How to obtain valid consent under the GDPR?
by Benoît De NAYER
The General Data Protection Regulation (GDPR) extends the scope of the principle of conditional consent to the processing of personal data. What it does not do is alter the existing provisions under the 1995 Directive or the 2004 Law for confidence in the digital economy (LCEN for short). Any pre-GDPR opt-ins remain valid, and prospection via text messaging or e-mail can continue under the same conditions. However, companies must apply certain existing conditions, which have been somewhat neglected to date, more strictly: proof that consent was obtained, the purpose for which consent is requested, and the categories of providers or third countries to which the data is transferred.
To help you become GDPR-compliant, ACTITO has a “Forms and Pages” module, which automatically keeps track of the context and displays the legal mentions when consent is obtained. The Preference Center template is ready to use and takes into account all the principles of information and granularity for obtaining consent, as required under the GDPR. By using these modules, you can be sure that you have demonstrated your goodwill as far as the implementation of the GDPR principles is concerned, something you may be required to prove in the next two years.
A. The rules of consent
The GDPR undeniably changes the rules of the game for consent in marketing, by significantly tightening some rules while adhering to the main principles of the 1995 Directive and the 2004 Law (which introduced the opt-in). As a reminder, the latter already set out the rules for consent:
“For the purposes of this Article, consent shall be taken to mean any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by which he or she signifies agreement that personal data relating to him or her are processed for direct prospection.”
The GDPR, meanwhile, defines consent as follows:
“Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
The wording is very similar, meaning no fundamental changes were made on this particular point. Moreover, the GDPR explicitly states that pre-GDPR consent authorizes the continuation of data processing activities. There is therefore no need to renew the entire consent process before 25 May 2018.
As was already the case, consent therefore assumes the data subject takes clear, affirmative action. The data subject may provide a written or oral statement or behave in such a way that it may be reasonably concluded that he or she accepts personal data processing.
The consent must be freely given. This also means that it can be withdrawn at any time. Moreover, the absence of coercion must also be checked. For example, if the conclusion of a contract is conditional on accepting the use of data for marketing purposes, this consent is not freely given. This also rules out the use of pre-ticked boxes.
The consent must be informed. This means the data subject must effectively understand what will happen to his or her personal data. That is why the request for consent must be concise, easily accessible and easy to understand. Clear and plain language must be used. The request for consent must be adapted to the target audience. Technical jargon and complex formulations must be avoided.
The consent must be specific. Individual or granular consent must be requested: every purpose requires a separate consent. Nor may the request for consent be buried in the terms and conditions. One example of such a purpose: direct commercial prospection.
As you can see, the framework set out by the GDPR in terms of consent is particularly strict. Companies must communicate more information to the data subject. The information listed below is the absolute minimum:
- The identity of the controller: information needed to identify the controller and any parties who may receive this data
- The purpose of the data processing: clear information, for every data processing activity, which explains how and for what the data will be used.
- The data processing activities: information for every data processing activity, unless the data processing concerns separate activities.
- The right to withdraw consent at any time and how to do this.
“Too much information kills the information.” Inundating the data subject with too much information can defeat the objective of the regulation rather than serve it. When requesting consent, only relevant information should be communicated. The GDPR stipulates that when consent is obtained electronically, the information must be provided in a concise manner and should not have a negative impact on the use of the service.
B. Proof of consent
The controller must provide proof of the consent. The text of the GDPR does not stipulate, however, how to provide such proof. Typically, a time stamp of when consent was obtained should be sufficient: date, time, the URL used, and the originating IP. Proving that all the legal mentions were clearly displayed when consent was obtained is more difficult, however.
One solution would be to record the context in which consent was requested and obtained, i.e., the exact instant when consent was obtained, the source and the information that was communicated to the data subject at the time of consent.
C. The double opt-in
Some have assumed that the double opt-in is the only way to ensure valid consent as intended by the GDPR. But they are wrong: the text does not mention this requirement. The same question was raised in 2004 and the French National Commission on Informatics and Liberty (CNIL) never imposed this method for obtaining consent for e-mail prospection.
D. The consent of minors
The GDPR indicates that the consent of minors, under 16 years of age (15 years in France), can only be obtained with the consent of their parents for all services of the information society.
The controller must therefore check the age of data subjects using every possible technical means.
E. What about pre-GDPR consent?
If the aforementioned conditions were respected when consent was requested, no new consent needs to be requested (Recital 171 of the GDPR states that data processing is GDPR-compliant when it is based on consent given in accordance with Directive 95/46/EC).
Proof of the conditions under which the consent was obtained is often difficult to provide. In that case, it may be worth contacting the data subjects in question, with a view to asking them to reiterate their consent. We explain below how ACTITO can help you do this.
F. Withdrawal of consent
The data subject must be able to withdraw his or her consent to the processing of his or her personal data at all times. The GDPR indicates that the same channel that was used for giving consent must be used. If the consent was given through a website for example, the data subject must also be able to withdraw this consent on this website, using an online preference center.
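The record that section B recommends (the exact instant, the source, and the information communicated) and the withdrawal described in section F can be sketched as a small consent ledger. The following Python is an added example, not ACTITO's code nor anything the regulation prescribes: the class and field names, the SHA-256 digest of the displayed notice (kept so a later edit of the notice text can be detected), and all sample values are constructed for illustration.

```python
"""Added example: a minimal consent ledger that stores, per contact and per
purpose, the context in which consent was obtained or withdrawn.
All names and sample values are constructed for illustration."""
import hashlib
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentNotice:
    """The information shown to the data subject at the moment of consent
    (the four minimum elements listed in section A)."""
    controller: str               # identity of the controller and recipients
    purpose_description: str      # what the data will be used for
    processing_activities: str    # the processing activities covered
    withdrawal_instructions: str  # the right to withdraw and how to do it

    def render(self) -> str:
        """Plain-text version of the notice exactly as it is displayed.
        Refuses to render if a mandatory element is missing."""
        for name, value in asdict(self).items():
            if not value.strip():
                raise ValueError(f"notice is missing the mandatory element: {name}")
        return (f"Controller: {self.controller}\n"
                f"Purpose: {self.purpose_description}\n"
                f"Processing: {self.processing_activities}\n"
                f"Withdrawal: {self.withdrawal_instructions}\n")


@dataclass(frozen=True)
class ConsentEvent:
    contact_id: str
    purpose: str          # one granular purpose per event
    given: bool           # True = consent given, False = consent withdrawn
    timestamp: str        # ISO 8601, UTC
    channel: str          # e.g. "website"
    source_url: str
    source_ip: str
    notice_text: str      # verbatim notice shown (empty for withdrawals)
    notice_sha256: str    # digest of notice_text, to detect later edits


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    @staticmethod
    def _stamp(at: Optional[datetime]) -> str:
        return (at or datetime.now(timezone.utc)).astimezone(timezone.utc).isoformat()

    def record_consent(self, contact_id: str, purpose: str, affirmative_action: bool,
                       channel: str, source_url: str, source_ip: str,
                       notice: ConsentNotice, at: Optional[datetime] = None) -> ConsentEvent:
        # Consent needs a clear affirmative action: a pre-ticked box or silence is rejected.
        if not affirmative_action:
            raise ValueError("no clear affirmative action: pre-ticked boxes or silence are not consent")
        text = notice.render()
        event = ConsentEvent(contact_id, purpose, True, self._stamp(at), channel,
                             source_url, source_ip, text,
                             hashlib.sha256(text.encode("utf-8")).hexdigest())
        self._events.append(event)
        return event

    def withdraw_consent(self, contact_id: str, purpose: str, channel: str,
                         source_url: str, source_ip: str,
                         at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is recorded with the same context fields as the original consent.
        event = ConsentEvent(contact_id, purpose, False, self._stamp(at), channel,
                             source_url, source_ip, "", "")
        self._events.append(event)
        return event

    def history(self, contact_id: str, purpose: str) -> List[ConsentEvent]:
        return [e for e in self._events if e.contact_id == contact_id and e.purpose == purpose]

    def has_consent(self, contact_id: str, purpose: str) -> bool:
        """Consent is in force only if the latest event for this purpose gave it."""
        events = self.history(contact_id, purpose)
        return bool(events) and events[-1].given

    def proof_of_consent(self, contact_id: str, purpose: str) -> Optional[Dict]:
        """Full context of the consent currently in force, or None."""
        if not self.has_consent(contact_id, purpose):
            return None
        return asdict(self.history(contact_id, purpose)[-1])


if __name__ == "__main__":
    ledger = ConsentLedger()
    notice = ConsentNotice("Example SA (constructed)", "direct commercial prospection by e-mail",
                           "storing your e-mail address and sending newsletters",
                           "withdraw at any time via the preference center on this website")
    ledger.record_consent("contact-42", "email_prospection", True, "website",
                          "https://example.test/signup", "203.0.113.5", notice)
    print(ledger.proof_of_consent("contact-42", "email_prospection"))
```

Because each event carries a single purpose, consent for e-mail prospection says nothing about SMS prospection, and a withdrawal appended later is what turns `has_consent` off while the earlier record stays in the history as evidence.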
G. How can ACTITO help you obtain valid consent and proof of this consent?
Below we explain in practice how we apply the above principles. ACTITO has a set of tools that allow you to be GDPR-compliant.
Our “Forms and Pages” module allows you to easily build a form that complies with the legal requirements, and which provides proof of consent.
The Preference Center form template has all the elements you need to capture valid consent by setting up a layered consent information system.
The form’s data and the time of consent are then added to the ACTITO contacts database.
The proof of consent can then be provided by referring to the form. You can thus easily find the conditions under which the data subject consented to the processing of his or her personal data.