On March 2, 2017, the UK Information Commissioner’s Office (“ICO”) published draft guidance regarding the consent requirements of the EU General Data Protection Regulation (“GDPR”). The guidance sets forth how the ICO interprets the GDPR’s consent requirements, and its recommended approach to compliance and good practice. The ICO guidance precedes the Article 29 Working Party’s guidance on consent, which is expected in 2017.
The ICO guidance emphasizes that the GDPR sets a high standard for individuals’ consent. For organizations to be able to rely on consent as a legal basis for processing, and for that consent to be valid, it must be:
- Unbundled: Consent requests must be separate from other terms and conditions.
- Active: Consent can only result from a clear statement or affirmative action of an individual’s wishes; pre-checked opt-in boxes are invalid and, although the ICO does not completely rule out implied consent in specific circumstances, “opt-out is not consent.”
- Granular: The controller must provide granular options for obtaining consent separately for different processing operations and different purposes.
- Named: Organizations and any third parties who will be relying on consent must be named in the notice – pursuant to the guidance, even precisely defined categories of third-party organizations will not be acceptable under the GDPR.
- Documented: Controllers must keep records to demonstrate what the individual has consented to, including what they were told in privacy notices or policies existing at the time of consent, and when and how they consented.
- Easy to Withdraw: Controllers must tell individuals that they have the right to withdraw their consent at any time, and how to do this with simple and effective withdrawal mechanisms.
- No Imbalance in the Relationship: Consent cannot be freely given if there is an imbalance in the relationship between the individual and the controller. This will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.
In providing guidance on the meaning of the term “unambiguous consent,” the ICO has stressed that consent must be demonstrated through a clear, affirmative act. Silence, pre-ticked boxes and inactivity do not represent consent. The affirmative act can be expressed in a written or oral statement, by electronic means, by ticking an opt-in box, by choosing a technical standard, by switching the technical standard from default or by another statement or act which clearly indicates acceptance. The ICO accepts that there may be implied consent in some circumstances, such as when an individual drops a business card to participate in a contest, or by submitting an online survey. The actual act signifies consent to that specific processing of data for these limited purposes.
“Explicit consent” in the GDPR represents an even higher standard than unambiguous consent. It must be separate from any other consents and must be expressly confirmed through the use of words. Explicit consent must specifically refer to the element that requires consent to be explicit (e.g., to sensitive data that is processed or to data transferred outside the EU, along with the underlying risks of the transfer).
Through the guidance, it is clear that the ICO sees consent as a dynamic concept that evolves over time and that is best managed in a proactive way. In addition to keeping a detailed record of consent, controllers are encouraged to ensure ongoing management of consents, choices and controls through privacy dashboards and similar preference and permission management tools. These should include mechanisms for withdrawal of consents and a general “any time opt-out.” In addition, the ICO recommends that controllers review and refresh consents, especially as processing operations and the purposes of processing evolve. In any case, controllers should offer a specific opt-out automatically every two years in reply to individuals with whom they have contact and send occasional reminders about the ability to withdraw consent. The ICO makes it clear that consent will be an appropriate legal basis only where (1) there is a real choice for individuals, (2) the individuals have ability to exercise actual control over data use and (3) it fulfills all of the GDPR’s requirements. If these conditions are not met, the ICO advises controllers to seek an alternative legal basis for their processing activities.
The ICO’s guidance is subject to public consultation until March 31, 2017.