
GDPR consent in practice – Part 2: Methods

December 13, 2017 by Julie Tamba

After reviewing when it is opportune to obtain consent, it is time to take a closer look at ways to obtain consent.

How should consent be obtained?

Consent is defined by the GDPR as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her“.

Although the previous definition under EU law did not contain this notion of a “statement or clear affirmative action”, the Article 29 Working Party had already indicated, in its Opinion 15/2011 on the definition of consent, that:

  • “It should be made clear that the use of default options which the data subject is required to modify in order to reject the processing (consent based on silence) does not in itself constitute unambiguous consent”;
  • “The words ‘indication’ and ‘signifies’ point in the direction of an action indeed being needed (as opposed to a situation where consent could be inferred from a lack of action)”.

In other words, consent necessarily implies a positive action, but which kind of positive action?

This could be an opt-in tick box, a signature, or “dropping a business card in a glass bowl”, provided it (i) can be “freely given” or refused without detriment, (ii) is “specific” to a clearly defined scope, (iii) follows information “at least of the identity of the controller and the purposes” and (iv) qualifies as “unambiguous”.

Under such a definition, acceptance of general terms and conditions, pre-ticked boxes, information accompanied by a mere right to object, or Internet browser settings that are set by default to collect data should not be considered as consent. In contrast, the Article 29 Working Party confirmed – in its recent draft guidelines WP259 on consent – that “swiping on a screen, waiving in front of a smart camera, turning a smartphone around clockwise, or in a figure eight motion may be options to indicate agreement”.

Furthermore, in its UX guide to getting consent, the IAPP advises that a real active choice from the data subject implies providing options which “drive a decision”, and bans default options and pre-ticked boxes (be it an opt-in or an opt-out) as well as promoted choices (where the decision seems pre-ordained by colour, wording, location on the page, etc.).

Consent vs. explicit consent

On the other hand, the GDPR distinguishes between “consent” and “explicit consent” (the latter being required for automated decisions, sensitive data, and transfers).

Back in 2011, for the Article 29 Working Party, “explicit” (also called “express”) consent encompassed situations “where individuals are presented with a proposal to agree or disagree to a particular use or disclosure of their personal information and they respond actively to the question, orally or in writing”; the other type of consent must be unambiguous and encompasses “actions that aim at indicating agreement”.

In other words, explicit consent requires the above-mentioned “statement” (e.g. “I agree to the processing of my data by … for …”), while unambiguous consent requires the “clear affirmative action” (e.g. sending the required data after being informed of how it will be processed). This was confirmed in December 2017 by the same Article 29 Working Party, which specified that in a digital context a person could issue such a statement “by filling in an electronic form, by sending an email, by uploading a scanned document carrying the signature of the data subject, or by using an electronic signature”.

The case of browsing

In its decision 2013-378 on cookies, the French Data Protection Authority considered that clicking on an element of a website – after being informed that such an act means consent to the installation of cookies on their device – constitutes unambiguous consent.

This situation deserves closer examination, as it raises a number of questions.

Will this option still be considered a clear affirmative action under the GDPR? Clicking on the website certainly is a positive action, but does it affirm that the data subject agrees to the installation of cookies, or simply that they want to access the content of the website? This is even more paradoxical if one considers that, to access the website without the installation of cookies, a data subject must in reality take a positive action to refuse cookies, by configuring the relevant settings or opting out accordingly before browsing.

Given that the definition of consent did not change much under the GDPR, previously adopted solutions could – theoretically speaking – remain unchanged. It may also be noted that while the first version of the GDPR adopted by the EU Parliament on 12 March 2014 mentioned in §25 of its preamble that “Silence, mere use of a service or inactivity should therefore not constitute consent”, the wording “mere use of a service” became “pre-ticked boxes” in the final version, and hence left the door open for browsing to be considered as consent.

Yet it seems that Data Protection Authorities will close this gap. For example, the UK Data Protection Authority – in its guidance on consent dated March 2017 – clearly stated that “all consent must be opt-in consent – there is no such thing as ‘opt-out consent’. Failure to opt out is not consent”.

More importantly, the Article 29 Working Party indicated – in its draft guidelines WP259 on consent – that:

  • “‘regular’ consent requirement in the GDPR is already raised to a higher standard compared to the consent requirement in Directive 95/46/EC”;
  • “Silence or inactivity on the part of the data subject, as well as merely proceeding with a service cannot be regarded as an active indication of choice”;
  • “Scrolling down or swiping through terms and conditions which include declarations of consent (where a statement comes up on screen to alert the data subject that continuing to scroll will constitute consent) will not satisfy the requirement of a clear and affirmative action”.

Moreover, certain practical elements may lead entities to modify their current habits:

  • the necessity to demonstrate consent to the authorities (which may prove technically difficult where the user simply clicked on the website);
  • the requirement that withdrawing consent shall be as easy as giving it (how can withdrawal of consent be as easy as scrolling down?);
  • the necessity to obtain consent that prevails over the existing privacy settings collected by browsers (the Article 29 Working Party indicated in its Opinion 1/2017 that “Implicit types of ‘consent’, such as a click on the website or scrolling of the page, cannot override choices with regard to storage and the DNT signal”).

Of course, since business teams generally deal much better with tacit acceptance than with active acceptance, this will most likely force some tough choices in certain sectors.
