The GDPR undeniably changes the rules of the game for consent in marketing by significantly tightening some rules while adhering to the main principles of the 1995 Directive and the 2004 Law (which introduced the opt-in). As a reminder, the latter already set out the rules for consent:
“For the purposes of this Article, consent shall be taken to mean any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by which he or she signifies agreement that personal data relating to him or her are processed for direct prospection.”
The GDPR, meanwhile, defines consent as follows:
“Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
The wording is very similar, meaning no fundamental changes were made on this particular point. Moreover, the GDPR explicitly states that pre-GDPR consent implies the authorization to continue data processing activities. There is therefore no need to renew the entire consent process before 25 May 2018.
As was already the case, consent therefore assumes the data subject takes clear, affirmative action. The data subject may provide a written or oral statement or behave in such a way that it may be reasonably concluded that he or she accepts personal data processing.
The consent must be freely given. This also means that it can be withdrawn at any time. Moreover, the absence of coercion must also be checked. For example, if the conclusion of a contract is conditional on the acceptance of the use of data for marketing purposes, this consent is not freely given. This also prevents the use of pre-ticked boxes.
The consent must be informed. This means the data subject must effectively understand what will happen to his or her personal data. That is why the request for consent must be concise, easily accessible and easy to understand. Clear and plain language must be used. The request for consent must be adapted to the target audience. Technical jargon and complex formulations must be avoided.
The consent must be specific. Individual or granular consent must be requested. Every purpose requires a different consent. The request for consent may not be buried in the terms and conditions either. One example of such a purpose: direct commercial prospection.
As you can see, the framework set out by the GDPR in terms of consent is particularly strict. Companies must communicate more information to the data subject. The information listed below is the absolute minimum:
- The identity of the controller: information needed to identify the controller and any parties who may receive this data.
- The purpose of the data processing: clear information, for every data processing activity, which explains how and for what the data will be used.
- The data processing activities: information for every data processing activity, unless the data processing concerns separate activities.
- The right to withdraw consent at any time and how to do this.
“Too much information can kill your information”. Inundating the data subject with too much information can have the opposite effect instead of achieving the objective of the regulation. When requesting consent, only relevant information should be communicated. The GDPR stipulates that when consent is obtained electronically, the information must be provided in a concise manner, and should not have a negative impact on the use of the service.