Comparing consent for processing personal data with consent for sexual activity.
Many laws, professional obligations, contracts and standards make reference to “consent” as a basis or requirement for something to be done. As I’ve mentioned before in an earlier post, “consent” is not a tick box or a signature, it is a state of relationship between two (or more) parties.
With this in mind, I’m going to write about something we’re almost all enthusiastic about (sexual activity) and something I’m [also] very enthusiastic about (data protection) in the hope that comparing the two will lead to greater understanding of how to manage consent as a legal basis for processing personal data, while keeping your attention for long enough to explain…
If you haven’t already seen this, it’s an excellent analogy between sexual activity and cups of tea – almost every point made can also be related to processing of data. The main difference here is that a cup of tea is unlikely to have a lasting and damaging effect, whereas both unwanted sexual contact and unfair/unlawful processing of personal data have the potential to cause serious harm to individuals if they occur.*
Before I get into the similarities though, there are two ways in which consent for getting sexy and processing data are totally different.
1. You don’t *have* to get consent for data processing (and shouldn’t try to, if consent is not the appropriate legal basis) but you always need to make sure that your sexual activities are with consenting adults only.
2. Consent for happy fun time can be implied or inferred (carefully). A long-married couple probably don’t need to have a detailed conversation about whether to take advantage of the kids being out that evening – a speculative look in the direction of the bedroom/kitchen/sofa and a twinkle of the eye in response is probably enough to communicate “shall we?” “Yes!” effectively.
No such parallel exists with data processing – either you have an unambiguous and specific response to “can we use your data in this way for this purpose” or you don’t have consent.
Ok, those are the significant differences. So, what are the similarities between consent for sexual activity and consent for data processing?
What it’s for: specifically
Consent is not “one size fits all”, if you consent to A (whether A is a cheeky snog behind the bike sheds, or being profiled on social media in order to be served targeted advertising), that does not mean you have also consented to B (which might be a hand up your shirt – or having your social media data sold to an insurance agency to calculate your risk of having a driving accident). It doesn’t even mean that you have consented to future As (snogs or profiling), especially if those future As might take you by surprise. It certainly doesn’t mean that having consented to A with one party, that anyone else can join in without having to ask permission separately (I’m looking at you, data brokers)
Whether you have it depends on how you get it:
Evidence of consent may be a legal requirement in some scenarios, but that evidence itself is not “consent”, just a record that something was asked for and an affirmation provided.
Obviously, if you have been misled or misinformed as to the activity, not given enough information to make an educated decision or if you don’t really have a choice, then no amount of tickboxes, signatures, “I agree” buttons or recordings will suffice. You have not consented.
Obtaining consent before/during sexual activity doesn’t usually involve either paper or electronic records, although there are apps which purport to fill that……er….niche (I’m in complete agreement with Girl On The Net’s views on these apps, by the way [warning also probably NSFW]). However, asking “would you like me to….” or “how about if we…..” rather than just diving in is the right thing to do and doesn’t have to kill the mood – in fact, that kind of conversation can be quite good fun…..
A positive response is an indication of consent. No response, or a negative response is very very unlikely to be consent. If someone is impaired in some way so they can’t a) understand the decision or b) communicate their decision then they cannot consent. Back off.
Obtaining consent for processing of personal data doesn’t necessarily need to involve tickboxes or signatures although as evidence of consent is a legal requirement, those are some mechanisms you might want to consider using.
What’s important in both circumstances is that you get consent before you start getting jiggy/processing data.
It doesn’t last forever:
Once you have consent, you can do whatever it is you have obtained agreement to do, for as long as that consent was agreed to last. “Yes” can turn to “No” at any time. If you don’t give the other party the freedom to change their mind, then you don’t have valid consent.
Regret does not retrospectively turn a ‘yes’ into a ‘no’. While many of us may have woken up and thought “Oops” when recalling the night before; this does not invalidate any informed, freely-given consent that was provided at the time. The past cannot be undone, only learned from. Likewise, if I give an advertising agency permission to use my photo, while I can tell them to stop using it later, I can’t make them recall every copy of the image that they published while my consent was in place.
Withdrawal or refusal is not an invitation to try to continue:
No means no. End of. Once someone has withdrawn their consent you must stop doing whatever it was you obtained their agreement to do. Pleading, bullying, coercing, forcing – these are violations of consent and could be very serious, both for you and for the person whose preferences you have ignored. Emotional blackmail to get sex is a favourite tactic of hormone-crazed teenage boys and has (superficial) parallels with companies that send emails to opted-out addresses offering incentives to resubscribe. Teenage boys might not realise that what they are doing is wrong (educate them please, parents!) but companies have no excuse whatsoever.
It doesn’t last forever:
“Yes” now does not mean “yes” to every future occurrence. “But you liked sucking my toes last week” does not mean that person wants to suck your toes right now, or at any time in the future. Put your socks back on. Similarly, asking an organisation to send you info about a specific event you’re interested in doesn’t mean they can send you messages about any other event they run.
It’s important to be clear:
Keep checking that ‘no objection’ has not turned into “no”. Consent must be informed to be valid, so if the other party has forgotten what they agreed to then you may not still have their consent – whether that’s the prospect of getting the silk scarves out, or tracking every location they take their phone to.
Proportionality is advised:
Signed agreements are not necessarily appropriate for either sexual activity or data processing (although they are relatively common in relationships that incorporate the exotic end of sexual activities [warning possibly NSFW] where the potential for miscommunication could have serious ramifications). Likewise, a signed declaration of consent to data processing is probably overkill for the majority of scenarios and is likely to increase both your administrative overhead and the annoyance you’re going to cause to the people who’s data you’re wanting to process. However, as with exotic sexual activities; if there is potential for a high impact, especially any kind of harm to the individual from your processing then it’s likely that you will need to make your consent evidence more stringent and robust. (note: if the processing is *required* in order to carry out a contract, then you should not be asking for consent in the first place as it cannot be freely-given separately to the contract agreement itself).
Lastly; don’t be a git:
If you’re looking for ways to evade obtaining proper consent in order to exploit someone then you are a Bad Person. This applies in any context. Even if you don’t see what you’re doing as exploitation, fiddling with either someone’s physical or intangible self has real consequences – it should only happen with care, respect and communication.
So if you are considering processing someone’s personal data, first check the appropriate legal basis. If that’s consent, then ask them for it – being clear about what you want to do and why. Keep a record of their response. Check in with them after a while to make sure it’s still OK. Don’t be sneaky/deceptive/coercive/vague/ask for more than you actually need.
And practice safe sex, mm’kay?
*NB: I am *not* equating data misuse with sexual assault in terms of seriousness! Lives can be ruined by unfair/unlawful/careless data processing (the construction industry blacklist, exposing vulnerable people to their stalkers, medication errors, inaccurate criminal records, credit rating errors….) – these are all Really Bad Things, but nowhere near the horror of being assaulted.
First followed you via LinkedIn. Via a repost of this article by Adrian Beney I ended up here on your personal website. Love to follow your GDPR-awareness-quest further.
BTW: Nice way of dealing with cookies.
P.S. maybe #MeTooMyData 🙂
Thanks!