‘Active’ Opt-in is a near certainty – but how can obtaining ‘granular’ consent be achieved in a clear and concise manner? Will there really be no ‘grace’ period after 25 May 2018, and will third parties definitely need to be named?
The ICO’s consultation on its draft Consent Guidance has closed, and the Regulator is now sifting through more than 300 responses (pushing back publication of its final version to June). In a move that may alarm those seeking firm guidance, this timescale comes with the caveat that it “may be affected by developments at European level.”
The Regulator took a robust stance in its draft; will it now bow to pressure?
There are clear areas where respondents will have strongly highlighted to the ICO that its approach may be impractical to implement. What changes can we expect, if any?
The words ‘unambiguous’ and ‘clear affirmative action’ in the GDPR’s definition of Consent are clearly interpreted by the ICO to mean an active opt-in. The draft guidance states: ‘consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.’
It’s doubtful the Regulator will budge from this position, and a more relaxed approach is unlikely at a European level. However, the stance has not gone unchallenged. In particular, the Direct Marketing Association has said, ‘we would like further clarifications on this point and whether implied consent should be permitted.’
When it comes to legacy data which does not meet GDPR consent requirements and any potential ‘grandfathering’, the Regulator has been no less hard-hitting. The ICO’s Head of International Strategy & Intelligence, Steve Wood, has said, ‘will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy.’ This has again been challenged, presenting as it does a herculean task for many organisations. Will the ICO undertake a Theresa May-style U-turn here?
Areas where the ICO may perhaps be more willing to tweak its stance surround ‘granular’ consent, and the requirement to name third parties with whom data may be shared.
The draft guidance states: ‘give granular options to consent separately to different types of processing wherever appropriate.’ However, in practice this could lead to unnecessarily complex consent statements and surely goes against the very essence of the GDPR, which emphasises the requirement to make information notices clear and concise.
‘Name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.’
The above statement in the draft guidance sent a shock-wave through organisations that share data. Even when subsequently challenged by delegates at the ICO’s Data Practitioner’s Conference, the message was clear: third parties must be specifically named. But in practice, naming every third party with which data may be shared will prove incredibly difficult and impractical for organisations, especially when third-party lists may regularly change and evolve.
Surely if an individual is presented with a third-party opt-in statement (with sectors transparently provided), this would be sufficient for them to make an informed choice?
So far, the UK Regulator has steered clear of mentioning the ‘soft opt-in’ exemption, which for many organisations is critical. The final rules on this are hotly awaited in the final text of the new e-Privacy Regulation, expected in the Autumn and due to be implemented in line with the GDPR on 25 May 2018. The proposed Regulation will replace the 2002 ePrivacy Directive (amended 2009), which gave us the UK’s Privacy and Electronic Communications Regulations (PECR).
Is Consent the only way?
The ICO is keen to stress that Consent is only one of six legal grounds for processing under the GDPR, and that where individuals can’t be given a clear, genuine choice, organisations should consider using another basis, for example Legitimate Interests. Different legal grounds may be most appropriate for different processing activities, but in considering the potential options organisations should be aware that all have conditions that must be met under the GDPR.