Consent Under GDPR And ePrivacy

Under GDPR, a consent has to be informed and given freely. That means, that the data subject must have an informed choice as to whether the data processing will take place or not. Furthermore, a consent has to be concrete. General or broad consents do not constitute an effective consent. Additionally, GDPR requires a consent to be explicit: the data subject has to consent actively – pre-ticked boxes and similar circumstances would make a given consent not binding under GDPR.

GDPR also manifests the obligation to offer the possibility to withdraw the consent at any time. Taking it even further, the withdrawing has to be as easy as it was to give consent. Prior to giving the consent, the data subject has to be informed thereof. The toughest requirement comes with Art. 7 (1) GDPR, which puts the controller under the obligation to proof that consent was given. That entails proving that it was given informed, freely, concrete, explicit as well as obtained prior to the data processing (if the legal basis for processing is consent). This obligation inevitably leads to Consent Management in some form.

Any consent given by data users must be informed, meaning that controllers must provide information to data subjects before obtaining their consent. This is important because users must be able to understand what they are agreeing to by consenting.

There are no precise rules about the form and shape of the information given, so it can be given for example by audio or video messages and not necessarily in text. The information must however be in clear language that is understandable to the average person, and cannot be hidden away in general terms and conditions.

Guideline minimum requirements for the content of information given to data users are as follows; the controller’s identity, the purpose of each of the processing operations for which consent is sought, what (type of) data will be collected and used, the existence of the right to withdraw consent, information about the use of the data for automated decision-making where relevant, and on the possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards.

The controller must also adjust the information according to the targeted audience. For example, if the audience includes underage users, the controller must make sure that the information is understandable for minors.

In order for consent to be given in compliance with the GDPR the data subject must be given control over his or her consent, a choice between accepting or declining the terms, as well as be able to decline the offered terms without risk of detriment.

A given consent is invalid if the data subject felt compelled to consent or risked suffering negative consequences by not consenting. Consents that are part of non-negotiable terms and conditions are also invalid. In these circumstances, consent is not considered freely given.

Because of the imbalance of power, it is unlikely that public authorities or employers interacting with employees can use consent as a basis for processing personal data. Certain circumstances might still enable consent to be used in these situations.

In certain situations, such as when there is serious risk to data protection, explicit consent is required. In these cases, a higher bar is set for giving consent – for example, explicit consent could be given with a signed written statement. However, this is not the only possible way of obtaining explicit consent, and it can be done in many different forms.

The consent given by the data subject must be given through an active motion or declaration – it must be obvious that the user has consented to the particular processing. However, there are no precise requirements for the form and shape of the consent, and the consent can be done for example in the form of an oral recorded message or by sliding a bar across a screen.

The data user must be able to withdraw their consent at any time, and withdrawing the consent can be no more difficult for the user than it was to initially give the consent. Users must be able to withdraw their consent on the same electronic interface as where the consent was given, and without charge or lowered service levels.

The controller must be able to demonstrate any data subject´s consent, meaning that they must be able to prove that the user gave consent to the data processing.

The new ePrivacy regulation is set to come into effect in 2019, and is meant to update the existing ePrivacy legal framework of the EU. The regulation aims to protect the security and confidentiality of electronic communication.

The ePrivacy regulation refers to the definition of consent given in the GDPR, and for this reason the requirements for a consent to be valid are the same in the ePrivacy regulation as in the GDPR.

The GDPR considers any information concerning an identifiable natural person to be covered by the principles of data protection, so when cookies are used to identify internet users, this is considered processing of personal data and falls under the scope of the regulation.

Since the rules of the GDPR applies to the use of cookies, it means that:

• Users must consent to the use of cookies, and the consent must be GDPR-compliant. The user´s clear and affirmative action is required in order to legally consent. Websites can no longer show banners saying that by continuing to visit their website, users agree to the use of cookies.
• Users must be able to withdraw their consent to the use of cookies, and withdrawing consent can be no more difficult than giving the consent was.
• Websites need legal ground for the use of cookies.
• Information about the cookies must be given prior to consent, and the information must be in a clear language that is accessible and easily understandable to the average reader. The information should contain the identity of the controller, the purposes of the personal data processing, a notice on risks, rules, safeguards and rights in relation to the processing of personal data.

When the ePrivacy regulation comes into effect, it will have precedence over the GDPR when it comes to rules regarding cookies. The ePrivacy regulation stipulates that cookies can not be set before the user has consented to it, and refers to the GDPR´s definition of consent. This means that internet users will need to give unambiguous consent to cookies.

• The use of cookies requires unambiguous and freely given consent, meaning that users must consent to the cookies through clear affirmative action. Clear affirmative action could be given for example by requiring users to actively select that they agree to the use of third party cookies by clicking a button.
• No cookies can be dropped before the user has given consent.
• Users must be able to withdraw their consent to the use of cookies at any time, and withdrawing the consent must be as easy as it was to give.
• Information about the cookies must be given prior to consent, and the information must be in a clear language that is easily understandable to the average reader.
• Cookies that concern strictly non-personal information will be exempted from the rules about cookies in the regulation.
• Device fingerprinting will be covered by the rules on cookies. Device fingerprinting is a process where internet users can be identified based on their device or browser configuration, without the use of cookies.

Usercentrics GmbH does not provide legal advice. The contents of the above article are not to be understood as legally binding. The article constitutes the opinion of Usercentrics.