GDPR Consent Legal Guide

General introduction

This Guide provides a general introduction to how controllers (website and app owners) can meet the GDPR requirements for the Consent Request and the Consent Dialogue, and for who provides the Consent Request and when, including:

  1. the GDPR attitude to consent, with the definition, modalities and dynamics of consent.

  2. the “CONSENT-OMETER” methodology to assess whether GDPR consent requirements are met.

What to do?

Signatu helps you with consent:

  1. Specify your consent request in Signatu Data Processing Specification to:
    1. include one processing purpose only for a single consent request.
    2. include and logically link required information in a single consent request.
    3. record, version control and time track consent requests that are live.
    4. make an immutable record of unique identities for each processing purpose so you can keep track of whether each processing purpose is widened or blurred, so you in turn can know whether new consent needs to be obtained.
  2. Select a Signatu Consent Dialogue (from the Signatu JavaScript SDK) for each of your consent requests and embed it on your site/app to:
    1. enable data subjects to give specific consent for each of your processing purposes separately.
    2. enable data subjects to withdraw a previously given consent in a privacy settings dashboard.
  3. Use Trackerdetect to secure evidence that your Consent Dialogue is provided to end users at your site/app.
  4. Use Signatu Tag manager to conditionally load cookies upon consent.
  5. Record and store Consent Events with Signatu Consent API to demonstrate consent.

Upcoming Guides

We will soon publish special guides for the following:

  1. ePrivacy Directive and ePrivacy Regulation.
  2. the obligation to demonstrate consent for single controllers and joint controllers.
  3. the Consent Event Record and DPA inspection of Consent Event Record.
  4. representation of consent requests by icons, flowcharts, stickmen etc.
  5. accessible information for data subjects with low or no vision.
  6. where to provide consent requests (Privacy Settings Dashboard with user account, in context where data are collected, pop-up nudging, for cookies, on each URL, etc).
  7. Consent Dialogue design and architecture (privacy by design, GDPR Art 25) with UX/UI requirements and best in class design.
  8. When and how to refresh consent.
  9. Consent Analytics.
  10. Signalling Consent Events.
  11. Consent Receipts.
  12. Where/how users exercise their rights, including Subject Access Request to see Consent Event History, Withdraw consent, Object to direct marketing, Object to legitimate interest, Notify 3rd parties of users’ request to rectify or erase data or restrict processing, etc.
  13. Signatu technology for Opt-out of Legitimate Interest.

GDPR attitude

Prohibition to process personal data

The GDPR, if applicable, prohibits a controller from processing a data subject’s personal data unless the GDPR makes an exemption.

Exemption from prohibition: Permission to process personal data

The GDPR exempts a controller from this prohibition if a specific legal basis permits the controller to process the data subject’s personal data.

The GDPR provides a specific legal basis that permits a controller to process a data subject’s personal data if the data subject permits the controller to process the data subject’s personal data.

The specific legal basis in GDPR Article 6.1 (a) permits a controller to process a data subject’s ordinary personal data if the data subject permits the controller to process the data subject’s personal data.

The specific legal basis in GDPR Article 9.2 (a) permits a controller to process a data subject’s special personal data if the data subject permits the controller to process the data subject’s personal data.

GDPR Article 9.2 (a) requires the explicit consent of the data subject.

What is special personal data?

The GDPR says that personal data are special if the processing of the personal data reveals racial origin, ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership. Also, personal data are special if genetic data are processed for the purpose of uniquely identifying a natural person (GDPR Article 4 (13) defines genetic data), and if biometric data are processed for the purpose of uniquely identifying a natural person (GDPR Article 4 (14) defines biometric data). Also, data concerning health (GDPR Article 4 (15) defines data concerning health), data concerning a natural person’s sex life and data concerning a natural person’s sexual orientation are special personal data. Have a look at GDPR Article 9.1 to see the definition of special personal data. To see further conditions, including limitations, for processing special personal data, look at GDPR Article 9.4.

The specific legal basis in GDPR Article 22.2 (c) and 22.4 permits a controller to carry out automated decision making if the data subject permits the controller to process the data subject’s personal data.

GDPR Article 22.4 (ref. Article 9.2 (a)) requires the explicit consent of the data subject.

The specific legal basis in GDPR Article 18.2 permits a controller to process personal data whose processing has been restricted if the data subject permits the controller to process the data subject’s personal data.

The specific legal basis in GDPR Article 49.1 (a) permits a controller to transfer the data subject’s personal data to a third country or an international organisation if the data subject permits the controller to process the data subject’s personal data.

GDPR Article 49.1 (a) requires the explicit consent of the data subject.

Consent to cookies, Article 5(3) of Directive 2002/58

The Advocate General in the Planet 49 case says:

  1. Article 5(3) of Directive 2002/58 refers to “storing of information, or access to information already stored”. It makes no difference whether the information stored or accessed constitutes personal data.
  2. It is clear that any such information has a privacy aspect to it, regardless of whether it constitutes personal data within the meaning of Article 4, point 1, of Regulation 2016/679 or not.
  3. Article 5(3) of Directive 2002/58 aims to protect the user from interference with his or her private sphere, regardless of whether that interference involves personal data or other data.
  4. This is supported by recital 24 and 25 of Directive 2002/58 and by the Opinions of Article 29 Working Party. It is not a prerequisite for the application of this provision that this information is personal data.
  5. There are different types of cookies. Some cookies are classified according to the cookie’s lifespan (e.g. session cookies and persistent cookies), others according to the domain to which the cookie belongs (e.g. first-party and third-party cookies). When the web server supplying the webpage stores cookies on the end user’s computer or mobile device, they are known as HTTP header cookies. Another way of storing cookies is through JavaScript code contained or referenced in that page.
  6. Directive 2002/58 prohibits a controller from placing or accessing cookies on a data subject’s computer unless there is an exemption.
  7. Directive 2002/58 exempts a controller from this prohibition if a specific legal basis permits the controller to place or access cookies on the data subject’s computer.
  8. The specific legal basis in Directive 2002/58 Article 5(3) permits a controller to place or access cookies on a data subject’s computer if the data subject permits the controller to place or access cookies on the data subject’s computer.
  9. The validity of consent to the placement of cookies and the applicability of any relevant exemptions, however, should be evaluated based on the PURPOSE of a cookie rather than the technical features.

Watch this space for guidance!

Definition

GDPR Article 4(11)

GDPR Article 4(11) provides the following definition of consent:

‘For the purposes of this Regulation: “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.

Modalities

Data subject’s permission

From the data subject’s perspective, the legal modalities of consent would be captured by saying that:

a data subject’s right to grant a controller permission to process his or her personal data is equivalent to the controller having no right to process (or not to process) the data subject’s personal data.

Controller’s permissive right

From the controller’s perspective, the legal modalities of consent would be captured by saying that:

the permission that the data subject has granted the controller to process the data subject’s personal data is equivalent to saying that the controller has a privilege, a permissive right and a mere liberty right toward the data subject to process (or not to process) the data subject’s personal data.

Power dynamics

Data subject’s power

The dynamics of consent would be captured by saying that:

(in a legal capacity) the data subject holds the power to grant permission, to not grant permission or to terminate any permission previously granted to the controller with respect to processing of the data subject’s personal data through any action that grants, does not grant or terminates the permission and its legal effect.

Hence, one can say that:

the data subject’s performance of an action grants or terminates the permission (vis-à-vis the controller processing the data subject’s personal data) and its legal effect which the data subject pursues in his or her own interest.

Or one can say that:

the data subject may grant or terminate the permission (vis-à-vis the data controller processing the data subject’s personal data) and its legal effect through the action.

Controller’s lack of immunity

This is equivalent to saying that:

the controller is subject to and is not immune from the data subject’s power to permit (or to refuse or terminate) the permission toward the controller with respect to processing the data subject’s personal data.

Sanctions

If the controller processes the data subject’s personal data without the data subject’s permission, then the controller lacks the permissive right to process the data subject’s personal data, and corresponding sanctions against the controller can be activated.

Methodology

“CONSENT-OMETER” is a detailed methodology to assess whether or how a controller enables the data subject to effectively exercise the data subject’s power:

  1. to grant permission to the controller to process the data subject’s personal data,
  2. to not grant permission to the controller to process the data subject’s personal data, or
  3. to terminate any permission previously granted to the controller to process the data subject’s personal data.

The data subject’s right to be power-enabled by the controller is specified by several requirements in the GDPR.

GDPR Article 5.1(b) says:

“personal data shall be collected for specified … purposes”.

GDPR Article 6.1(a) says:

“processing shall be lawful only if and to the extent that at least one of the following applies: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.”

GDPR Article 4(11) says:

“consent of the data subject means any … specific … indication of the data subject’s wishes … to the processing of personal data relating to him or her.”

In its literal sense, a specific indication that signifies consent to the controller’s processing of the data subject’s personal data means:

the controller has a duty to provide specific information in the consent request to the data subject to enable the data subject to use that information to assess the effects of any consent s/he might give.

Which specific information must be provided in the consent request?

According to the GDPR and guides from Data Protection Authorities, the following questions must be answered in the consent request for the consent to be specific:

  1. which personal data are processed?
  2. by which activity are the personal data processed, including whether data are disclosed to recipients and/or to which third countries data are transferred (if any) in the absence of an adequacy decision and appropriate safeguards?
  3. for which purpose are the personal data processed, including whether and how personal data are used for decisions based solely on automated processing?
  4. for which period are the personal data processed, including the duration of the operation of cookies?
  5. what is the legal basis for the processing purpose?
  6. is information provided about the existence of the right to withdraw consent?
  7. who processes the personal data, including joint or separate controllers that rely on consent for a specific processing operation?

Consent to cookies, Article 5(3) of Directive 2002/58

For consent to cookies in relation to Article 5(3) of Directive 2002/58, the Advocate General in the Planet 49 case says:

  1. By virtue of recitals 23 and 26 of Directive 2002/58, the duration of the operation of cookies is an element of the requirement for informed consent, meaning that service providers should ‘always keep subscribers informed of the types of data they are processing and the purposes and duration for which it is done’.
  2. Even if the cookie is essential, the question of how intrusive it is must be examined against the surrounding circumstances for consent purposes.
  3. In addition to asking what data each cookie holds and whether it is linked to any other information held about the user, service providers must consider the lifespan of the cookie and whether this lifespan is appropriate in light of the cookie’s purpose.
  4. The duration of the operation of cookies relates to the explicit informed consent requirements regarding the quality and accessibility of information to users. This information is vital to enable individuals to make informed decisions prior to the processing.
  5. The end user should be explicitly informed whether third parties have access to the cookies set or not. And if third parties have access, their identity must be disclosed.
  6. Articles 10 and 11 of Directive 95/46 (and Articles 13 and 14 of Regulation 2016/679) set out an obligation to provide information to data subjects. The obligation to inform is linked to consent in that there must always be information before there can be consent.
  7. Given the conceptual proximity of an internet user (and provider) to that of a consumer (and trader), one can resort at this stage to the concept of the average European consumer who is reasonably well informed and reasonably observant and circumspect and who is able to take the decision to make an informed commitment.
  8. However, due to the technical complexity of cookies, the asymmetrical information between provider and user and, more generally, the relative lack of knowledge of any average internet user, the average internet user cannot be expected to have a high level of knowledge of the operation of cookies.
  9. Thus, clear and comprehensive information implies that a user is in a position to be able to easily determine the consequences of any consent he might give. To that end he must be able to assess the effects of his actions. The information given must be clearly comprehensible and not be subject to ambiguity or interpretation. It must be sufficiently detailed so as to enable the user to comprehend the functioning of the cookies actually resorted to.
  10. This includes both the duration of the operation of the cookies and the question of whether third parties are given access to the cookies.

Which information must be provided in the consent request in cases of joint controllership?

The information must cover all the aspects of the personal data processing operation(s) for which the joint controllers are jointly liable.

In cases of third parties on websites, this is often the collection and transmission of end-user data to the third party (but not further downstream).

The duty of the website operator does not extend to subsequent stages of the data processing in which the website operator is not involved and for which it does not determine either the processing means or purposes.

How must the information in the consent request be linked for the consent to be specific?

In its literal sense, a specific indication that signifies consent to the controller’s processing of the data subject’s personal data also means:

the controller has a duty to link the specific information in the consent request to the data subject to enable the data subject to use that information to assess which specific personal data A1 is processed by a specific processing method and activity B1 for a specific purpose C1 on a specific legal basis D1 by a specific controller E1.

The controller’s duty to link the specific information enables the data subject to clearly comprehend, without any guesswork, that A1 is processed by activity B1 and not B2 for the specific purpose C1 and not C2, etc.

However, linking information is not sufficient to reduce or remove ambiguity and interpretation from the information. This is dealt with below.

Must a single consent request contain one processing purpose only?

Yes.

The controller has a duty to provide one processing purpose only in a single consent request, to enable the data subject to freely give or refuse consent to each separate data processing operation (GDPR Article 6.1(a), GDPR Recital 43).

It follows that the GDPR prohibits controllers from bundling several processing purposes in a single consent request.

Note that the GDPR permits controllers to provide several personal data and processing activities for one single purpose in a single consent request (GDPR Article 5.1(b) and Recital 32).
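As an added example (written for this guide, not Signatu’s own code; the field and function names are this example’s assumptions), the following Python sketches a consent request record that answers the seven questions listed above, carries one processing purpose only, derives an immutable identity from its content so that a widened purpose shows up as a new version for which the earlier consent does not count, and records grant and withdrawal events to demonstrate consent:

```python
"""Consent-request specification with a content-derived identity and an append-only
consent-event ledger. Added example for this guide, not Signatu's code; the field and
function names are this example's own."""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# The seven questions the guide says a specific consent request must answer.
REQUIRED = ("data_items", "activities", "purpose", "period", "legal_basis", "withdrawal_info", "controllers")

@dataclass(frozen=True)
class ConsentRequest:
    """Several data items and activities may be listed, but exactly ONE processing purpose."""
    controllers: Tuple[str, ...]           # E: who processes, incl. joint controllers
    data_items: Tuple[str, ...]            # A: which personal data
    activities: Tuple[str, ...]            # B: by which activity
    purpose: str                           # C: the single processing purpose
    legal_basis: str                       # D: e.g. "GDPR Art 6.1(a)"
    period: str                            # for which period / cookie lifetime
    withdrawal_info: str                   # existence of the right to withdraw
    recipients: Tuple[str, ...] = ()       # third parties given access
    third_countries: Tuple[str, ...] = ()  # transfers without an adequacy decision
    automated_decisions: bool = False      # decisions based solely on automated processing

    def problems(self) -> List[str]:
        """What is missing for the request to be 'specific'; [] means complete."""
        found = [f"missing: {name}" for name in REQUIRED if not getattr(self, name)]
        if self.third_countries and not self.recipients:
            found.append("third-country transfer listed but no recipient disclosed")
        return found

    def identity(self) -> str:
        """SHA-256 over the canonical content: any change (a widened purpose, an added
        data item or third country) yields a new identity, i.e. a new request version."""
        canonical = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def widen(request: ConsentRequest, extra_data_item: str) -> ConsentRequest:
    """A revised version of the request that processes one more data item."""
    return replace(request, data_items=request.data_items + (extra_data_item,))

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    request_identity: str
    action: str        # "granted" or "withdrawn"
    at: datetime
    dialogue: str      # where the action was taken, e.g. "consent-dialogue"

class ConsentLedger:
    """Append-only consent events (in time order), kept to demonstrate consent."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, request: ConsentRequest, action: str,
               dialogue: str = "consent-dialogue") -> ConsentEvent:
        if action not in ("granted", "withdrawn"):
            raise ValueError("action must be 'granted' or 'withdrawn'")
        if request.problems():  # consent to an incomplete request is not specific
            raise ValueError("incomplete request: " + "; ".join(request.problems()))
        event = ConsentEvent(subject_id, request.identity(), action,
                             datetime.now(timezone.utc), dialogue)
        self._events.append(event)
        return event

    def status(self, subject_id: str, request: ConsentRequest) -> str:
        """'granted', 'withdrawn' or 'no-consent' for the request AS CURRENTLY
        SPECIFIED; consent to an earlier version (other identity) does not count."""
        wanted, latest = request.identity(), None
        for event in self._events:
            if event.subject_id == subject_id and event.request_identity == wanted:
                latest = event
        return latest.action if latest else "no-consent"

# Constructed sample request; the values are illustrative, not from any real site.
ANALYTICS = ConsentRequest(
    controllers=("Example Shop Ltd",),
    data_items=("IP address", "pages visited"),
    activities=("collection via first-party cookie", "aggregation into visit statistics"),
    purpose="measure how the web shop is used",
    legal_basis="GDPR Art 6.1(a) consent",
    period="cookie lifetime 13 months",
    withdrawal_info="withdraw at any time in the privacy settings dashboard",
)

def demo() -> Dict[str, str]:
    """Grant, widen the request, then withdraw; return the status after each step."""
    ledger, alice = ConsentLedger(), "subject-0001"
    out = {"before": ledger.status(alice, ANALYTICS)}
    ledger.record(alice, ANALYTICS, "granted")
    out["after_grant"] = ledger.status(alice, ANALYTICS)
    # One more data item means a new identity: the earlier consent does not cover it.
    out["widened"] = ledger.status(alice, widen(ANALYTICS, "precise geolocation"))
    ledger.record(alice, ANALYTICS, "withdrawn", dialogue="privacy-dashboard")
    out["after_withdraw"] = ledger.status(alice, ANALYTICS)
    return out
```

Whether a revised purpose is compatible with the original (GDPR Article 6.4) remains a legal judgement; the identity only makes sure the change is noticed and the existing consent events are not silently reused for it.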

Consent to cookies, Article 5(3) of Directive 2002/58

For consent to cookies in relation to Article 5(3) of Directive 2002/58, this is confirmed by the Advocate General in the Planet 49 case, who says:

  1. For consent to be freely given and informed, it must not only be active, but also separate.
  2. To participate in an online lottery, users were required to tick a checkbox and to untick a pre-ticked checkbox to avoid the installation of cookies.
  3. These two expressions of intention (participation in the lottery and consent to the installation of cookies) were considered to form part of the same act made at the same time since it was not clear that consenting to cookies formed part of a separate act. Put differently, (un)ticking the checkbox on the cookies appears like a preparatory act to the final and legally binding act which is ‘hitting’ the participation button.
  4. These two expressions of intention must optically be presented on an equal footing.

Can a specific processing purpose be widened without requiring new consent?

Yes, but there are limitations.

GDPR Article 5.1(b) says:

“personal data shall be collected for specified … purposes and not further processed in a manner that is incompatible with those purposes”.

GDPR Article 6.4 (a) - (e) gives clues for how to assess whether processing for a purpose other than that for which the personal data have been collected is compatible with the purpose for which the personal data were initially collected.

GDPR Article 6.4 (a) - (e) says one must take into account: (a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing; (b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller; (c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10; (d) the possible consequences of the intended further processing for data subjects; (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

What are the information quality requirements for the consent request?

“Informed”

GDPR Article 4(11) says:

“consent of the data subject means any … informed … indication of the data subject’s wishes … to the processing of personal data relating to him or her.”

In its literal sense, an informed indication that signifies consent to the processing means:

the controller has a duty to provide the specific and linked information in the consent request to the data subject to enable the data subject to use that information to assess the effects of any consent s/he might give without ambiguity and interpretation from the information.

This is supported by GDPR Recital 32, which says:

“if the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise”.

Must the information in the consent request be understandable in the mind of the author or the reader to qualify for informed consent?

Plain language, easy to understand

GDPR Recital 42 says:

“in accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language”.

Also, GDPR Recital 58 says:

“the principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language … be used”.

GDPR Recital 42 says the controller’s consent request must be intelligible.

Further, GDPR Recitals 39 and 58 say the controller’s consent request must be easy to understand.

The wording seems to indicate that the notions of “plain language” that is “easy to understand” do not refer to:

  1. the intention of the author (i.e. the controller) of the consent request,
  2. the specific legal or contractual rules that a consent request of a certain type counts as intelligible, and
  3. the meaning that is usually given to consent requests of a certain kind.

In its literal sense, an indication in “plain language” that is “easy to understand” and that signifies consent to the processing means:

the controller has a duty to provide the specific and linked information in the consent request to the data subject to enable the average data subject that is targeted to use that information to easily assess the effects of any consent s/he might give without ambiguity and interpretation from the information.

This understanding is also that of:

  1. WP29 (endorsed by the EDPB) in its Guidelines on Transparency under Regulation 2016/679 (wp260rev.01).
  2. the Advocate General in the Planet 49 case (regarding consent to cookies in relation to Article 5(3) of Directive 2002/58), who says:

“The obligation to inform is linked to consent in that there must always be information before there can be consent. Given the conceptual proximity of an internet user (and provider) to that of a consumer (and trader), one can resort at this stage to the concept of the average European consumer who is reasonably well informed and reasonably observant and circumspect and who is able to take the decision to make an informed commitment.”

Consent to cookies, Article 5(3) of Directive 2002/58

In the case of cookie consent, the Advocate General in the Planet 49 case says:

“… due to the technical complexity of cookies, the asymmetrical information between provider and user and, more generally, the relative lack of knowledge of any average internet user, the average internet user cannot be expected to have a high level of knowledge of the operation of cookies. Thus, clear and comprehensive information implies that a user is in a position to be able to easily determine the consequences of any consent he might give. To that end he must be able to assess the effects of his actions. The information given must be clearly comprehensible and not be subject to ambiguity or interpretation. It must be sufficiently detailed so as to enable the user to comprehend the functioning of the cookies actually resorted to.”

A rough simplification of language properties may give ideas for how to author a consent request that is understandable.

Roughly speaking, natural language can be described in four dimensions:

  1. First, one can say that natural language is more or less precise (the degree to which the meaning of a text in a certain language can be directly retrieved from its textual form).
  2. Second, one can say that natural language is more or less expressive (the range of propositions that a certain language is able to express).
  3. Third, one can say that natural language is more or less natural (how close the language is to a natural language in terms of readability and understandability to speakers of the given natural language).
  4. Fourth, one can say that natural language is more or less simple (the simplicity or complexity of an exact and comprehensive language description covering syntax and semantics).

Understanding the correlations between the dimension pairs of a natural language may give further ideas regarding how to author a consent request so it will be understandable:

  1. Precision and simplicity often exhibit a strong negative correlation (precise language tends to be complex and not simple).
  2. Expressiveness and simplicity often exhibit a strong negative correlation (expressive languages tend to be complex and not simple).
  3. Naturalness and expressiveness often exhibit a strong positive correlation (natural language tends to be expressive).
  4. Naturalness and simplicity often exhibit a strong negative correlation (naturalness of language tends to be complex and not simple).
  5. Precision and naturalness often exhibit a less negative correlation (precise language tends to be natural).
  6. Precision and expressiveness often exhibit a less negative correlation (precise language tends to be expressive).

Which target language must the consent request have to be understandable?

The GDPR says in Recitals 39, 58 and 60 that controllers have a duty to provide data subjects with information that is understandable for the data subjects.

In a literal sense, this means controllers must provide the information in the consent request in the country specific language of the data subjects.

This understanding is also that of WP29 (endorsed by the EDPB) in its Guidelines on Transparency under Regulation 2016/679 (wp260rev.01), which say that information must be provided in the language of the target audience.

What constitutes “targeting” of data subjects in an EU State?

Watch this space for guidance!

Can multiple consent requests provided at the same time qualify the consent requests as not easy to understand?

It is questionable whether any or all of a controller’s consent requests, if they are multiple and provided at the same time to a data subject, can count as invalid solely because of the extent of the information.

Can alternative representations of text language make the consent request easy to understand?

Watch this space for guidance!

Which form makes the consent request accessible?

GDPR Recitals 39 and 58 say the principle of transparency requires that any information addressed to the public or to the data subject must be “easily accessible”.

WP29 (endorsed by EDPB) in its Guidelines on Transparency under Regulation 2016/679 (wp260rev.01) says that written information in consent requests must be accessible for vision-impaired end users (if any).

What makes information in a consent request accessible?

End user accessibility needs are needs that relate to:

  1. Visual acuity (clarity)
  2. Light and glare sensitivity
  3. Contrast sensitivity
  4. Field of vision
  5. Color vision

Watch this space for guidance!

Is the dialogue for consent and objection to processing clearly distinguishable from other information?

GDPR Article 7.2 says:

“if the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding”.

Also, when controllers base personal data processing for direct marketing purpose on consent, GDPR Article 21.4 says:

“at the latest at the time of the first communication with the data subject, the right (to object) referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.”

Watch this space for guidance!

In its literal sense, “clearly distinguishable from other matters/any other information” means that what is presented as a request for consent or objection to direct marketing is without doubt recognized or identified as a consent request/objection to direct marketing with features that distinguish the consent request/objection to direct marketing from other matters.

What distinguishes the consent request/objection to direct marketing from other matters consists of how it differs from the other information in the same context:

  1. by design, areas, divisions, boundaries or edges that separate the consent request/objection to direct marketing from the information near it, and
  2. by the internal elements of the dialogue for the consent request/objection to direct marketing.

Watch this space for guidance!

Below, the internal elements of the consent dialogue will be presented.

Are the actions through which consent is granted or refused provided in the consent dialogue?

GDPR Article 4(11) says:

“consent of the data subject means any … indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

It follows that the controller has a duty to provide the consent request in a dialogue which informs the data subject about the actions through which the data subject is enabled to exercise his/her power to grant or refuse permission for the controller to process the data subject’s personal data.

On websites and apps, the actions through which the data subject is enabled to exercise his/her power to grant or refuse permission for the controller to process the data subject’s personal data are normally:

  1. checkboxes,
  2. buttons, or
  3. switches.

Watch this space for guidance!

Must the actions to object to processing be provided in the consent dialogue?

Controllers may base personal data processing for direct marketing purpose on consent.

GDPR Article 21.2 says:

“Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.”

GDPR Article 21.5 says:

“In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.”

GDPR Article 21.4 says:

“at the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.”

Hence, controllers have a duty to enable the data subject to object at any time by automated means to the processing of their personal data for direct marketing purposes.

Watch this space for guidance!

Is the action through which a consent can be terminated provided in the consent dialogue?

First, GDPR Article 7.3, last sentence says:

“it shall be as easy to withdraw as to give consent.”

Second, GDPR Article 7.3, 1st sentence says:

“the data subject shall have the right to withdraw his or her consent at any time.”

In its literal sense, “as easy to withdraw as to give consent” means a duty for the controller to enable the data subject:

  1. to withdraw consent for a specific processing operation to which the data subject has previously granted consent, and
  2. to withdraw consent in a dialogue that is as easily available as the consent dialogue used to grant or refuse consent.

In its literal sense, “right to withdraw … consent at any time” means a duty for the controller to enable the data subject to withdraw consent at any time after giving it, whether or not any time has elapsed since consent was given.

Hence, the dialogue to withdraw consent:

  1. must correspond with a specific processing operation to which the data subject has previously granted consent.
  2. should - in cases where the data subject wants to withdraw consent immediately after giving it - be available in the consent dialogue, or by a link in the consent dialogue.
  3. should - in cases where the data subject wants to withdraw consent some time after giving it - be available in a privacy settings dashboard reachable by a link on any page.

Watch this space for guidance!

Which actions through which consent is granted or refused in the consent dialogue count as actions for valid consent?

GDPR Article 4(11) says:

“consent of the data subject means any … unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

(It should be noted that this definition is stricter than that of Article 2(h) of Directive 95/46 in that it requires an unambiguous indication of the data subject’s wishes and a clear affirmative action signifying agreement to the processing of personal data.)

Unambiguous statement or action

The controller has a duty to use statements and/or actions that enable the data subject to grant, refuse or terminate the permission for the controller to process the data subject’s personal data, and both the statements and the actions must be unambiguous (GDPR Article 4(11)).

In its literal sense, saying that the statement or action through which the data subject grants permission is unambiguous means that the statement or action is not open to more than one interpretation and that it signifies agreement to the processing, see WP29 Opinion 15/2011 on the definition of consent.

According to GDPR Recital 32, an action that affirms consent to the processing of personal data can be:

“conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data”.

Statement

According to the compromise embodied in GDPR Article 4(11), the controller’s request for consent may be a request in which the data subject’s “unambiguous indication … by a statement” signifies agreement to the processing of the data subject’s personal data.

According to GDPR Recital 32, a statement that affirms agreement to the processing of personal data can be:

“a written statement including by electronic means, or an oral statement … which (when eg visiting an internet website) clearly indicates (the) context (of) the data subject’s acceptance of the proposed processing of his or her personal data”.

GDPR Recital 32 says that a statement:

“could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement”. Thus, ticking an unchecked opt-in box counts as a statement.

If a data subject does not uncheck a pre-checked opt-in tick box, then the data subject does not affirm agreement according to GDPR Recital 32, which provides that:

“pre-ticked boxes … should not … constitute consent”.

For consent to cookies in relation to Article 5(3) of Directive 2002/58, this is confirmed by the Advocate General in the Planet 49 case, who says:

  1. It is not sufficient if the user’s declaration of consent is pre-formulated and if the user must actively object when he does not agree with the processing of data.
  2. In such a situation, one does not know whether such a pre-formulated text has been read and digested. The situation is not unambiguous. A user may or may not have read the text. He may have omitted to do so out of pure negligence. In such a situation, it is not possible to establish whether consent has been freely given.
  3. Requiring a user to positively untick a box and therefore become active if he does not consent to the installation of cookies does not satisfy the criterion of active consent. In such a situation, it is virtually impossible to determine objectively whether or not a user has given his consent on the basis of a freely given and informed decision. By contrast, requiring a user to tick a box makes such an assertion far more probable.

Action

According to the compromise embodied in GDPR Article 4(11), the controller’s consent request can be a request in which the data subject’s “unambiguous indication … by a clear affirmative action” signifies agreement to the processing of the data subject’s personal data.

The literal meaning of the term “clear affirmative action” is that it is easy to understand if and how an action affirms consent to the processing of personal data.

If, on the one hand, the data subject omits to give an indication to signify agreement, then GDPR Recital 32 provides that:

“silence … or inactivity should not … constitute consent”.

Silence or inactivity has inherent ambiguity (the data subject might have meant to assent or might merely have meant not to perform the action).

If, on the other hand, the data subject acts to give an indication to signify agreement, then the controller must specify which acts count as unambiguously (and, where required, explicitly) signifying agreement.

For consent to be a lawful basis for the processing of personal data under GDPR Article 4(11), the GDPR requires the explicit consent of the data subject when the controller:

  1. processes special personal data (Article 9.2 (a)).
  2. carries out automated decision making on special personal data (Article 22.4 ref. Article 9.2 (a)).
  3. transfers personal data to a third country or an international organisation (Article 49.1 (a)).

The GDPR does not define the term “explicit” consent.

In its literal sense, “explicit” means that the data subject must state his/her consent in words (whether oral or written) expressly, clearly and in detail, leaving no room for confusion or doubt.

The controller has a duty to enable the data subject to understand through which action the data subject grants or refuses permission to the controller to process the data subject’s personal data.

Similar to the requirements for the consent request itself, the controller has a duty to enable the data subject to have full knowledge of which actions the data subject uses to grant or refuse consent (“informed” etc.).

Hence, these actions must be presented in clear and plain language and in an easily accessible form (GDPR Article 7.2).

The design of the consent dialogue must not be abusive design, deceptive design (e.g. a cookie loads before consent is given, or loads when consent is refused), or dangerous design (e.g. a take-it-or-leave-it cookie wall, or last-minute consent in the final stages of an order).

Best in class design supports the action through which the data subject grants or refuses permission to the controller to process the data subject’s personal data with texts that state what the action of e.g. clicking a checkbox, button or switch means.
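The Statement and Action requirements above, together with the withdrawal duties under Article 7.3 discussed earlier, modelled as an added JavaScript example (this is not Signatu’s SDK or any code from the page; the purposes, labels and the loader callback are constructed):

```javascript
'use strict';

// Constructed purposes; each consent request covers exactly one purpose.
const PURPOSES = Object.freeze({
  analytics: 'Measure page visits with first-party analytics cookies',
  marketing: 'Show personalised adverts from an advertising partner',
});

// Per-subject consent state: purpose -> { decision, at }. No entry means no
// decision yet: silence or inactivity is not consent (Recital 32).
function createConsentState() {
  return { decisions: {} };
}

// Dialogue model: one unchecked box per purpose. A pre-ticked box would not be
// an affirmative action (Recital 32), so this model never produces one.
function buildDialogue(purposes) {
  return Object.keys(purposes).map((id) => ({ id, label: purposes[id], checked: false }));
}

// Record an explicit statement or action: 'granted' (e.g. ticking the box) or
// 'refused'. Anything else is not an unambiguous indication and is rejected.
function decide(state, purpose, decision) {
  if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
  if (decision !== 'granted' && decision !== 'refused') throw new Error('decision must be explicit');
  state.decisions[purpose] = { decision, at: new Date().toISOString() };
  return state;
}

// Withdrawal is the same one-step call as granting (Article 7.3: "as easy to
// withdraw as to give") and applies to one specific purpose previously granted.
function withdraw(state, purpose) {
  const d = state.decisions[purpose];
  if (!d || d.decision !== 'granted') throw new Error(`no consent to withdraw for ${purpose}`);
  state.decisions[purpose] = { decision: 'withdrawn', at: new Date().toISOString() };
  return state;
}

// Gate a loader (e.g. a tag that sets a cookie) on a recorded grant. With no
// decision, after refusal or after withdrawal the loader never runs, which
// rules out the "cookie loads before consent is given" deceptive design.
function loadIfConsented(state, purpose, loader) {
  const d = state.decisions[purpose];
  if (!d || d.decision !== 'granted') return false;
  loader();
  return true;
}
```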

Watch this space for guidance!

Is the action to terminate consent understandable?

Please see the comments above.

Is the data subject enabled to exercise his/her power freely?

GDPR Article 4(11) says:

“consent of the data subject means any … freely given … indication of the data subject’s wishes … to the processing of personal data relating to him or her.”

In its literal sense, a freely given indication signifying consent to the processing means that the consent is a decision to agree that is not under the control or influence of the controller.

The question then arises: what is a decision to agree that is not under the control or influence of the controller?

No genuine or free choice

GDPR Recital 42 says:

“consent should not be regarded as freely given if the data subject has no genuine or free choice (to) consent”.

GDPR Recital 43 says:

“consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case …” (see above).

GDPR Recital 42 says:

“consent should not be regarded as freely given if the data subject … is unable to refuse … consent without detriment”.

In its literal sense, “detriment” means a cause of harm or damage. Hence, consent can be considered to be invalid if refusing consent causes harm or damage to the data subject.

Conditionality

GDPR Article 7.4 says:

“when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”.

GDPR Recital 43 says:

“consent is presumed not to be freely given … if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance”.

First, GDPR Article 7.4 does not apply where the performance/provision of a contract/service involves the processing of personal data that is necessary for the performance of that contract. In this case, the controller should use GDPR Article 6(1)(b) (contract) as the legal basis instead of consent. (Note that necessity for the performance of a contract is not a legal basis for processing special categories of data!)

Second, GDPR Article 7.4 applies where the performance/provision of a contract/service involves the processing of personal data that is not necessary for the performance of that contract.

Hence, the question arises: when is the processing of personal data necessary, and when is it not necessary, for the performance of a contract?

According to WP29 Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, the term necessary for the performance of a contract needs to be interpreted strictly. There needs to be a direct and objective link between the processing of the data and the purpose of the execution of the contract. WP29 says the processing is necessary in the following examples:

  1. Processing the address of the data subject so that goods purchased online can be delivered, or
  2. Processing credit card details in order to facilitate payment.

For consent to cookies in relation to Article 5(3) of Directive 2002/58, this is confirmed by the Advocate General in the Planet 49 case, who says:

  1. To participate in an online lottery, users were required to tick a checkbox and to untick a pre-ticked checkbox to avoid the installation of cookies.
  2. Participation in the lottery was only possible if at least the first checkbox had been ticked. As a consequence, participation in the lottery was not conditional upon giving consent to the installation of and gaining access to cookies. For a user might as well have clicked the first checkbox (only).
  3. However, in such a situation, a user is not in a position to freely give his separate consent to the storing of information or the gaining of access to information already stored, in his terminal equipment since it was not made clear that participation in the lottery was not conditional upon giving consent to the installation of and gaining access to cookies. Un-ticking the checkbox on the cookies appeared like a preparatory act to the final and legally binding act which was ‘hitting’ the participation button.
  4. It must be made crystal-clear to a user whether the activity he pursues on the internet is contingent upon the giving of consent.
  5. A user must be in a position to assess to what extent he is prepared to give his data in order to pursue his activity on the internet.
  6. There must be no room for any ambiguity whatsoever. A user must know whether and, if so, to what extent his giving of consent has a bearing on the pursuit of his activity on the internet.

Third, in its literal sense, “utmost account shall be taken of” and “presumed” mean that conditioning the performance/provision of a contract/service on consent makes the consent invalid unless the controller can prove that consent was given freely.

Clear imbalance between the data subject and the controller

GDPR Recital 43 says:

“in order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation”.

WP29 says:

“consent should refer to the processing that is reasonable and necessary in relation to the purpose” and that falls “within the reasonable expectations of the data subject”, see WP29 Opinion 15/2011 on the definition of consent.

A data subject’s reasonable expectations may be based on the relationship with the controller, the legitimacy of the controller’s processing purposes, and whether the data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for a specific purpose may take place.

From a rights perspective, one may question whether a data subject would wish to grant a controller’s consent request, and so bring about its legal effect, if the consent:

  1. disadvantages the data subject’s interests.
  2. promotes, advances or satisfies the controller’s interest for the sole benefit of the controller.

The controller has a duty to provide the consent request to the data subject.

In cases where the website operator is joint controller with a 3rd party on the website, the Advocate General in the Fashion ID case says the website operator is in a position to provide end users with information about:

  1. the identity of the 3rd party who is a joint controller,
  2. the purpose of the respective stage of the processing over which the website operator and 3rd party have joint control,
  3. the fact that personal data will be transferred to a 3rd party.

The controller has a duty to provide the consent request to the end user and receive end user consent before personal data are processed, see Advocate General in the Fashion ID case.

The controller has a duty to receive the consent from the end user.

In cases where the website operator is joint controller with a 3rd party on the website, the Advocate General in the Fashion ID case says the website operator is in a position to receive the end user consent also on behalf of the 3rd party, limited to those aspects of the personal data processing operation(s) for which the joint controllers are jointly liable (often the collection and transmission of end user data to the 3rd party, but not further downstream processing).

The reasoning is that the processing operation is triggered when a website is actually visited by an end user, so the end user must provide the consent to the website operator.

The duty of the website operator to receive consent does not extend to subsequent stages of the data processing in which the website operator is not involved and for which it does not determine either the processing means or purposes.

The consent dialogue should link to the Privacy Policy.

The consent requests must be declared in the Privacy Policy that is in force at the time the consent requests are live, so that the two stay synchronised over time.

The consent requests and Privacy Policy should be version controlled and time stamped.