GDPR consent in practice – Part 2: Methods
December 13, 2017 by Julie Tamba
After reviewing when it is opportune to obtain consent, it is time to take a closer look at ways to obtain consent.
How should consent be obtained?
Consent is defined by the GDPR as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Although the previous definition under EU law did not contain this notion of “statement” or “clear affirmative action”, the Article 29 Working Party had previously indicated in its opinion 15/2011 on the definition of consent that:
- “It should be made clear that the use of default options which the data subject is required to modify in order to reject the processing (consent based on silence) does not in itself constitute unambiguous consent”;
- “The words “indication” and “signifies” point in the direction of an action indeed being needed (as opposed to a situation where consent could be inferred from a lack of action)”.
In other words, consent necessarily implies a positive action, but which kind of positive action?
This could be an opt-in tick box, a signature, or “dropping a business card in a glass bowl”, provided it (i) can be “freely given” or refused without detriment, (ii) is “specific” to a clearly defined scope, (iii) follows information given “at least of the identity of the controller and the purposes” and (iv) qualifies as “unambiguous”.
Under such a definition, acceptance of general terms and conditions, pre-ticked boxes, information with a right to oppose, or Internet browser settings that are set by default to collect data should not be considered as consent. In contrast, the Article 29 Working Party confirmed – in its recent draft guidelines WP259 on consent – that “swiping on a screen, waiving in front of a smart camera, turning a smartphone around clockwise, or in a figure eight motion may be options to indicate agreement”.
Furthermore, in its UX guide to getting consent, the IAPP advises that a real active choice by the data subject implies providing options which “drive a decision”, and bans default options and pre-ticked boxes (be it an opt-in or an opt-out) as well as promoted choices (where the decision seems pre-ordained by colour, wording, location on the page, etc.).
Consent vs. explicit consent
The GDPR also distinguishes between “consent” and “explicit consent” (the latter being required for automated decisions, sensitive data, and transfers).
For the Article 29 Working Party, back in 2011, “explicit” (also called “express”) consent encompassed situations “where individuals are presented with a proposal to agree or disagree to a particular use or disclosure of their personal information and they respond actively to the question, orally or in writing”; the other type of consent must be unambiguous and encompasses “actions that aim at indicating agreement”.
In other words, explicit consent requires the above-mentioned “statement” (e.g. “I agree to the processing of my data by … for …”) while unambiguous consent requires the “clear affirmative action” (e.g. sending the required data after being informed of how it will be processed). This was confirmed in December 2017 by the same Article 29 Working Party, which specified that in a digital context a person could issue such a statement “by filling in an electronic form, by sending an email, by uploading a scanned document carrying the signature of the data subject, or by using an electronic signature”.
The case of browsing
In decision 2013-378 related to cookies, the French Data Protection Authority considered that clicking on an element of a website – after being informed that this act means consent to the installation of cookies on one's device – constitutes unambiguous consent.
This situation deserves a closer look as it raises a number of questions.
Given that the definition of consent did not change much under the GDPR, previously adopted solutions could – theoretically speaking – remain unchanged. It may also be noted that while the first version of the GDPR adopted by the EU Parliament on 12 March 2014 mentioned in §25 of its preamble that “Silence, mere use of a service or inactivity should therefore not constitute consent”, the wording “mere use of a service” became “pre-ticked boxes” in the final version, which left the door open for browsing to be considered as consent.
Yet it seems that data protection authorities will close this gap. For example, the UK Data Protection Authority – in its guidance on consent dated March 2017 – clearly stated that “all consent must be opt-in consent – there is no such thing as ‘opt-out consent’. Failure to opt out is not consent”.
More importantly, the Article 29 Working Party indicated – in its draft guidelines WP259 on consent – that:
- “‘regular’ consent requirement in the GDPR is already raised to a higher standard compared to the consent requirement in Directive 95/46/EC”;
- “Silence or inactivity on the part of the data subject, as well as merely proceeding with a service cannot be regarded as an active indication of choice”;
- “Scrolling down or swiping through terms and conditions which include declarations of consent (where a statement comes up on screen to alert the data subject that continuing to scroll will constitute consent) will not satisfy the requirement of a clear and affirmative action”.
Moreover, certain practical elements may lead entities to modify their current habits:
- the necessity to demonstrate consent to the authorities (which may prove technically difficult where the user simply clicked on the website);
- the requirement that it shall be as easy to withdraw as to give consent (how can withdrawal of consent be as easy as scrolling down?);
- the necessity to obtain consent that prevails over existing privacy settings gathered by browsers (the Article 29 Working Party indicated in its opinion 1/2017 that “Implicit types of ‘consent’, such as a click on the website or scrolling of the page, cannot override choices with regard to storage and the DNT signal”).
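As an added illustration (not part of the original post), here is a minimal consent-record model in Python that encodes the rules discussed above: only a statement or a clear affirmative action counts, implicit signals such as scrolling or pre-ticked boxes are rejected, the record names the controller and the purposes and keeps evidence that can be shown to an authority, and withdrawal is a single timestamped call. The record format, action names and sample records are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Ways of signifying agreement: "statements" (explicit consent) versus
# "clear affirmative actions" (unambiguous consent), as the post describes them.
STATEMENTS = {"form_submit", "email", "scanned_signature", "e_signature"}
AFFIRMATIVE_ACTIONS = {"tick_box", "send_data_after_notice", "business_card"}
# Signals the post says cannot count as consent at all.
IMPLICIT_SIGNALS = {"scroll", "swipe_terms", "continue_browsing",
                    "pre_ticked_box", "silence", "browser_default"}

@dataclass
class ConsentRecord:          # hypothetical record format, not a standard
    subject_id: str
    controller: str           # controller identity shown to the subject
    purposes: Tuple[str, ...]
    action: str               # how the subject signified agreement
    given_at: datetime
    evidence: str             # reference to the stored proof (form id, log entry)
    withdrawn_at: Optional[datetime] = None

def check_consent(rec: ConsentRecord, needs_explicit: bool = False) -> Tuple[bool, str]:
    """Return (valid, reason). needs_explicit=True for sensitive data,
    automated decisions and transfers, which require a statement."""
    if rec.action in IMPLICIT_SIGNALS:
        return False, f"'{rec.action}' is silence or mere use, not an active choice"
    if rec.action not in STATEMENTS | AFFIRMATIVE_ACTIONS:
        return False, f"unknown action '{rec.action}'"
    if needs_explicit and rec.action not in STATEMENTS:
        return False, "explicit consent requires a statement, not just an action"
    if not rec.controller or not rec.purposes:
        return False, "subject must be told the controller's identity and the purposes"
    if not rec.evidence:
        return False, "consent that cannot be demonstrated is useless to the controller"
    if rec.withdrawn_at is not None:
        return False, f"withdrawn at {rec.withdrawn_at.isoformat()}"
    return True, "ok"

def withdraw(rec: ConsentRecord) -> ConsentRecord:
    """Withdrawal must be as easy as giving consent: one call, timestamped."""
    rec.withdrawn_at = datetime.now(timezone.utc)
    return rec

# Constructed sample records (not real data).
GIVEN_AT = datetime(2017, 12, 13, tzinfo=timezone.utc)
TICKED = ConsentRecord("u1", "Example Ltd", ("newsletter",), "tick_box", GIVEN_AT, "form#42")
SCROLLED = ConsentRecord("u2", "Example Ltd", ("cookies",), "scroll", GIVEN_AT, "log#7")
```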
Of course, as business teams generally deal much better with tacit acceptance than with active acceptance, this will most likely create some tough choices in certain sectors.