Consent is one of the six legal bases that you can rely on to process personal information, and it is the one most often relied upon for marketing. However, it is not always the most appropriate basis, and you should think carefully about why you are relying on consent rather than another basis, especially as consent can be withdrawn at any time and, if this happens, you cannot simply switch to one of the other legal bases to continue processing the same personal information. The other five legal bases are: performance of a contract, legitimate interests, compliance with a legal obligation, protection of vital interests, and a task carried out in the public interest.
Historically, there has been confusion as to what consent is and many websites used wording that required an individual to ‘opt out’ (rather than ‘opt in’) or they used complicated wording, so no one was really sure what they were agreeing to.
GDPR specifies what constitutes valid consent, but despite this, many organisations are still not compliant.
Consent must be:
- freely given;
- specific;
- informed; and
- unambiguous.
Consent must be freely given. This means that you need to give the individual a ‘real choice’ about whether or not to provide consent, as they need to have control over what happens to their personal data. GDPR also requires that it must be as easy to withdraw consent as it is to give it. Therefore, the consent may not be valid if:
- the individual feels pressured to give consent because of an imbalance of power, such as in an employer/employee relationship;
- the individual will suffer a detriment if they do not give consent, such as being denied access to a benefit or service simply because they refuse to give consent for an unrelated purpose, such as marketing;
- it is bundled up within non-negotiable terms and conditions of a contract;
- the consent is a term of a contract, but it is not actually needed for the purpose of fulfilling the contract; or
- the individual is subjected to a protracted process to withdraw consent, for example having to telephone a call centre to withdraw consent that was given with a single click.
Consent must be informed. GDPR requires transparency, fairness and lawfulness, so you should provide individuals with sufficient information to allow them to make an informed decision: at a minimum, who the controller is, what the data will be used for, and that consent can be withdrawn at any time. This information could be provided in a Privacy Notice.
If you propose to use the personal data in numerous different ways or for multiple purposes, you should give individuals a choice about which element(s) to consent to. For example, they may wish to consent to receive marketing from you but not from any third parties you are associated with or they may wish to consent to emails from you but not telephone calls.
Being specific links in with the requirement for consent to be informed and granular: you must very clearly explain to individuals exactly how you propose to use their personal data and distinguish between the various elements of the processing activities, so that a single consent does not silently cover several unrelated purposes.
The consent must be unambiguous, which means that you must not use confusing language such as double negatives. Consent must be given by a clear affirmative action, such as ticking an ‘opt in’ box. ‘Opt-out’ boxes should not be used, and neither should pre-ticked boxes: silence, inactivity or a box that is already ticked by default does not amount to consent.
Under the Accountability Principle of GDPR, you, as an organisation and a Controller, must be able to demonstrate that you obtained valid consent before processing personal information. Therefore, it is important not only to obtain GDPR-grade consent but also to retain proof of it: who consented, when and how they consented, what they were told at the time, and whether and when they later withdrew consent.