Recently, the EU’s Article 29 Working Party (the “Working Party”) adopted guidelines (the “Guidance”) on the meaning of consent under the EU General Data Protection Regulation (“GDPR”). In this Guidance, the Working Party has confirmed that consent should be a reversible decision where a degree of control must remain with the data subject. The Guidance provides further detail on what is necessary to ensure that consent satisfies the requirements of the GDPR:
- Freely given. Consent is not valid where there is an imbalance of power or where it is conditioned to the performance of a contract. In addition, consent must be granular and given separately for each data processing operation, and there should be no detriment to the data subject if the data subject elects to withdraw his or her consent.
- Specific. Consent must be given for the processing of personal data for a specific purpose.
- Informed. To be fully informed, the following information must be provided to the data subject before consent is given: (1) the identity of the data controller; (2) the purpose of each of the processing operations for which consent is sought, (3) the personal data that will be collected based on consent; (4) the existence of the right to withdraw consent; (5) information about the use of the personal data for decisions based solely on automated processing, including profiling; and (6) if the consent relates to transfers of personal data outside the EEA, information about the possible risks of personal data transfers to third-party countries in the absence of an adequacy decision and appropriate safeguards.
- Clear affirmative action. Consent must be an unambiguous indication of the data subject's wishes and accordingly, must be given by a statement or by a clear affirmative action which signifies agreement to the processing of personal data relating to the data subject.
Meaning of Explicit Consent
The Guidance also provides further information on the meaning of “explicit” consent, which is obtained for the processing of special categories of data, the transfer of personal data outside the EEA, or for automated individual decision-making. The Guidance states that for consent to be “explicit,” the data subject must give an express statement of his or her consent, for example, by expressly confirming his or her consent in an explicit statement. In the electronic context, an express statement of consent could be given by the data subject by filling in an electronic form, sending an email, uploading a scanned document or using an electronic signature.
Demonstrating Consent
The Working Party indicates that data controllers are free to develop methods to demonstrate that consent has been validly obtained in a way that is fitting with their daily operations, and the GDPR is not prescriptive in this regard. Nevertheless, to demonstrate that consent was validly given, the data controller must be able to prove, in each individual case, that a data subject has given consent. In addition, the Guidance indicates that data controllers should retain records of consent only for so long as necessary for compliance with legal obligations to which it is subject, or for the establishment, exercise or defense of legal claims. The information retained should not go beyond what is necessary to demonstrate that valid consent has been obtained.
Children’s Consent
The GDPR requires parental consent in relation to the processing of children’s personal data in the context of information society services (e.g., a website or video streaming service) offered directly to children. The GDPR does not, however, specify the means that should be used to verify whether a user is a child or to obtain the consent of the child’s parents. The Guidance suggests that data controllers should adopt a proportionate approach based on the inherent risk associated with the processing and the available technology solutions. For example, the Working Party suggests that in low-risk scenarios, verification of parental responsibility by email may be sufficient, but in higher risk scenarios, more rigorous methods may be used, such as requiring the parent to make a £/$/€ 0.01 payment to the controller via a bank transaction. The Working Party recognizes, however, that verification may be challenging in a number of circumstances, and this will be taken into account when deciding whether the controller has taken “reasonable” efforts to ensure that parental consent has been obtained.
Pre-existing Consent
The Guidance indicates that consent which has been obtained prior to the GDPR will continue to be valid under the GDPR, provided it meets the conditions for consent required by the GDPR. The Working Party notes, in this regard, that existing consents must meet all GDPR requirements if they are to be valid, including the requirement that the data controller is able to demonstrate that consent was validly obtained. Thus, the Working Party is of the view that any consents which are presumed to be valid, but of which no record is kept, will not be valid under the GDPR. Similarly, existing consents that do not meet the “clear affirmative action” requirement under the GDPR, for example, because they were obtained by means of a pre-checked box, also will not be valid under the GDPR.
For processing operations in relation to which existing consent will no longer be valid, the Working Party recommends that data controllers (1) seek to obtain new consent in a way that complies with the GDPR, or (2) rely on a different legal basis for carrying out the processing in question. If a data controller is unable to do either of those things then the processing activities concerned should cease.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code