The question of how to validly obtain consent under the GDPR generates a lot of discussion, yet it is often a simple problem to deal with. There are, however, important considerations that need to be assessed. First: do you really need consent? This is an essential first step, as consent is only one of the six legal bases and it is not necessarily the one required in all cases (sometimes it needs to be avoided, as it can be a GDPR violation to use consent when another legal basis is required). This verification is an essential starting point (I). Only once we are sure consent is required from a legal perspective can we create a process that captures consent in accordance with the conditions set by the GDPR (II).
Why a valid consent is essential
National control authorities do not hesitate to order the erasure of all personal data collected without valid consent. In multiple cases in 2018, the French CNIL requested the erasure of more than 14 million and, in another case, over 60 million prospects' data that companies had not captured with valid consent. The economic damage can be very substantial. On the other hand, capturing legally valid consent is not a complex task.
The first mistake to avoid: organizations don’t need consent all the time. This is the first thing to clearly understand: consent is needed in a few cases only.
The legal obligation the GDPR imposes is to have a legal basis. There are six legal bases that allow organizations to collect and process personal data. Consent is only one of them! So, let’s take a look at some real-life examples.
|Consent is needed|Consent is not needed|
|---|---|
|Subscription to a newsletter|When the law requires the collection of personal data, for example invoicing, as this is a legal obligation|
|Download and receive a guide (e.g. a whitepaper)|In case of a sale or a contract (e.g. online sales)|
|More generally, activities in which a person will see his personal data processed and in which the person can request at any time to stop the activity|For employment: recruitment, CV|
In reality, to be able to legally collect data relating to persons, the GDPR imposes one condition: the data controller has to have a legal basis. This means we have to have at least one of the following conditions as described in article 6:
In practice, the need to request consent can be determined by eliminating the other legal bases, as follows:
does the law require you to collect personal data (e.g. in HR matters, such as existing obligations related to retirement, or in commercial matters for invoicing)? If so, then the legal basis is the legal obligation, and there is no need to ask for consent;
Consent is frequently used in marketing, for example to subscribe to a newsletter, where a person can start and stop the processing of his data at will (e.g. the unsubscribe link).
If you are in a situation where you need consent, congratulations, because it’s quite an easy task to get it! Let’s clarify one element first: a checkbox is not needed for consent. It can be useful if an organization wants to ensure that the person stopped and thought about what he or she agreed to, and clearly expressed agreement. But it’s not necessary. In reality, we need two essential elements. Let’s look at the legal definition, given by Article 4.
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
So to acquire consent, two elements must be there: a positive act by the person, and the person must be informed of what will be done with their data.
For consent to be validly collected, a positive act by the person is first required. In clear terms, it means the person needs to take an action themselves to show that they agree to the processing of their personal data.
Here are examples of valid actions
Here are examples of invalid actions
In fact, this is a very old legal problem: can silence equal acceptance? In clear terms, the question is: can a person be legally obliged to do something when they stayed silent? The GDPR's answer is absolutely not (it would otherwise open the door to significant abuses)!
For consent to be valid, the person must therefore perform a positive act themselves - such as entering their personal data themselves in a collection form or clicking a button.
One action is enough
However, the GDPR does not necessarily require a set of multiple actions, for example checking a checkbox AND then clicking on a button. A checkbox can be the manifestation of a positive act, but it’s not mandatory, and there are plenty of ways to get the user to take an action other than ticking a checkbox. For example, a person who enters his email address himself in a form performs a positive act, sufficient to meet the requirement of the GDPR.
What is important is that the action comes from the person himself. For instance, it would be unlawful to collect emails on forums and send commercial advertisements (no clear affirmative action from the person to agree to such processing).
To get valid consent, the GDPR has added other legal conditions that we can summarize as follows: the person whose data is processed must be clearly informed of what will be done with their data.
This is essential; otherwise, how could he/she consent to anything? From a legal point of view, the GDPR imposes several additional conditions, to ensure the consent given is well informed:
The G29 has written very detailed consent guidelines on these matters.
One risk for organizations that collect personal data is failing to collect valid consent. Avoiding this scenario is, however, relatively simple, provided that specific consent acquisition processes are put in place.
If you are uncertain about how to build these processes, head over to Legiscope, as these step-by-step processes are already built and the platform will help you automate a lot of other compliance tasks and save considerable amounts of time.