Consent: When? Why? How?
Are you suffering from consent confusion? When must we rely on it? When is it not a good idea? And what must we do to make sure our consent is valid?
Here’s a short refresher to dispel the myths and a quick ‘consent checklist’ to make sure you are ticking all the right boxes!
For starters, one of the biggest myths surrounding GDPR (fuelled by news stories back in 2018) is that we need consent to do almost anything with people’s personal data.
Simply not true.
Consent is one lawful basis, there are others
Consent is just one of six lawful bases. They are all equal: no one basis is better than another, and you need to pick the right one for what you are doing.
Yes, sometimes consent is required by law for certain activities, but for many others a different lawful basis may be more appropriate.
But you do need to pick one. Data protection law across the EU and UK requires us to have a lawful basis for processing personal data.
(By processing we mean doing anything with people’s personal information – from collecting, storing, sharing and even the action of deleting it).
GDPR raised the bar on what constitutes valid consent
GDPR defines consent and says it must be, “freely given, specific, informed and unambiguous” and must be given by a “clear affirmative action by the data subject”.
This means you need to clearly tell people what they are consenting to and they need to take an action to give their consent. And consent shouldn’t be bundled up with providing another service or with T&Cs.
Just to be clear, the rules for consent under UK GDPR are the same as for EU GDPR. (See UK data protection and ePrivacy law post-Brexit).
When is consent the right lawful basis?
Consent is most appropriate to use when you can offer people a clear choice and give them control over how you use their data. If you can’t do this, you should look to rely on another lawful basis.
When is consent legally required?
There are some circumstances when the law tells us we must gain consent. Let’s take a look…
In specific situations you need consent to send marketing emails or SMS messages under the UK’s Privacy and Electronic Communications Regulations (PECR).
This is where things can get a bit nuanced. Consent is not always legally required for all marketing emails/SMS. There are choices you can make.
For example, there’s a specific exemption for existing customers (known as the ‘soft opt-in’) and more relaxed rules for business-to-business marketing. For more detail see Understanding email marketing rules.
There are also circumstances in which you will need consent for telemarketing calls. See the ICO’s Guide to PECR.
You need consent to place cookies or other online tracking methods on people’s devices (unless those cookies are ‘strictly necessary’). Or to install apps or software on people’s devices.
The ICO has confirmed such consent needs to meet the UK GDPR standard, and that cookies used for analytics, performance or marketing are NOT strictly necessary. See the ICO’s cookie guidance.
3. Special category data
If you are intending to handle special category data, for example health data on individuals, you may need to seek explicit consent to make sure this is lawful. This is unless you can rely on another specific legal condition.
GDPR requires you to have a lawful basis for processing special category data PLUS a specific condition under Article 9.
Special category data is information relating to someone’s health, race, ethnicity, political opinions, religious beliefs, trade union membership, sex life, sexual orientation and covers genetic and biometric data.
A word of caution here: if you’re using special category data for direct marketing or profiling purposes, you’ll need explicit consent.
4. If no other lawful basis applies
As you must have a lawful basis for each processing activity you undertake, if no other lawful basis obviously applies, you will need to obtain consent. Here are a couple of examples:
- If someone would not expect you to be sharing their data with another organisation, it’s likely you would need to collect their consent to do so.
- If you are planning to use someone’s data for a completely different purpose, which you didn’t tell them about when you collected their data, you are highly likely to need to collect their consent unless another lawful basis applies (e.g. it’s needed to meet a legal obligation).
You also need to consider other factors. For example, if you are requesting consent for another organisation, that consent must be separate and the organisation should be named. Also, consent doesn’t last for ever and should be refreshed (especially if anything changes).
If you offer online services which are likely to be accessed by children, you also need to consider whether you will need to seek parental consent and/or implement age verification measures. (See New Children’s Code: Does it apply to your business?)
When is consent not a good option?
Consent will clearly not be the best approach if you will struggle to meet the requirements.
You should be careful about using consent where there’s likely to be an imbalance of power. In other words, where people might feel they have to give their consent.
This makes consent tricky if used by a business for purposes relating to their employees. Perhaps staff may feel a degree of pressure to give their consent, or feel they will be penalised in some way or treated differently if they refuse.
Saying this, sometimes there seems little option but to rely on an employee’s consent. I know a number of organisations using explicit consent for their diversity monitoring, which clearly entails special category data.
Consent isn’t easy
Collecting valid consent and meeting all the requirements may feel like a bit of a minefield. It does mean you need to take careful decisions. It’s worth double checking what risks may be lurking.
However, it is worth getting right. In the words of the ICO, “Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.”
A final word of caution: be careful not to try and shoe-horn your activities into another lawful basis (such as legitimate interests), when consent really would be the most appropriate approach.
Philippa Donn, March 2021
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.