Silence Does Not Mean Consent – Danish DPA Issues Detailed Guidance on ‘Consent’ Under GDPR
September 9, 2019 – Alerts
The Danish data protection authority has published an updated, detailed guide on the ins and outs of consent under GDPR. Below is a short summary of the key takeaways.
When to request consent: Consent must be obtained before personal data processing begins.
How To Request Consent
- If consent is given in a written declaration that also addresses other matters (e.g. trading conditions for the purchase of a service), the request for consent must be presented in a way that is clearly distinguishable from the other matters, in an understandable and accessible form and in clear and simple language.
- Consent can be given orally, in writing or digitally. What matters is that the data subject’s statement or action clearly identifies the data subject’s intention; consent cannot be implied.
- Consent is best sought in writing as the data controller must be able to prove that it provided sufficient disclosure and received appropriate consent. Without this, consent cannot be used as a legal basis.
- Consent must be specified in such a way that it clearly states for what the consent is given.
- The request for consent must be made in an understandable and accessible form and in clear and simple language appropriate for the target audience receiving it. Normally it will be sufficient to make one request that targets both children and adults, provided it is formulated so that it is easily understandable for children.
What To Say When Requesting Consent
The data controller must disclose the information that is necessary for consent.
This includes, at minimum:
- The identity of the controller
- The purpose of the intended processing
- Which information is processed
- Whether or not there is automatic processing
- Whether there is a transfer to a third country and the relevant risks
- The right to withdraw consent
General statements like "provide you with a better service" are not valid.
Consent Must Be Voluntary
- Consent must be voluntary. If the data subject does not have a real and free choice, consent is not voluntary.
- Consent must not be given under duress or under undue pressure or influence on the data subject’s free will.
- Consent is generally considered not to be given freely if there is a clear imbalance between the data subject and the data controller.
- Example: A private organization can use consent as a legal basis for taking pictures of the members and publishing them on its website if the consent is voluntary and there are no negative consequences for refusal. Legitimate interest may be another applicable basis.
- If the supply of a product or service is conditioned on consent to processing that is not necessary for the purchase of those goods or services, the consent is not freely given.
- Rewards programs: A data controller may to some extent motivate the data subject to consent through a benefit associated with that consent. For example: Enrollment in a store benefit program that offers discounts motivates customers to consent to receiving promotional material from the store. Such consent is voluntary. However, consent will not be deemed voluntary if a lack of consent results in negative consequences for the data subject, e.g. in the form of additional costs or revocation of the generally applicable discounts.
Consent Must Be Granular
- Consent must be specific and granular.
- Where data processing serves several purposes, the data controller must obtain separate consent for each purpose that is to be processed on the basis of consent.
- The data controller must therefore offer the data subject the ability to consent to one purpose without consenting to the others. In practical terms this can be done, for example, in the form of a single statement in which the data subject can select the purposes for which he or she accepts that the information is processed (e.g. separate consent for receiving marketing material by email and separate consent for sharing information with third parties for marketing purposes).
Consent and Public Authorities
- A public authority will often not be able to process personal data on the basis of consent. Public authorities should, for this reason, carefully consider the use of consent as a legal basis for processing.
- Even if the law under which the public authority operates requires the “consent” of the citizen, this “consent” may differ from GDPR consent as a legal basis. In many of these cases the appropriate legal basis is “necessary in the public interest” (Article 6(1)(e)).
- In certain situations, where the data subject’s refusal to give consent has no bearing on the authority’s provision of a service or grant of a permission to the data subject, the processing may take place on the basis of consent. For example, consent may be a legal basis for receiving email or SMS notifications from a public authority.
Consent in the Employment Context
- The processing of personal data in the employment context can take place on the basis of the data subject’s consent as long as the consent meets the requirements of GDPR.
- In view of the inequality of the employer-employee relationship, however, the employer must assess whether the employee’s consent actually reflects the employee’s free choice or has been given out of fear of significant negative consequences. The employer should always consider whether consent is necessary or whether a more appropriate legal basis is available.
- Example: A large organization wants to improve employee communication by including employee photos in the employee directory. If there are no negative consequences for refusal, consent of the employee can be a valid legal basis for this.
How to Give Consent
The consent must be communicated in the form of an unambiguous indication. This can be:
- signature on a document
- ticking a box when visiting a website
- selection of technical options for information society services, for example on social media
Other active actions also qualify when the necessary information has been made available and it is clear that the action means consent:
- a swipe
- a wave in front of a smart camera
- moving the smartphone clockwise or in a figure eight
- accepting a pre-formulated statement of consent, if confirmation is given by an active operation, for example by clicking on a field that clearly informs the data subject that the action constitutes consent to the processing
How Not to Give Consent
- General acceptance of the general terms and conditions cannot be taken as a clear confirmation that the data subject consents to the processing of personal data.
- Silence, pre-ticked boxes on websites or inactivity are not sufficient to constitute an unambiguous indication and cannot constitute consent.
- In some cases explicit consent is required: e.g. processing of sensitive data (e.g. information about racial or ethnic origin, political opinions, religious beliefs, trade union membership or health information), automated decision-making and profiling, and transfer to a country that has not been deemed to provide adequate protection for personal data.
- The regulation does not explain in detail what is meant by explicit consent, and the wording does not impose further requirements for consent, but it stresses that there must be no doubt that consent has been given.
How to Revoke Consent
- The data subject may at any time withdraw his or her consent.
- It should be as simple and accessible to withdraw consent as to give it, though the manner does not have to be identical.
- If consent is obtained by a single mouse click, keystroke or swipe, withdrawing consent should be possible in a similarly simple way.
- If consent is given through a website, application or via e-mail, withdrawal should be possible using the same solution. Requiring that withdrawal be done only by phone call during business hours is not valid.
- It is also recommended to offer data subjects additional ways to withdraw their consent, as not all data subjects are comfortable using the internet.
- The data subject must also be able to withdraw consent without negative consequences. Data controllers cannot charge fees for withdrawal of consent.
What Happens After Consent is Revoked
- Revoking consent does not affect the lawfulness of the processing based on consent before the withdrawal. Withdrawal of consent applies only to the future processing of the data subject’s personal data. In short, the data controller must stop processing the personal data as quickly as possible once the data subject withdraws consent.
- However, storage of personal data is processing, and if consent is the legal basis for the storage, the data must be deleted. The data can be retained, however, if there is an independent alternative legal basis for the storage, e.g. retention required by accounting or tax rules.
- Data controllers should retain documentation about the process for obtaining consent, the request for consent, the consent form — in order to be able to defend themselves in case of a legal claim about the validity of consent.
Consent from Children
- Children require special protection for the processing of their data because they are less aware of the risks and consequences.
- Such special protection should apply, in particular, to the use of children’s personal information for marketing purposes, to the creation of personality or user profiles, and to the collection of personal data on children when they use services offered directly to children.
- When a controller wants to process personal data about a child on the basis of consent, the data controller must consider whether the child can give consent. The data controller must concretely assess whether the child has sufficient maturity and understanding to give consent on his or her own. Normally, a child of 15 years is sufficiently mature to give consent on his or her own behalf.
- If the controller determines that the child does not have the sufficient maturity, consent should be obtained from the holder of parental authority.
- The information to be provided prior to granting consent should be adjusted to the child’s level of understanding. The information must be written in clear and easily understandable language so that the child can understand it.
- Processing children’s data as part of offering information society services directed at children (e.g. e-commerce, online games and social media) is generally lawful if the data subject is at least 16 years old and has consented. In Denmark, for children under 13, consent should be given by the holder of parental authority.
- Providers of information society services directly to children should ensure their protection by building mechanisms so that children under the age limit are prevented from giving consent in relation to activities such as creating a profile.
Consent Checklist
- Consider whether consent is the most appropriate legal basis for processing personal data in the given situation.
- The consent request is distinct and separate from sales and delivery terms.
- Always seek consent through an active choice.
- Never obtain consent through pre-checked fields or other methods based on inaction.
- Consent is written in clear and simple language that is easily understood by a person in the target group.
- The consent specifies the purpose of the intended processing of personal data.
- If you want consent for various purposes, ask for separate consent for each purpose.
- The name of the controller appears in the text of the consent request.
- Advise the individual of the possibility to withdraw his or her consent.
- There are no negative consequences associated with failing to give consent or with withdrawing consent.
- Consent is not a condition for the supply of a product/service.
- If you provide information society services directly to children under 13, use consent to the extent that it is possible to check the child’s age, and obtain parental consent if the child is under 13.
- Document who has consented, when and how consent was given, what the individual has consented to, and that the consent is actually given freely.
- Regularly check that consent is still valid and correct and that the purpose of the processing, or the processing itself, has not changed.
Odia Kagan is a Partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. For assistance with the full range of GDPR compliance issues, including obtaining consent, contact Odia at [email protected] or 215.444.7313.