What are the GDPR consent requirements?

For more general information about what the GDPR says, read our article, “What is the GDPR?” It provides a conceptual overview of the law. We have also published the full text of the GDPR.

The GDPR requires a legal basis for data processing

“In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis,” the GDPR explains in Recital 40. In other words, consent is just one of the legal bases you can use to justify your collection, handling, and/or storage of people’s personal data. Article 6 lists five other lawful bases:

  1. Processing is necessary to satisfy a contract to which the data subject is a party.
  2. You need to process the data to comply with a legal obligation.
  3. You need to process the data to save somebody’s life.
  4. Processing is necessary to perform a task in the public interest or to carry out some official function.
  5. You have a legitimate interest in processing someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data.

GDPR consent definition

The GDPR defines consent in Article 4(11): “Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Article 7 then sets out four conditions that valid consent must meet:

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Now that you have a definition, let’s unpack some of these concepts.

Consent must be freely given

Consent is not freely given if access to your service is conditional on consent to processing that is not necessary to provide that service (see condition 4 above). The one exception is if you genuinely need some piece of data from someone to provide them with your service. For example, you may need their credit card information to process a transaction or their mailing address to ship a product.

Recital 43 discusses freely given consent. It explains that you must get separate consent for each data processing operation. So if you want their email address for marketing purposes and their IP address for website analytics purposes, you must give the user an opportunity to confirm or decline each use.

Consent must be specific

“The request for consent shall be presented in a manner which is clearly distinguishable from the other matters.” It should be clear what data processing activities you intend to carry out, granting the subject an opportunity to consent to each activity.

In the email address and IP address example, you can’t explain these uses as part of a single, long paragraph detailing the operations of your marketing team, with a single consent checkbox at the end. Instead, you must explain each data use case separately, giving data subjects an opportunity to consent to each activity individually.

If you have more than one reason to conduct a data processing activity, you must obtain consent for all those purposes. So if you store phone numbers for both marketing and identity verification purposes, you must obtain consent for each purpose.

Consent must be informed

Informed consent means the data subject knows your identity, what data processing activities you intend to conduct, the purpose of the data processing, and that they can withdraw their consent at any time.

It also means that the request for consent and the explanation of the data processing activities and their purpose are described in plain language (“in an intelligible and easily accessible form, using clear and plain language”). That means no technical jargon or legalese. Anyone accessing your services should be able to understand what you’re asking them to agree to.

The Google case offers an instructive real-world example. The French authorities said the company did not meet the requirements of informed consent:

“The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent. For example, in the section ‘Ads Personalization,’ it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations … and therefore of the amount of data processed and combined.”

The British Information Commissioner’s Office provides further context: “If the request for consent is vague, sweeping or difficult to understand, then it will be invalid. In particular, language likely to confuse — for example, the use of double negatives or inconsistent language — will invalidate consent.”

Consent must be unambiguous

Unambiguous consent “could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.”

Consent can be revoked

Obtaining consent is not the end of the matter: a data subject has the right to withdraw consent at any time, and you must make it easy for them to do so. In general, it should be as easy for them to withdraw consent as it was to give it.