under GDPR if that is the Good Reason/Damn Good Reason you need to use:

    https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/23–guide-to-the-gdpr–consent.pdf?la=en
    https://www.taylorwessing.com/globaldatahub/article-understanding-consent-under-the-gdpr.html
    http://privacylawblog.fieldfisher.com/2016/the-ambiguity-of-unambiguous-consent-under-the-gdpr/
    https://www.whitecase.com/publications/article/chapter-8-consent-unlocking-eu-general-data-protection-regulation

    25 Comments

    1. Miss Info Geek 2017-05-31

      It’s been pointed out to me that I haven’t mentioned the “soft opt-in” that PECR allows. I’d deliberately left it out in order to keep the post brief, but in case anyone is interested, PECR currently allows email marketing to be sent when the recipient’s contact details have been obtained during the sale (or negotiations for a sale) of goods or services. It’s polite good practice to offer an immediate opt out in case people just don’t want any marketing at all, but in any case, every subsequent marketing message must also have a free mechanism to unsubscribe from future email marketing. We don’t know yet whether the final version of PECR 2.0 (the ePrivacy whatsit) will keep the soft opt-in.

    2. Valerie O'Neill 2017-06-01

      Good piece, but just a few points:
      You did not mention that the legitimate interest basis cannot be claimed if it overrides the interests or fundamental rights of the data subject. The GDPR A.21 also makes clear that an individual’s objection to processing can be delivered by “automated means”.
      Also, the PECR is very clear (in A5.3 & R.66) that consent must be obtained before terminal (e.g. browser) storage is used.
      The requirement for consent is very clearly described in the GDPR, while the public and legitimate interest bases are not. It will be a lot less risky to base processing on properly established (and managed, as you say) consent than those last 2 bases.
      The PECR does not mention a “soft opt in”. The “implied consent” interpretation was from guidance given in 2012 by the ICO, derived from earlier lobbyist input into the ePrivacy process.

      • Robert Madge 2017-07-09

        Valerie, you are of course quite correct that a legitimate interest of the controller is not alone a lawful basis for processing, since it has to be balanced against the interests and fundamental rights and freedoms of the data subject. However, I think that in practice it is less “risky” to process based on the legitimate interest provision than on consent.

        It is extremely easy for a consent to be invalidated later and there are many ways to fall foul of the law. A legitimate interest basis, if supported by diligent work on the balance of interests, allows far fewer risks of clear-cut challenges. Furthermore, the justification for the balance calculation only needs to be provided following a challenge by a data subject (or potentially by a DPA, of course). Since the balancing process includes subjective judgement, I think that even a negative ruling is unlikely to lead to an administrative fine. Since the balance of interest argument can depend on the circumstances of a particular data subject, if a single person makes a challenge, the controller may be simply able to stop processing for that data subject and close the case.

        Regarding the PERC “soft opt in”, Art 16.2 of the proposed ePrivacy regulation does include this. Indeed, direct marketing is recognised by the GDPR as a legitimate interest (Recital 47), but it is difficult to see how communications can be sent (in most cases) without consent as required by the PERC.

        • Robert Madge 2017-07-09

          Correction PERC -> PECR

          • Valerie O'Neill 2017-07-10

            Robert, the GDPR says that information about the legitimate interests of the controller must be provided to the data subject when the data is collected – A13.1(d). It also has to be made available even if the subject did not provide the information – A14.2(b).

            The need for fair and transparent processing implies that this would necessarily include justification of the balance between the subject’s and the controller’s rights.

            The right to object must also be explicitly brought to the attention of the subject at the time of the first communication A21.4, and this can be exercised through “automated means using technical specifications” A21.5

            Many companies will consider consent to be a less risky basis for processing, and far better because of the opportunity to get affirmative buy-in from a potential customer.

            • Robert Madge 2017-07-10

              Valerie, I agree that the controller must inform the data subject of the legitimate interests it is pursuing, as you say. However, the provisions do not specify that the balance of interest algorithm has to be provided.

              It is debatable whether the principles of fair and transparent processing (as mentioned in Recital 60) would require this explanation, in addition to the requirements specified in Articles 13 & 14. There is already a long list of information that has to be provided to the data subject and this could be considered a level of detail which would simply overwhelm, rather than inform the data subject.

              This issue was debated in the legislative process leading to the approval and publication of the GDPR. The LIBE Committee of the European Parliament wished to include in these articles the controller’s reasons for believing that its interests are not overridden by the data subject’s interests or fundamental rights and freedoms. The Article 29 Working Party supported this viewpoint. The amendment proposed by the EU Parliament to this effect was not agreed for the final text and so the omission is clearly not accidental. Therefore, I think that it would be difficult to argue legally that the controller has an obligation to provide this information (until it receives an objection from a data subject).

              I totally agree about the need to highlight the right to object. Indeed, in most contexts the simplest route for a controller to follow is to provide an ‘opt-out’ check box on each communication, which provides the easiest possible right to object. Once the data subject checks this box then processing would stop and the controller would be off the hook for explaining how it calculated the balance of interests.

              It’s yet to be seen how much controllers will opt for consent or a legitimate interest assertion. I personally would prefer a consent-based approach, if this can be done in a way that truly empowers individuals, but I continue to believe that most companies will see a legitimate interest basis as the least risky. If a consent process is later judged invalid, it will invalidate processing of all data subjects done on this basis, whereas judgements on legitimate interest may well just be individual (both because challenges are likely to be individual and because the balancing algorithm may produce different results depending on the individual).

              The requirement for consent under the ePrivacy regulation may tip the balance. I also agree that forward-looking companies, wishing to establish the strongest relationships with the potential customers will aim for an affirmative buy-in.

            • Robert Madge 2017-07-10

              Valerie, I’ve just taken a look at your website – great work!

              Making consent workable is hugely valuable.

              I hope that you can make it along to the MyData conference at the end of August, in Helsinki: https://mydata2017.org/

              I’ve also published a pessimistic article about how consent is being undermined by legitimate interest at: https://medium.com/mydata/gdpr-data-portability-is-a-false-promise-af460d35a629

              I don’t think that we can ignore the move towards businesses using a ‘legitimate interest’ approach, but the more people are conscious of this the more we might be able to shift the balance.

            • Robert Madge 2017-07-11

              Valerie, the Direct Marketing Association has just launched its guidelines for the use of legitimate interest as the basis for GDPR lawful processing. See https://www.dpnetwork.org.uk/wp-content/uploads/2017/07/DPN-Guidance-A4-Publication.pdf

              Examples they give for the ‘transparency’ notice are:

              EX 1
              How do we use your personal information? [or similar heading as part of privacy notice]
              We may process your personal information for our legitimate business interests.
              e.g. fraud prevention/direct marketing/network and information systems security/data analytics/enhancing, modifying or improving our services/identifying usage trends/determining
              the effectiveness of promotional campaigns and advertising. [This section should highlight the areas where your business processes data for the purposes of its legitimate interests. Refer to Section [X] for examples of legitimate interests that your organisation may pursue.]
              Click here to learn more about what we mean by legitimate interests, and when we process your data for our legitimate interests.
              You have the right to object to this processing if you wish and if you wish to do so please click here

              EX 2
              We process personal information for certain legitimate business purposes, which include some or all of the following:
              • where the processing enables us to enhance, modify, personalise or otherwise improve our services / communications for the benefit of our customers
              • to identify and prevent fraud
              • to enhance the security of our network and information systems
              • to better understand how people interact with our websites
              • to provide postal communications which we think will be of interest to you
              • to determine the effectiveness of promotional campaigns and advertising.
              Whenever we process data for these purposes we will ensure that we always keep your Personal Data rights in high regard and take account of these rights. You have the right to object to this processing if you wish, and if you wish to do so please click here. Please bear in mind that if you object this may affect our ability to carry out tasks above for your benefit.

              EX 3
              We may process your personal information for carefully considered and specific purposes which are in our interests and enable us to enhance the services we provide, but which we believe also benefit our customers. Click here to learn more about these interests and when we may process your information in this way.

              FURTHER INFORMATION EXAMPLE, ON CLICK-THROUGH
              “Legitimate Interests” means the interests of our company in conducting and managing our business [to enable us to give you the best service/products and the best and most secure experience].
              For example, we have an interest in making sure our marketing is relevant for you, so we may process your information to send you marketing that is tailored to your interests.
              It can also apply to processing that is in your interests as well.
              For example, we may process your information to protect you against fraud when transacting on our website, and to ensure our websites and systems are secure.
              When we process your personal information for our legitimate interests, we make sure to consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. Our legitimate business interests do not automatically override your interests – we will not use your Personal Data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
              [Insert optional table, in which organisations may wish to include further detail]
              e.g. The table below sets out further detail on the ways we process your data for our legitimate interests. If you have any concerns about the processing below, you have the right to object to processing that is based on our legitimate interests. For more information on your rights, please see “Your Rights” section below
              – – –
              As you can see, they are not proposing that the balance of interests calculation should be presented at this stage of the interaction with data subjects.

              PS: Ping me by LinkedIn or Twitter for a direct conversation. LinkedIn: robert-madge-1126721; Twitter: @robmadge

            • Robert Madge 2017-07-11

              Sorry, I wrote in my last post here the Direct Marketing Association, when I meant to write the Data Protection Network – unfortunately I can’t go back and edit.

        • Robert Madge 2017-07-09

          I should have added, regarding the “soft opt-in”, that this is indeed currently applicable in the UK under the PERC (Privacy and Electronic Communications (EC Directive) Regulations 2003), Art 22.3 (derived from Art 13.1 of the EU Directive 2002/58/EC).

          ICO refers to this in its latest ruling on Honda emailing (https://ico.org.uk/action-weve-taken/enforcement/honda-motor-europe-limited/) but determined that Art 22.3 did not apply in this case.

    3. David Ward 2017-06-01

      Great article. One important sub-text that might be missed is that GDPR is NOT just a security issue. In fact security is likely to be the easiest part of GDPR for the business to comply with. Understanding the e2e lifecycle from obtaining the personal information, processing it, storing it, through to finally deleting it, being able to evidence all of that activity and making sure that all of those obscure business processes and systems that have not been looked at for a decade or more are in compliance with the Regulation will be a lot more challenging.

      • Miss Info Geek 2017-06-01

        I did go into that a bit in the GDPRubbish post the other day, but yes, there is much more to be said on that subject, and as loudly as possible.

    8. Neil 2017-08-23

      Hello,

      Great blog. Could you clarify something for me, please?

      You say: “If you picked consent because it was top of the list and consent was later withdrawn, but you realised there was a legal obligation to continue to process the data, you would be in a pickle – either you’d be in breach of privacy law (continuing to process when consent has been withdrawn) or in breach of the other legal obligation.”

      If there are six lawful bases/good reasons for processing and the data subject withdraws their consent but you have a legal obligation to continue processing, then surely you’re still processing the data lawfully under Article 6 point c of the GDPR (“Processing shall be lawful only if and to the extent that at least one of the following applies: […] (c) processing is necessary for compliance with a legal obligation to which the controller is subject”), aren’t you?

      Doesn’t that ‘at least’ mean you can have more than one lawful basis for processing? Or is it a problem because you need to have identified the lawful basis/good reason for processing before you start?

      Thank you.

      • Miss Info Geek 2017-09-05

        Hi Neil, thanks for your kind words.
        The issue with falling back on another legal basis after consent is withdrawn is that the original processing was not, and the continued processing will no longer be, “fair, lawful and transparent”. By giving the data subject (the illusion of) a choice, but then taking that choice away from them, it is then very difficult to argue that the processing was ever fair in the first place. Certainly, you would be unlikely to be able to fall back on legitimate interests once consent is withdrawn/refused. If you have a legal obligation to process, then that should be the Article 6 basis, as consent will never be valid in that scenario (as it cannot be freely given). Hope that makes sense.

    10. Marcus Bointon 2017-09-19

      I’ve been unimpressed by a Dun & Bradstreet doc about GDPR compliance of their marketing list selling service, alongside lists they have sold, presumably at great expense. Their basic premise is that they collect data “in a legitimate interest” (they maintain business directories), and they have obtained this data through public sources (i.e. scraping web sites, with no opportunity for any kind of consent, transparency, fairness or “informing”).

      They now consider this to be *their* proprietary data which they are free to do what they like with, including selling it to 3rd parties for marketing purposes. They claim they are entitled to do this on the basis of the “B2B marketing exemption”. They say that “individuals” are free to say that they wish to opt out – however, most do not even realise they are on these lists, nor do D&B provide any mechanism that third parties can use to transmit opt-out information back to them. They have clearly filtered the data to some extent (e.g. there are no public email provider addresses like gmail), but also some of the data is clearly very old – so much for “only storing the data for as long as it is necessary”.

      I think it’s all blatant abuse, wildly inconsistent, and hopefully it will come back to bite them. Ping me if you’d like a copy of the doc!
