BBB National Programs Insights
Consent under the GDPR
This post is part of a series directed to U.S. companies seeking to align their privacy practices with the GDPR. Note that many best practices described in this post do not correspond with specific requirements for data transfers under Privacy Shield. Please see a data privacy attorney for advice about any specific compliance obligations for your particular data processing operations.
Processing of personal data takes many forms. At times, the entire point of the service that a business provides requires the business to process its customers’ personal data. If someone orders a pair of shoes online, the business must receive and process the person’s physical address in order to complete the delivery. Thus, for the purpose of order fulfillment, the collection and processing (and perhaps even sharing with shipping providers) of the person’s physical address is necessary. Perhaps in a soft sense of “consent,” such a transaction involves the consent of the consumer. After all, the consumer has entered into a bargain with the company knowing full well, given the context of an online buyer-seller relationship, that the business will need to process his or her address.
Legal consent under the GDPR is something else entirely. Consent in this context cannot be implied. It is explicit, affirmative, opt-in permission to process the subject’s personal data. This stronger version of consent is, of course, often not required to process data legally—a point that many commentators gloss over. It would seem impracticable, and perhaps absurd, to require a consumer to check a box next to the words “I consent to your collection and use of my physical address for purposes of delivering my shoes.” It may seem much more appropriate, however, to get such a consumer’s affirmative consent to process her address for purposes of ongoing marketing communications.
Even though GDPR-style consent is often not legally required, it is important to understand what it looks like as you design and assess internal privacy processes. Here are the highlights:
- Consent is granular. For consent to be valid, the data subject must affirmatively opt in to the sharing of their data for a particular purpose. Describe with specificity why you are collecting the data and what you are going to do with it. Be as granular in your controls as possible, allowing data subjects to opt in separately to separate data collections, purposes, or types of processing to which they could have different privacy preferences. Provide the name of your organization and those of any other controllers that will rely on the consent.
Ask yourself: when the consumer said “yes” did she understand what I could do with her data?
- Consent is ongoing. A person’s consent to processing is a living thing, constantly subject to withdrawal. This is because the GDPR guarantees a right to withdraw consent to processing. Much of the confusion about consent under GDPR stems from this single point. If consent withdrawal doesn’t make sense in the context of the purpose for which you are processing the data, consent is probably not the best legal basis for your processing.
Ask yourself: can the consumer change his mind?
- Consent must be informed. Design your consent mechanism to be “an intelligible and easily accessible form, using clear and plain language.” Make it prominent and do not bundle it with other terms and conditions.
Ask yourself: will a reasonable consumer really understand what will happen to her data?
- Consent requires an action. Data subjects must say or do something (“a statement or a clear affirmative action”) to signal their consent. You should design your opt-in mechanism to leave no room for ambiguity. This can mean that consumers check a box, apply certain technical settings, or any other action that is clear and unambiguous. Provide consumers with a legitimate choice.
Ask yourself: if the consumer does nothing, takes no affirmative action, may I process his data?
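The four properties above translate directly into how a consent store should behave. The following is an added illustration, not code from this post or from any real product: a hypothetical `ConsentLedger` that keeps one record per purpose (granular), names the controllers relying on it, refuses to record anything that was not a clear affirmative action, and lets a subject withdraw one purpose without touching the others. The subject ids and the controller names `ShoeCo` and `MetricsInc` are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple
# Added illustration only: a hypothetical consent store, not code from the post or any product.
@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                   # exactly one purpose per record (granular)
    controllers: Tuple[str, ...]   # organisations named when consent was requested
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self) -> None:
        self._records: list = []

    def record_consent(self, subject_id, purpose, controllers, affirmative_action, at=None):
        # "Consent requires an action": a pre-ticked box, silence or continued
        # use of the service is not a clear affirmative action, so refuse it.
        if not affirmative_action:
            raise ValueError("no clear affirmative action; consent not recorded")
        if not controllers:
            raise ValueError("consent must name every controller relying on it")
        rec = ConsentRecord(subject_id, purpose, tuple(controllers), at or datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose, at=None) -> int:
        # "Consent is ongoing": withdrawing one purpose leaves the others intact.
        n = 0
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = at or datetime.now(timezone.utc)
                n += 1
        return n

    def may_process(self, subject_id, purpose, controller, at=None) -> Tuple[bool, str]:
        # The post's checks: did this subject opt in to THIS purpose for THIS
        # controller, and have they since changed their mind? Newest record wins.
        when = at or datetime.now(timezone.utc)
        for rec in reversed(self._records):
            if rec.subject_id != subject_id or rec.purpose != purpose or rec.given_at > when:
                continue
            if controller not in rec.controllers:
                return False, "controller was not named in the consent request"
            if rec.withdrawn_at is not None and rec.withdrawn_at <= when:
                return False, "consent withdrawn"
            return True, "valid consent on record"
        return False, "no consent on record for this purpose"
```

A processing job would call `may_process` per subject, purpose and controller before touching the data, and log the returned reason for audit.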
When do I need consent under the GDPR?
- Most types of personal data. For non-sensitive types of data, consent is merely one possible legal justification for processing. Whether consent makes sense depends on a number of factors, not least of which is whether you can provide a meaningful means for the data subject to withdraw the consent. If not, it may be best to look to other bases for processing data for that purpose.
- Special categories of data. Article 9 requires that consent be obtained (or one of the other Article 9 conditions apply) for any processing of its listed special categories of data.
- Children’s data. If you rely on consent as your lawful basis for the processing of children’s data, the GDPR requires that you obtain the consent from a parent or legal guardian.
When do I need consent under Privacy Shield?
The provision of notice and opt-out choice is usually sufficient to transfer data to a participating Privacy Shield company in the U.S. However, certain types of processing of sensitive information may require opt-in consent. Under the Privacy Shield Frameworks, sensitive information includes “personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual.”
- Disclosing sensitive data to a third party. You need opt-in consent before you collect sensitive information from a data subject if you plan to disclose the sensitive information to a third party. (Consent may not be required if one of the exceptions applies.)
- Change of purpose for sensitive data. The Privacy Shield Frameworks specify that if you decide to use sensitive personal data for a purpose other than what was authorized by the data subject (including, of course, sharing it with a third party) you must receive consent for the additional processing.