This Guide provides a general introduction to how controllers (website and app owners) can meet the GDPR requirements for the Consent Request, the Consent Dialogue, who provides the Consent Request and when to provide the Consent Request, including:
the GDPR attitude to consent with its definition, modalities and dynamics of consent.
the “CONSENT-OMETER” methodology to assess whether GDPR consent requirements are met.
Signatu helps you with consent:
We will soon publish special guides for the following:
The GDPR, if applicable, prohibits a controller to process a data subject’s personal data except if the GDPR makes an exemption.
The GDPR exempts from the prohibition for a controller to process a data subject’s personal data if a specific legal basis permits the controller to process the data subject’s personal data.
The GDPR provides a specific legal basis that permits a controller to process a data subject’s personal data if the data subject permits the controller to process the data subject’s personal data.
The specific legal basis in GDPR Article 6.1 (a) permits a controller to process a data subject’s ordinary personal data if the data subject permits the controller to process the data subject’s personal data.
The specific legal basis in GDPR Article 9.2 (a) permits a controller to process a data subject’s special personal data if the data subject permits the controller to process the data subject’s personal data.
GDPR Article 9.2 (a) requires the explicit consent of the data subject.
The GDPR says that personal data are special if the processing of personal data reveals racial origin, ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership. Personal data are also special if genetic data are processed for the purpose of uniquely identifying a natural person (GDPR Article 4 (13) defines genetic data), or if biometric data are processed for the purpose of uniquely identifying a natural person (GDPR Article 4 (14) defines biometric data). Special personal data further include data concerning health (GDPR Article 4 (15) defines data concerning health), data concerning a natural person’s sex life and data concerning a natural person’s sexual orientation. Have a look at GDPR Article 9.1 to see the definition of special personal data. To see further conditions, including limitations, for processing special personal data, look at GDPR Article 9.4.
The specific legal basis in GDPR Article 22.2 (c) and 22.4 permits a controller to carry out automated decision making if the data subject permits the controller to process the data subject’s personal data.
GDPR Article 22.4 (ref. Article 9.2 (a)) requires the explicit consent of the data subject.
The specific legal basis in GDPR Article 18.2 permits a controller to process restricted personal data if the data subject permits the controller to process the data subject’s personal data.
The specific legal basis in GDPR Article 49.1 (a) permits a controller to transfer the data subject’s personal data to a third country or an international organisation if the data subject permits the controller to process the data subject’s personal data.
GDPR Article 49.1 (a) requires the explicit consent of the data subject.
Advocate General in the Planet 49 case says:
Watch this space for guidance!
GDPR Article 4(11) provides the following definition of consent:
‘For the purposes of this Regulation: “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
From the data subject’s perspective, the legal modalities of consent would be captured by saying that:
a data subject’s right to grant a controller permission to process his or her personal data is equivalent to the controller having no right to process (or not to process) the data subject’s personal data.
From the controller’s perspective, the legal modalities of consent would be captured by saying that:
the permission that the data subject has granted the controller to process the data subject’s personal data is equivalent to saying that the controller has a privilege, a permissive right and a mere liberty right toward the data subject to process (or not to process) the data subject’s personal data.
The dynamics of consent would be captured by saying that:
(in a legal capacity) the data subject holds the power to grant permission, to not grant permission or to terminate any permission previously granted to the controller with respect to processing of the data subject’s personal data through any action that grants, does not grant or terminates the permission and its legal effect.
Hence, one can say that:
the data subject’s performance of an action grants or terminates the permission (vis-à-vis the controller processing the data subject’s personal data) and its legal effect which the data subject pursues in his or her own interest.
Or one can say that:
the data subject may grant or terminate the permission (vis-à-vis the data controller processing the data subject’s personal data) and its legal effect through the action.
This is equivalent to saying that:
the controller is subject to and is not immune from the data subject’s power to permit (or to refuse or terminate) the permission toward the controller with respect to processing the data subject’s personal data.
If the controller processes the data subject’s personal data without the data subject’s permission, then the controller lacks the permissive right to process the data subject’s personal data, and corresponding sanctions against the controller can be activated.
“CONSENT-OMETER” is a detailed methodology to assess whether or how a controller enables the data subject to effectively exercise the data subject’s power:
The data subject’s right to be power-enabled by the controller is specified by several requirements in the GDPR.
GDPR Article 5.1(b) says:
“personal data shall be collected for specified … purposes”.
GDPR Article 6.1(a) says:
“processing shall be lawful only if and to the extent that at least one of the following applies: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.”
GDPR Article 4(11) says:
“consent of the data subject means any … specific … indication of the data subject’s wishes … to the processing of personal data relating to him or her.”
In its literal sense, a specific indication that signifies consent to the controller’s processing of the data subject’s personal data means:
the controller has a duty to provide specific information in the consent request to the data subject to enable the data subject to use that information to assess the effects of any consent s/he might give.
Which specific information must be provided in the consent request?
According to the GDPR and Guides from Data Protection Authorities, the following questions must be answered and provided in the consent request for the consent to be specific:
For consent to cookies in relation to Article 5(3) of Directive 2002/58, the Advocate General in the Planet 49 case says:
Which information must be provided in the consent request in cases of joint controllership?
The information must cover all the aspects of the personal data processing operation(s) for which the joint controllers are jointly liable.
In cases of 3rd parties on websites, this is often the collection and transmission of end user data to the 3rd party (but not further downstream).
The duty of the website operator does not extend to subsequent stages of the data processing in which the website operator is not involved and for which it does not determine either the processing means or purposes.
How must the information in the consent request be linked for the consent to be specific?
In its literal sense, specific indication that signifies consent to controller’s processing of the data subject’s personal data also means:
the controller has a duty to link the specific information in the consent request to the data subject to enable the data subject to use that information to assess which specific personal data A1 is processed by a specific processing method and activity B1 for a specific purpose C1 on a specific legal basis D1 by a specific controller E1.
Controller’s duty to link the specific information enables the data subject to clearly comprehend, without any guesswork, that A1 is processed by activity B1 and not B2 for the specific purpose C1 and not C2 etc.
However, linking information is not sufficient to reduce or remove ambiguity and interpretation from the information. This is dealt with below.
Yes.
The controller has a duty to provide one processing purpose only in a single consent request, to enable the data subject to freely give or refuse consent to separate data processing operations (GDPR Article 6.1(a), GDPR Recital 43).
It follows that the GDPR prohibits controllers from bundling several processing purposes in a single consent request.
Note that the GDPR permits controllers to provide several personal data and processing activities for one single purpose in a single consent request (GDPR Article 5.1(b) and Recital 32).
For consent to cookies in relation to Article 5(3) of Directive 2002/58, this is confirmed by the Advocate General in the Planet 49 case, who says:
Can a specific processing purpose be widened without requiring new consent?
Yes, but there are limitations.
GDPR Article 5.1(b) says:
“personal data shall be collected for specified … purposes and not further processed in a manner that is incompatible with those purposes”
GDPR Article 6.4 (a) - (e) gives clues for how to assess whether the processing for a purpose other than that for which the personal data have been collected is compatible with the purpose for which the personal data were initially collected.
GDPR Article 6.4 (a) - (e) says one must take into account: (a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing; (b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller; (c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10; (d) the possible consequences of the intended further processing for data subjects; (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.
What are the information quality requirements for the consent request?
GDPR Article 4(11) says:
“consent of the data subject means any … informed … indication of the data subject’s wishes … to the processing of personal data relating to him or her.”
In its literal sense, an informed indication that signifies consent to the processing means:
the controller has a duty to provide the specific and linked information in the consent request to the data subject to enable the data subject to use that information to assess the effects of any consent s/he might give without ambiguity and interpretation from the information.
This is supported by GDPR Recital 32, which says:
“if the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise”.
Must the information in the consent request be understandable in the mind of the author or the reader to qualify for informed consent?
Plain language, easy to understand
GDPR Recital 42 says:
“in accordance with Council Directive 93/13/EEC (1) a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language”.
Also, GDPR Recital 58 says:
“the principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language … be used”.
GDPR Recital 42 says the controller’s consent request must be intelligible.
Further, GDPR Recital 39 and 58 say the controller’s consent request must be easy to understand.
The wording seems to indicate that the notions of “plain language” that is “easy to understand” do not refer to:
In its literal sense, an indication in “plain language” that is “easy to understand” and that signifies consent to the processing means:
the controller has a duty to provide the specific and linked information in the consent request to the data subject to enable the average data subject that is targeted to use that information to easily assess the effects of any consent s/he might give without ambiguity and interpretation from the information.
This understanding is also the understanding of:
“The obligation to inform is linked to consent in that there must always be information before there can be consent. Given the conceptual proximity of an internet user (and provider) to that of a consumer (and trader), one can resort at this stage to the concept of the average European consumer who is reasonably well informed and reasonably observant and circumspect and who is able to take the decision to make an informed commitment.”
In the case of cookie consent, the Advocate General in the Planet 49 case says:
“… due to the technical complexity of cookies, the asymmetrical information between provider and user and, more generally, the relative lack of knowledge of any average internet user, the average internet user cannot be expected to have a high level of knowledge of the operation of cookies. Thus, clear and comprehensive information implies that a user is in a position to be able to easily determine the consequences of any consent he might give. To that end he must be able to assess the effects of his actions. The information given must be clearly comprehensible and not be subject to ambiguity or interpretation. It must be sufficiently detailed so as to enable the user to comprehend the functioning of the cookies actually resorted to.”
A rough simplification of language properties may give ideas for how to author a consent request that is understandable.
Roughly speaking, natural language can be described in four dimensions:
Understanding the correlations between the dimension pairs of a natural language may give further ideas regarding how to author a consent request so it will be understandable:
Which target language must the consent request have to be understandable?
The GDPR says in Recital 39, 58 and 60 that controllers have a duty to provide data subjects with information that is understandable for data subjects.
In a literal sense, this means controllers must provide the information in the consent request in the country specific language of the data subjects.
This understanding is also the understanding of WP29 (endorsed by EDPB) in its Guidelines on Transparency under Regulation 2016/679 (wp260rev.01), which say that information must be provided in the language of the target audience.
What constitutes “targeting” of data subjects in an EU State?
Watch this space for guidance!
Can multiple consent requests provided at the same time qualify the consent requests as not easy to understand?
It is questionable whether any or all of a controller’s consent requests, if they are multiple and provided at the same time to a data subject, can count as invalid solely because of the amount of information.
Can alternative representations of text language make the consent request easy to understand?
Watch this space for guidance!
Which form makes the consent request accessible?
GDPR Recital 39 and 58 say the principle of transparency requires that any information addressed to the public or to the data subject must be “easily accessible”.
WP29 (endorsed by EDPB) in its Guidelines on Transparency under Regulation 2016/679 (wp260rev.01) says that written information in consent requests must be accessible for vision-impaired end users (if any).
What makes information in a consent request accessible?
End user accessibility needs are needs that relate to:
Watch this space for guidance!
Is the dialogue for consent and objection to processing clearly distinguishable from other information?
GDPR Article 7.2 says:
“if the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding”.
Also, when controllers base personal data processing for direct marketing purpose on consent, GDPR Article 21.4 says:
“at the latest at the time of the first communication with the data subject, the right (to object) referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.”
Watch this space for guidance!
In its literal sense, “clearly distinguishable from other matters/any other information” means that what is presented as a request for consent or objection to direct marketing is without doubt recognized or identified as a consent request/objection to direct marketing with features that distinguish the consent request/objection to direct marketing from other matters.
What distinguishes the consent request/objection to direct marketing from other matters consists of how a consent request/objection to direct marketing differs from other information in the same context:
Watch this space for guidance!
Below, the internal elements of the consent dialogue will be presented.
Are the actions through which consent is granted or refused provided in the consent dialogue?
GDPR Article 4(11) says:
“consent of the data subject means any … indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
It follows that the controller has a duty to provide the consent request in a dialogue which informs the data subject about the actions through which the data subject is enabled to exercise his/her power to grant or refuse permission for the controller to process the data subject’s personal data.
On websites and apps, the actions through which the data subject is enabled to exercise his/her power to grant or refuse permission for the controller to process the data subject’s personal data are normally:
1. checkboxes, 2. buttons, or 3. switches.
Watch this space for guidance!
Must the actions to object to processing be provided in the consent dialogue?
Controllers may base personal data processing for direct marketing purpose on consent.
GDPR Article 21.2 says:
“Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.”
GDPR Article 21.5 says:
“In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.”
GDPR Article 21.4 says:
“at the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.”
Hence, controllers have a duty to enable the data subject to object at any time by automated means to the processing of their personal data for direct marketing purposes.
Watch this space for guidance!
Is the action through which a consent can be terminated provided in the consent dialogue?
First, GDPR Article 7.3, last sentence says:
“it shall be as easy to withdraw as to give consent.”
Second, GDPR Article 7.3, 1st sentence says:
“the data subject shall have the right to withdraw his or her consent at any time.”
In its literal sense, “as easy to withdraw as to give consent” means a duty for the controller to enable the data subject:
In its literal sense, “right to withdraw … consent at any time” means a duty for the controller to enable the data subject to withdraw consent at any time after giving consent including with or without any intervening time after giving consent.
Hence, the dialogue to withdraw consent:
Watch this space for guidance!
Which actions through which consent is granted or refused in the consent dialogue count as actions for valid consent?
GDPR Article 4(11) says:
“consent of the data subject means any … unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
(It should be noted that this definition is stricter than that of Article 2(h) of Directive 95/46 in that it requires an unambiguous indication of the data subject’s wishes and a clear affirmative action signifying agreement to the processing of personal data.)
The controller has a duty to use statements and/or actions that enable the data subject to grant, refuse or terminate the permission for the controller to process the data subject’s personal data, and those statements and/or actions must be unambiguous (GDPR Article 4(11)).
In its literal sense, that a statement or action through which the data subject grants the permission is unambiguous means that the statement or action is not open to more than one interpretation and that the statement signifies agreement to the processing, see WP29 Opinion 15/2011 on the definition of consent.
According to GDPR Recital 32, an action that affirms consent to the processing of personal data can be:
“conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data”.
According to the compromise embodied in GDPR Article 4(11), the controller’s request for consent may be a request in which the data subject’s “unambiguous indication … by a statement” signifies agreement to the processing of the data subject’s personal data.
According to GDPR Recital 32, a statement that affirms agreement to the processing of personal data can be:
“a written statement including by electronic means, or an oral statement … which (when eg visiting an internet website) clearly indicates (the) context (of) the data subject’s acceptance of the proposed processing of his or her personal data”.
GDPR Recital 32 says that a statement:
“could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement”. Thus, ticking an unchecked opt-in box counts as a statement.
If a data subject does not uncheck a pre-checked opt-in tick box, then the data subject does not affirm agreement according to GDPR Recital 32, which provides that:
“pre-ticked boxes … should not … constitute consent”.
For consent to cookies in relation to Article 5(3) of Directive 2002/58, this is confirmed by the Advocate General in the Planet 49 case, who says:
According to the compromise embodied in GDPR Article 4(11), the controller’s consent request can be a request in which the data subject’s “unambiguous indication … by a clear affirmative action” signifies agreement to the processing of the data subject’s personal data.
The literal meaning of the term “clear affirmative action” is that it is easy to understand if and how an action affirms consent to the processing of personal data.
If, on the one hand, the data subject omits to give an indication to signify agreement, then GDPR Recital 32 provides that:
“silence … or inactivity should not … constitute consent”.
Silence or inactivity has inherent ambiguity (the data subject might have meant to assent or might merely have meant not to perform the action).
If, on the other hand, the data subject acts to give an indication to signify agreement, then the controller must qualify those acts that count as acts to unambiguously (and explicitly if needed) signify agreement.
For consent to be a lawful basis for the processing of personal data under GDPR Article 4(11), the GDPR requires the explicit consent of the data subject when the controller:
The GDPR does not define the term “explicit” consent.
In its literal sense, “explicit” means that the data subject must state his/her consent in words (whether oral or written) expressly, clearly and in detail, leaving no room for confusion or doubt.
The controller has a duty to enable the data subject to understand through which action the data subject grants or refuses permission to the controller to process the data subject’s personal data.
Similar to the requirements for the consent request itself, the controller has a duty to enable the data subject to have full knowledge of which actions that the data subject uses to grant or refuse consent (“informed” etc).
Hence, these actions must be presented in clear and plain language and in an easily accessible form (GDPR Article 7.2).
The design of the consent dialogue must not be abusive design, deceptive design (e.g. a cookie loads before consent is given, or loads when consent is refused), or dangerous design (e.g. a take-it-or-leave-it cookie wall, or last-minute consent in the final stages of an order).
Best in class design supports the action through which the data subject grants or refuses permission to the controller to process the data subject’s personal data with texts that state what the action of e.g. clicking a checkbox, button or switch means.
Watch this space for guidance!
Is the action to terminate consent understandable?
Please see the comments above.
Is the data subject enabled to exercise his/her power freely?
GDPR Article 4(11) says:
“consent of the data subject means any … freely given … indication of the data subject’s wishes … to the processing of personal data relating to him or her.”
In its literal sense, a freely given indication that signifies consent to the processing means that the indication signifies that consent is a decision to agree that is not under the control or influence of the data controller.
Then the question arises: what is a decision to agree that is not under the control or influence of the controller?
GDPR Recital 42 says:
“consent should not be regarded as freely given if the data subject has no genuine or free choice (to) consent”.
GDPR Recital 43 says:
“consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case …” (see above).
GDPR Recital 42 says:
“consent should not be regarded as freely given if the data subject … is unable to refuse … consent without detriment”.
In its literal sense, “detriment” means a cause of harm or damage. Hence, consent can be considered to be invalid if refusing consent causes harm or damage to the data subject.
GDPR Article 7.4 says:
“when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”.
GDPR Recital 43 says:
“consent is presumed not to be freely given … if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance”.
First, GDPR Article 7.4 does not apply where the performance/provision of a contract/service involves the processing of personal data that is necessary for the performance of that contract. In this case, the controller should use GDPR Article 6.1 (b) (contract) as the legal basis instead of consent. (Note that the necessity for performance of a contract is not a legal basis for processing special categories of data!)
Second, GDPR Article 7.4 applies where the performance/provision of a contract/service involves the processing of personal data that is not necessary for the performance of that contract.
Hence, the question arises: when is the processing of personal data necessary, and when is it not necessary, for the performance of a contract?
According to WP29 Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, the term necessary for the performance of a contract needs to be interpreted strictly. There needs to be a direct and objective link between the processing of the data and the purpose of the execution of the contract. WP29 says the processing is necessary in the following examples:
For consent to cookies in relation to Article 5(3) of Directive 2002/58, this is confirmed by the Advocate General in the Planet 49 case, who says:
Third, in its literal sense, “utmost account shall be taken of” and “presumed” mean that conditioning the performance/provision of a contract/service on consent makes the consent invalid unless the controller can prove that consent was given freely.
GDPR Recital 43 says:
“in order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation”.
WP29 says:
“consent should refer to the processing that is reasonable and necessary in relation to the purpose” and that falls “within the reasonable expectations of the data subject”, see WP29 Opinion 15/2011 on the definition of consent.
A data subject’s reasonable expectations may be based on the relationship with the data controller, the legitimacy of controller’s processing purposes, whether the data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for a specific purpose may take place.
From a rights perspective, one may question whether a data subject wishes to consent to a data controller’s consent request in order to enable himself/herself to achieve the legal effect of the consent request if the consent:
The controller has a duty to provide the consent request to the data subject.
In cases where the website operator is joint controller with a 3rd party on the website, the Advocate General in the Fashion ID case says the website operator is in a position to provide end users with information about:
The controller has a duty to provide the consent request to the end user and receive end user consent before personal data are processed, see Advocate General in the Fashion ID case.
The controller has a duty to receive the consent from the end user.
In cases where the website operator is joint controller with a 3rd party on the website, the Advocate General in the Fashion ID case says the website operator is in a position to receive the end user consent also for the 3rd party, limited to the aspects of the personal data processing operation(s) for which the joint controllers are jointly liable (which is often the collection and transmission of end user data to the 3rd party, but not further downstream).
The reasoning is that, since the processing operation is triggered when a website is actually visited by an end user, the end user must provide the consent to the website operator.
The duty of the website operator to receive consent does not extend to subsequent stages of the data processing in which the website operator is not involved and for which it does not determine either the processing means or purposes.
The consent dialogue should link to the Privacy Policy.
The consent requests must be declared in the Privacy Policy that is in force at the same time.
The consent requests and Privacy Policy should be version controlled and time stamped.
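The linking of A1/B1/C1/D1/E1, the one-purpose rule, the explicit-consent cases, the rules on pre-ticked boxes, silence and withdrawal, and the versioning points just listed can be checked mechanically in a consent dialogue. The JavaScript below is an added example written for this edit, not Signatu’s code or code from the guide; the request shape, field names, action names and sample values are all assumptions constructed for illustration.

```javascript
// Added example (not Signatu's code, not from the guide): a small assessor for a
// consent request and its dialogue, following the points this guide walks through.
// Every name, field and sample value below is constructed for illustration.

// Special categories listed by the guide (GDPR Article 9.1).
const SPECIAL_CATEGORIES = new Set([
  'racial origin', 'ethnic origin', 'political opinions', 'religious beliefs',
  'philosophical beliefs', 'trade union membership', 'genetic data',
  'biometric data', 'health', 'sex life', 'sexual orientation',
]);

// Actions this guide lists for websites and apps; only these grant or refuse.
const GRANT_ACTIONS = new Set(['checkbox-ticked', 'button-accept', 'switch-on', 'explicit-statement']);
const REFUSE_ACTIONS = new Set(['checkbox-unticked', 'button-refuse', 'switch-off']);

// Situations where the GDPR requires *explicit* consent (Art. 9.2(a), 22.4, 49.1(a)).
function explicitConsentReasons(request) {
  const reasons = [];
  if ((request.data || []).some((d) => SPECIAL_CATEGORIES.has(d.category))) reasons.push('special category data, Art. 9.2(a)');
  if (request.automatedDecisionMaking) reasons.push('automated decision making, Art. 22.4');
  if (request.thirdCountryTransfer) reasons.push('third country transfer, Art. 49.1(a)');
  return reasons;
}

// Assess one consent request. Returns an array of findings; an empty array means
// none of the checks below was tripped (it is a design check, not a legal opinion).
function assessConsentRequest(request) {
  const findings = [];
  const d = request.dialogue || {};
  // Linking: specific data A1 by activity B1 for purpose C1 on legal basis D1 by controller E1.
  if (!request.data || request.data.length === 0) findings.push('no personal data (A) linked');
  if (!request.activities || request.activities.length === 0) findings.push('no processing activity (B) linked');
  if (!request.legalBasis) findings.push('no legal basis (D) linked');
  if (!request.controller) findings.push('no controller (E) linked');
  // One purpose per request (Art. 6.1(a), Recital 43). Several data items and
  // activities for that one purpose are allowed (Art. 5.1(b), Recital 32).
  const purposes = request.purposes || [];
  if (purposes.length !== 1) findings.push(`exactly one purpose (C) per request, found ${purposes.length}`);
  // Pre-ticked boxes, silence and inactivity do not constitute consent (Recital 32).
  if (d.defaultState !== 'off') findings.push('control must start in the off/unticked state');
  // Explicit consent: a statement in words, not a mere click (Art. 9.2(a), 22.4, 49.1(a)).
  const reasons = explicitConsentReasons(request);
  if (reasons.length > 0 && d.kind !== 'explicit-statement') {
    findings.push(`explicit consent required (${reasons.join('; ')}) but dialogue is '${d.kind}'`);
  }
  // It shall be as easy to withdraw as to give consent (Art. 7.3).
  if (!(d.withdrawSteps > 0) || d.withdrawSteps > d.grantSteps) findings.push('withdrawal must be as easy as giving consent');
  // Version control and link to the Privacy Policy in force.
  if (!request.version || !request.privacyPolicyVersion) findings.push('request and Privacy Policy must be versioned');
  return findings;
}

// Turn a dialogue event into a time-stamped consent record. Anything that is not
// a listed affirmative or refusing action (scrolling, closing, timeout) is 'none'.
function recordConsentEvent(request, event) {
  let state = 'none';
  if (GRANT_ACTIONS.has(event.action)) state = 'granted';
  else if (REFUSE_ACTIONS.has(event.action)) state = 'refused';
  return {
    requestId: request.id,
    requestVersion: request.version,
    privacyPolicyVersion: request.privacyPolicyVersion,
    purpose: (request.purposes || [])[0],
    action: event.action,
    state,
    at: event.at,
  };
}

// Withdrawal is possible at any time after granting, with no waiting period.
function withdrawConsent(record, at) {
  if (record.state !== 'granted') return record; // nothing to withdraw
  return { ...record, state: 'withdrawn', withdrawnAt: at };
}

// Gate for loading a cookie or script tied to a purpose: only an unwithdrawn grant allows it.
function mayProcess(record) {
  return record !== undefined && record.state === 'granted';
}

// Constructed sample requests: one that passes every check, one that trips several.
const newsletterRequest = {
  id: 'req-newsletter', version: '3', privacyPolicyVersion: '2019-07',
  controller: 'Example Shop Ltd (constructed)',
  data: [{ name: 'email address', category: 'contact' }],
  activities: ['storing the address', 'sending a weekly newsletter'],
  purposes: ['direct marketing by e-mail'],
  legalBasis: 'GDPR Article 6.1(a)',
  dialogue: { kind: 'checkbox', defaultState: 'off', grantSteps: 1, withdrawSteps: 1 },
};

const bundledRequest = {
  id: 'req-bundled', version: '1', privacyPolicyVersion: '',
  controller: 'Example Shop Ltd (constructed)',
  data: [{ name: 'allergy information', category: 'health' }],
  activities: ['profiling'],
  purposes: ['personalised offers', 'analytics'],
  legalBasis: 'GDPR Article 9.2(a)',
  dialogue: { kind: 'checkbox', defaultState: 'on', grantSteps: 1, withdrawSteps: 3 },
};
```

Running `assessConsentRequest(bundledRequest)` lists the bundled purposes, the pre-ticked control, the missing explicit statement for health data, the harder withdrawal and the missing Privacy Policy version, while the newsletter request returns no findings.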