The WP29 Revises its Guidelines on Consent Under GDPR Ahead of the Upcoming Enforcement Date of 25 May 2018

Consent – one of the six legal bases available to process personal data in Europe – is strongly impacted by GDPR. The requirements to obtain valid “GDPR consent” are now much stricter than under the Data Protection Directive. Additionally, data subjects have the right to withdraw their consent at any time, making it a relatively fragile legal basis for controllers.

The WP29 issued guidelines on the topic in November 2017, which we covered in this blog post. The revised version was published on 10 April 2018, and the main changes are highlighted below.

1. Conditions for Valid Consent: Freely Given – Conditionality

One of the four criteria for valid consent is for consent to be freely given. The WP29 determines that consent cannot be considered as freely given if a controller tries to rely on consent for a service that involves using the personal data for additional purposes by arguing that an equivalent service is offered by a different controller. The WP29 refutes this approach, explaining that, in such a case, the freedom of choice would be made dependent on what other market players do and whether an individual data subject would find the other controller’s services genuinely equivalent. This failed argument would furthermore imply an obligation for controllers to monitor market developments to ensure the continued validity of consent for their data processing activities, as a competitor may alter its service at a later stage.

2. Refuse or Withdraw Consent Without Detriment

A controller needs to demonstrate that it is possible to refuse or withdraw consent without detriment (recital 42). The WP29 added three examples to illustrate this requirement:

Example A: When downloading a lifestyle mobile app, the app asks for consent to access the phone’s accelerometer. This is not necessary for the app to work, but it is useful for the controller who wishes to learn more about the movements and activity levels of its users. When the user later revokes that consent, she finds out that the app now only works to a limited extent. This is an example of detriment as meant in Recital 42, which means that consent was never validly obtained (and thus, the controller needs to delete all personal data about users’ movements collected this way).

Example B: A data subject subscribes to a fashion retailer’s newsletter with general discounts. The retailer asks the data subject for consent to collect more data on shopping preferences to tailor the offers to his or her preferences based on shopping history or a questionnaire that is voluntary to fill out. When the data subject later revokes consent, he or she will receive non-personalised fashion discounts again. This does not amount to detriment as only the permissible incentive was lost.

Example C: A fashion magazine offers readers access to buy new makeup products before the official launch. The products will shortly be made available for sale, but readers of this magazine are offered an exclusive preview of these products. In order to enjoy this benefit, people must give their postal address and agree to subscription on the mailing list of the magazine. The postal address is necessary for shipping and the mailing list is used for sending commercial offers for products such as cosmetics or apparel year-round. The company explains that the data on the mailing list will only be used for sending merchandise and paper advertising by the magazine itself, and is not to be shared with any other organisation. In case the reader does not want to disclose their address for this reason, there is no detriment, as the products will be available to them anyway.

3. Unambiguous Indication of Wishes

An unambiguous statement or indication of wishes is another criterion necessary for valid consent. The WP29 specifies that controllers must avoid ambiguity and must ensure that the action by which consent is given can be distinguished from other actions. Therefore, merely continuing the ordinary use of a website is not an indication of wishes by the data subject to signify his or her agreement to a proposed processing operation.

The WP29 updated the following example:
Scrolling down or swiping through a website will not satisfy the requirement of a clear and affirmative action. This is because the alert that “continuing to scroll will constitute consent” may be difficult to distinguish and/or may be missed when a data subject is quickly scrolling through large amounts of text and such an action is not sufficiently unambiguous.

Although this addition is not made in the context of ePrivacy and cookies specifically (under which consent is required to store cookies on a website visitor’s device), if applied in that context, it would mean that, in the view of WP29, the implied consent method so far used by almost every website owner to store cookies on a visitor’s device (consisting of informing the user on the cookie banner that continuing to browse or scroll down amounts to consent) will no longer be acceptable when the GDPR comes into force next May.

This would have tremendous practical implications for website owners if DPAs and courts interpret it that way. This issue should be addressed and resolved in the ePrivacy Regulation, which could require users to express their general cookie preferences (such as reject third-party cookies, accept all cookies) at the browser level or on the website itself. With the ePrivacy Regulation still going through the legislative process and potentially unlikely to pass for another year, this would leave a relatively long period of time during which website owners would need opt-in consent from their users before they can store cookies on their devices.

4. Explicit Consent

Explicit consent (as opposed to “regular consent”) is required in three cases:
– Processing of special categories of personal data
– Automated individual decision making having legal or similarly significant effects
– Transfer of personal data to third countries (if no adequacy decision or appropriate transfer mechanism available)

The WP29 explains that express consent need not necessarily be in writing.

An organisation may also obtain explicit consent through a telephone conversation, provided that the information about the choice is fair, intelligible and clear, and it asks for a specific confirmation from the data subject (e.g. pressing a button or providing oral confirmation).

Example A: A data controller may also obtain explicit consent from a visitor to its website by offering an explicit consent screen that contains Yes and No check boxes, provided that the text clearly indicates the consent, for instance: “I, hereby, consent to the processing of my data,” and not for instance, “It is clear to me that my data will be processed.” It goes without saying that the conditions for informed consent as well as the other conditions for obtaining valid consent should be met.

5. Interaction Between Consent and Other Lawful Grounds in Article 6 GDPR

If a controller chooses to rely on consent for any part of the processing, they must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent. The controller cannot swap from consent to other lawful bases. For example, it is not allowed to retrospectively utilise the legitimate interest basis in order to justify processing, where problems have been encountered with the validity of consent. Because of the requirement to disclose the lawful basis which the controller is relying upon at the time of collection of personal data, controllers must have decided in advance of collection what the applicable lawful basis is.

6. Children’s Consent and Parental Responsibility

The change from the original version is significant here. Originally, the guidelines stated that consent would expire when the child reaches the age of digital consent (16 if the national law does not indicate a younger age). In the updated version, however, consent can now be confirmed, modified, and withdrawn by the child when the age of digital consent is reached. This means that if the child does not take any action, consent given or authorised by a holder of parental responsibility for the processing of personal data prior to the age of digital consent will remain a valid ground for processing.

7. Pre-GDPR Consent

If a controller finds that the consent previously obtained under the old legislation will not meet the standard of GDPR consent, then it must undertake action to comply with these standards, for example by refreshing consent in a GDPR-compliant way. Under the GDPR, it is not possible to swap between one lawful basis and another. If a controller is unable to renew consent in a compliant way and is also unable – as a one-off situation – to make the transition to GDPR compliance by basing data processing on a different lawful basis while ensuring that continued processing is fair and accounted for, the processing activities must be stopped.

How OneTrust Helps

OneTrust has two solutions to help with the challenge of gathering and managing consent. First, OneTrust provides website owners with a mechanism for obtaining cookie consent from website visitors. Website visitors can express their consent via the banner and the customisable visitor preferences center. Second, OneTrust offers Universal Consent & Preference Management, which integrates with existing marketing and IT technologies to manage the entire consent lifecycle. Using the OneTrust SDK, REST API, or via bulk data feed import, consent is recorded and centrally stored within OneTrust.