Under the new GDPR consent remains as one of the lawful bases that a data processor can use to process data. In other words, if you have consented to something then your data can be used for that specific purpose.
Over the past few days I have visited a number of websites, and it is increasingly clear that not many have the appropriate consent mechanisms in place.
The GDPR is very clear that the onus is now very much on the customer or data subject to consent to something, rather than it being implied or them having to take an action to deny consent.
The following is an extract from the regulation:-
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
To further qualify this there is an additional statement.
Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
In addition, consent is required for each separate and distinct processing activity.
Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.
Here is an example from a well-known football club. You can see the relevant page at
https://secure.manutd.com/en/Login-and-Sign-Up/Register-Short.aspx
As you can see, the newsletter options (circled in green), are a series of tick boxes that have to be checked by the customer to opt-in, and each newsletter is listed separately.
However, the products and services options (circled in red), are quite different. Here the customer has to tick the boxes to deny consent. This goes against the GDPR in a number of ways. Firstly, it implies consent unless the customer does something specific. Secondly, it states that consent is given by a number of means (post, phone or electronically) with no option to separate these out. Thirdly, it uses generic lists, i.e. MU Group and MU Partners. To ‘share and use’ personal data the data subject must be given the details of each individual organisation involved, and the purpose of the data processing, so that they can be informed and given the chance to deny consent.
Once consent has been given the data subject must be given the chance to withdraw that consent, and the withdrawal must be as easy to execute as it was to opt in originally. This could be in the form of one click unsubscribe functionality, or the reprocessing of the original tick boxes. It should not take several days to effect the withdrawal of consent.
The organisation that has the consent to process the data will need to be able to prove that they have the consent and exactly what that consent is for. A tag on the data will indicate whether consent is evident, but the questions that need to be answered are how was that consent obtained? and when was that consent obtained? Again, the implication that they ticked a box is not enough, as software and web forms change over time. Proof could be in written form, orally recorded, or screens dumps of their consent journey.
There have been a lot of questions around social media, and how consent works with regard to advertising. When you sign up to a site such as Facebook you give consent to them to provide content. If you click on an advert you would be directed to a third party and consent would work just like any other website. A grey area is areas of dual consent, such as jobs boards. You post your CV and consent for it to be searchable, meaning that any one of hundreds of recruiters could see it and contact you. However, you may have already unsubscribed from a particular agency’s mailing list. It is still to be debated whether every posting of your CV renews your consent and therefore overrides your unsubscribe request.
Consent is just one of the factors that an organisation can use to process personal data. We will look at other factors in future articles.