In the “me too” era we all know that consent is a must to have and prove, and it’s no different for processing personal data.
Definition of Consent
The Merriam Webster Dictionary explains the term ‘consent’ as “compliance in or approval of what is done or proposed by another.” So, in the privacy context, that means you first need to explain to your data subject what personal information of theirs you would like to process and for what purpose, what third parties you might share the data with, how long you’ll store it, etc. Then you ask for consent for the aforementioned.
What does the GDPR say about consent?
The GDPR states 6 bases for processing personal data lawfully. You must have at least one of these bases covered, or else you cannot process the personal data.
One of the bases is ‘consent’. Data subjects must have given consent to the processing of their personal data for one or more specific purposes. That means that when you ask for consent you need to provide information about what you’re going to use their data for. And, hopefully this speaks for itself, you cannot use/process the data for any other purpose than what was agreed upon.
So what are the rules of consent?
- The burden of proof lies with you as controller. If you ask a data subject for consent you will need to store that consent information carefully. This is mandatory to prove that you are lawfully processing the data. If you buy data you must also make sure that the seller has consent. My advice is to get it in writing from the seller. Also, when approaching a data subject from whom you did not get the personal data directly, you must mention the source from which you got the data, so that the data subject can contact that party in case they decide they don’t want it to be used anymore. But we’ll discuss revoking consent further in point 3.
- Granular consent is a must. This means that you cannot have those large paragraphs of text with multiple questions and just one tick box. For instance: “You agree to our terms and conditions AND you consent to us processing your data AND you will subscribe to our newsletter, AND….” No, you must mention separately and in clear language what you are going to do with the personal data, whom you’re going to share it with, etc.
- The consent-giver can taketh away. A data subject can always withdraw their consent. I’ve written a Dutch blog post regarding a schoolchild who as a tween revoked its (keeping gender neutral for privacy purposes) consent 10 years after the publishing of an interview it had done as a child. It took some effort to anonymize the interview and to delete it from Google’s cache memory. But within a week it was fixed, to everyone’s delight. Another example: I’ve also had a client that was in the unfortunate situation where they had posted a video online with its employees, and, you guessed it, a former employee withdrew his consent. The video, which was still being used as promotional material (and cost a few bucks), could not be used at all because of the way they had set it up and edited it: they could not delete solely the part with the particular data subject. So, if you’re thinking about creating a video like this, always keep in mind the possibility of a withdrawal – a voice-over would have been a better solution than having people speak in the video. That way you can re-edit the visual work and, if necessary, adjust the voice-over. That is minimal work compared to the above.
- The consent has to be freely given. You’d think that was self-evident, but then hey, we wouldn’t need a ‘me too’ movement, would we. So, back to the privacy context: you need to make sure that consent isn’t forced upon another. An example in the workplace could be using photos of employees for an intranet site. If the manager asks someone and they don’t consent, but then other employees, or the manager him-/herself, become difficult or pressure the employee, the consent isn’t considered freely given and the processing is in fact considered unlawful. If this employee makes a complaint to a data protection authority, who knows what the consequences would be. Either way, not worth the risk I’d say, so play by the rules. Explain to the data subject that they have the right not to consent and that there are no penalties or negative consequences if they decide not to give consent. Also inform them about their right to withdraw their consent later on.
Tick boxes and Opt-ins
Opt-in means that someone has to actively choose to give consent. If you have a pre-ticked box, that means they didn’t actively consent, and further processing of the data is considered unlawful and could result in penalties. Pre-ticked boxes are a major no-no! I suppose I shouldn’t be surprised at still seeing so many pre-ticked boxes everywhere, but I am. So be warned, no pre-ticked boxes; repeat after me: no pre-ticked boxes! And feel free to complain to and/or inform websites and organizations who still use them.
Would you like to learn more about consent and other privacy & risk related subjects? Sign up now for the 60 Day Privacy & Risk Challenge (starts February 3rd via LinkedIn).