Perhaps one of the more interesting restrictions that GDPR places on websites is that the law, by default, prohibits the collection, use, and disclosure of personal data. The only way to lawfully process personal data under GDPR, if this law applies to you, is via an exception, otherwise known as the legal bases for processing data. In this article, we will discuss how to process data under the consent legal basis, as it is the most commonly used exception by business websites.
How does GDPR define consent?
GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the individual’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.” As you can see, this definition has quite a few elements and each element must be properly met for consent to be a valid legal basis under GDPR. Below is a description of each of these elements and how websites and business owners who collect personal data can meet them.
Freely given
For consent to be valid, the individual must have a real choice as to whether or not to allow the processing of their personal data. The following are a few examples of circumstances where individuals are not given a free choice:
- The individual feels compelled to consent;
- The individual will suffer negative consequences if they do not consent;
- Consent is bundled into the Terms of Service as a non-negotiable condition;
- The individual cannot withdraw consent without detriment.
GDPR also prohibits the bundling of consent with Terms of Service, a contract or the provision of a particular service, where consent is not necessary to perform that contract or service. For example, you cannot force an individual to consent to the use of their email for promotional emails by making it a requirement for purchasing a new computer. While GDPR does provide for the performance of a contract as a legal basis for processing data, consent and contracts cannot be bundled together – you must pick one or the other as your legal basis.
To be freely given, consent also has to be granular, meaning that you should obtain consent separately for each purpose for which you will use the personal data. Make a list of the purposes for which you will use the data, keep those purposes separate, and obtain consent for each one.
Specific
Since the individual agrees to each purpose for which their data will be processed, those purposes must be specific for consent to be a valid legal basis under GDPR. Define each purpose for which you will use the data precisely. Consent must be specific so that there is no "scope creep", the gradual widening of how data is used after the initial consent is obtained. If you determine that you need to use the data for a new purpose, you must obtain consent for that new purpose before using the data in the new way.
Informed
For consent to be informed, the individual must be given the following information before they consent:
- Your identity;
- The purpose of each of the processing operations for which consent is being sought;
- What data will be collected and used;
- The fact that the individual can withdraw consent at any time;
- Information about the use of data for automated decision-making; and
- Information on the possible risks of data transfers to countries without an adequacy decision and of appropriate safeguards.
Unambiguous indication of wishes
GDPR states that, for consent to be a valid legal basis, it must be an unambiguous indication of the individual's wishes regarding the processing of his or her personal data, given by a statement or by a clear affirmative action. This means you must be able to show that the individual actually agreed; silence, pre-ticked boxes and inactivity are not sufficient to show consent. Checking a box is a valid way to obtain consent, but under no circumstances should the box be pre-ticked, since there is then no way to show that the individual actually agreed.