Yesterday the ICO published its much anticipated guidance on consent under the GDPR for public consultation. This is a key practical area of compliance for all businesses. The new test for consent under the GDPR is higher than under the current rules, and the penalties for failing to obtain valid consent are potentially much harsher; organisations will need to review their data collection notices and opt-ins, and potentially make changes to websites and apps, to ensure they are compliant by May 2018.
The guidance sits alongside the ICO’s Overview of the GDPR and explains its recommended approach to compliance and what counts as valid consent. On the tricky issue of verifiable parental consent to children’s use of social media, the ICO has promised further guidance at a later date.
The consultation will run from now until 31 March 2017, and any comments on the guidelines should be sent to firstname.lastname@example.org via this form. The ICO then aims to publish this guidance by May 2017.
Datonomy will be providing a fuller analysis in the near future; for now, here is a snapshot of some of the key issues covered.
How should you write a consent request?
Article 7 (2) of the GDPR requires that if a data subject’s consent is to be given in the context of a written declaration which also concerns other matters, the request for consent shall be presented “in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”.
The guidance expands on this, stating that you should:
- Keep your consent request separate from your general terms and conditions, and clearly direct people’s attention to it;
- Use clear, straightforward language;
- Adopt a simple style that your intended audience will find easy to understand – particularly important if you are asking children to consent, in which case you may want to prompt parental input and you should also consider age-verification and parental-authorisation issues;
- Avoid technical or legal jargon and confusing terminology;
- Use consistent language and methods across multiple consent options; and
- Keep your consent requests concise and specific, and avoid vague or blanket wording.
What information should you include?
In order to meet the GDPR’s Article 4 (11) definition of consent being “freely given, specific, informed and unambiguous”, you must as a minimum include:
- The name of your organisation and the names of any third parties seeking to rely on the consent – consent for categories of third-party organisations will not be specific enough;
- Why you want the data (the purposes of the processing);
- What you will do with the data (the processing activities); and
- That people can withdraw their consent at any time. The guidance states it is good practice to tell users how to withdraw consent.
The guidance highlights the issue of how to ensure consent is specific enough while making it concise and easy to understand. It explains that in practice this means that you may not be able to obtain blanket consent for a large number of parties, purposes or processes. This is due to the likelihood that you will be unable to provide prominent, concise and readable information that is also specific and granular enough.
What methods can you use for obtaining consent?
Whichever method is used it must be an “unambiguous indication by a clear affirmative action”, in accordance with Article 4 (11). Therefore you must ask people to actively opt in.
The guidance gives the following examples of active opt-in mechanisms:
- Signing a consent statement on a paper form;
- Ticking an opt-in box on paper or electronically;
- Clicking an opt-in button or link online;
- Selecting from equally prominent yes/no options;
- Choosing technical settings or preference dashboard settings;
- Responding to an email requesting consent;
- Answering yes to a clear oral consent request; and
- Volunteering optional information for a specific purpose – e.g. filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box.
What is a just-in-time notice?
The guidance describes a just-in-time notice as a method for obtaining consent whereby a notice appears on-screen at the point the person inputs the relevant data, with a brief message about what the data will be used for. Such notices would need to be combined with an active opt-in, and must not be ‘unduly disruptive’ to the user.
As the GDPR does not specifically ban opt-out boxes, can I still use them?
No, the guidance equates opt-out boxes with the banned pre-ticked boxes, as both methods bundle up consent with other matters by default, and then rely on inactivity.
Do I need to force people to create user accounts and sign in just so I can obtain verifiable consent?
Again no: the guidance instead proposes, by way of example, linking consent to a temporary session ID. Once the session ends and the link between the user and the session is lost, you would need to seek fresh consent each time the user returns to your website.
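To make the two points above concrete (no reliance on pre-ticked or opt-out defaults, and consent tied to a temporary session ID rather than a user account), here is an added example of a session-scoped consent record store. It is illustrative code written for this post, not part of the ICO guidance or any real product; the names `validateConsentEvent`, `SessionConsentStore`, the event fields and the sample events are all hypothetical and constructed for the example.

```javascript
// Added example, not from the ICO guidance: a minimal session-scoped consent
// store. Field names (controller, purpose, activity, withdrawalMethod,
// userAction, defaultState, mechanism, thirdParties) are hypothetical.

const REQUIRED_FIELDS = ['controller', 'purpose', 'activity', 'withdrawalMethod'];

// Returns a list of reasons the event is NOT valid consent; empty means valid.
function validateConsentEvent(event) {
  const problems = [];
  // A pre-ticked box or an opt-out box relies on inactivity, not an action.
  if (event.defaultState === true) problems.push('pre-ticked default');
  if (event.mechanism === 'opt-out') problems.push('opt-out relies on inactivity');
  // Consent must be an unambiguous indication by a clear affirmative action.
  if (event.userAction !== true) problems.push('no affirmative action');
  // The notice must name the controller, the purpose, the processing and the
  // right to withdraw (here: how to withdraw, as the guidance recommends).
  for (const f of REQUIRED_FIELDS) if (!event[f]) problems.push(`missing ${f}`);
  // Third parties must be named individually; a category is not specific enough.
  for (const tp of event.thirdParties || []) {
    if (tp.category) problems.push(`third party category not specific: ${tp.category}`);
  }
  return problems;
}

class SessionConsentStore {
  constructor() {
    // sessionId -> Map(purpose -> { event, grantedAt, withdrawnAt })
    this.sessions = new Map();
  }
  // Consent is linked only to this temporary ID; no user account is needed.
  startSession(sessionId) { this.sessions.set(sessionId, new Map()); }
  // When the session ends the link is lost, so the consent record goes with it.
  endSession(sessionId) { this.sessions.delete(sessionId); }

  // One purpose per event keeps consent granular rather than blanket.
  record(sessionId, event, now = Date.now()) {
    const problems = validateConsentEvent(event);
    if (problems.length) return { ok: false, problems };
    const session = this.sessions.get(sessionId);
    if (!session) return { ok: false, problems: ['session ended: seek fresh consent'] };
    session.set(event.purpose, { event, grantedAt: now, withdrawnAt: null });
    return { ok: true, problems: [] };
  }
  // Withdrawal must be possible at any time; we keep the record for audit.
  withdraw(sessionId, purpose, now = Date.now()) {
    const session = this.sessions.get(sessionId);
    const rec = session && session.get(purpose);
    if (!rec) return false;
    rec.withdrawnAt = now;
    return true;
  }
  hasConsent(sessionId, purpose) {
    const session = this.sessions.get(sessionId);
    const rec = session && session.get(purpose);
    return Boolean(rec && rec.withdrawnAt === null);
  }
}

// Constructed sample events for the walk-through.
const ACTIVE_OPT_IN = {
  controller: 'Example Ltd',            // placeholder name
  purpose: 'newsletter',
  activity: 'send a monthly email newsletter',
  withdrawalMethod: 'unsubscribe link in every email',
  mechanism: 'opt-in', defaultState: false, userAction: true,
  thirdParties: [{ name: 'Example Mailer Ltd' }],   // placeholder name
};
const PRE_TICKED = { ...ACTIVE_OPT_IN, defaultState: true, userAction: false };
const CATEGORY_THIRD_PARTY = { ...ACTIVE_OPT_IN, thirdParties: [{ category: 'selected partners' }] };

// Walks through the lifecycle and returns the observations for inspection.
function runDemo() {
  const store = new SessionConsentStore();
  store.startSession('sess-1');
  const out = {};
  out.preTicked = store.record('sess-1', PRE_TICKED).problems;
  out.category = store.record('sess-1', CATEGORY_THIRD_PARTY).problems;
  out.valid = store.record('sess-1', ACTIVE_OPT_IN).ok;
  out.consentedAfterRecord = store.hasConsent('sess-1', 'newsletter');
  store.withdraw('sess-1', 'newsletter');
  out.consentedAfterWithdraw = store.hasConsent('sess-1', 'newsletter');
  store.record('sess-1', ACTIVE_OPT_IN);          // user opts in again
  store.endSession('sess-1');                      // session expires
  out.consentedAfterSessionEnd = store.hasConsent('sess-1', 'newsletter');
  out.recordAfterSessionEnd = store.record('sess-1', ACTIVE_OPT_IN).problems;
  return out;
}

module.exports = { validateConsentEvent, SessionConsentStore, runDemo };
```

The store deliberately keeps a withdrawn record (with `withdrawnAt` set) rather than deleting it, so that the fact and time of withdrawal remain available for audit while `hasConsent` correctly reports false; the session-expiry path shows why the guidance says fresh consent must be sought once the session link is lost.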
Datonomy will continue to track the progress of this important guidance.