'Consent' is a word that always comes up in privacy news and discussions about privacy, and it's easy to see why. Everyone knows what consent means, at least in an everyday sense. Everyone should like the idea of consent as it relates to individual autonomy and freedom. It's cool to think that your data belongs to you and should not be used against your will.
On the other hand, because everyone understands consent in an everyday sense, it's easy to fall into some common mistakes and overestimate the legal implications of consent. This blog will answer some common questions about consent in the GDPR and give you a clearer picture of what consent is and how it works.
- Can I do anything as long as I have consent?
- Do I always need consent under the GDPR?
- What does valid consent look like?
- What is explicit consent?
- Do I always need consent for cookies?
- Do you control your data?
- Final Thoughts
Let's dive in!
Can I do anything as long as I have consent?
No, you can't. There are things you simply cannot do, with or without consent. The GDPR includes a long list of obligations for the data controller. Breaching these rules is a violation even if the data subjects consent to everything you are doing.
For instance, the data minimization principle means that you can only process the data you need. When you sign up for our awesome privacy newsletter, we can't ask you to provide your home address because we only need your email to deliver the news. Collecting your home address for this purpose would violate the GDPR even with your consent.
Likewise, personal data must always be processed in a secure way. Unsafe processing of personal data is a violation even if the user expressly consents to their data being processed unsafely. The GDPR simply doesn't care about consent in this case.
Bottom line: Compliance is more than collecting consent, and consent is not a fix for noncompliance.
Do I always need consent under the GDPR?
No, you don't. You can lawfully process data without consent, but you will need another legal basis.
Legal bases are a big topic (and we have a blog on that as well), but the tl;dr is that they are justifications for taking someone's data. The GDPR lists six such justifications, and you need to pick one of them and stick to it whenever you use someone's data. Consent is one of those justifications, but it is not the only one. In some scenarios, relying on a justification other than consent is perfectly acceptable.
For instance, let's assume you are managing the website for an online shoe shop. When a customer buys from the shop, the seller needs billing information, a delivery address, the customer's shoe size, and some contact information to ensure the delivery goes well. The shop can annoy the customer by asking for consent to collect these data, or it can rely on the different legal basis of the performance of a contract and simply let the customer fill in the forms without annoying consent prompts.
What does valid consent look like?
The GDPR sets a high bar for consent. Consent must be freely given, specific, informed, unambiguous, and revocable. If it lacks any of these requirements, then it is not valid consent.
There is a lot to say about these requirements and we can't possibly fit it all here. But it is worth pointing out that "unambiguous" consent has to be strictly opt-in. There is no such thing as implied or presumed consent under the GDPR.
If you want to know more about consent standards, feel free to check out our blog on the topic.
What is explicit consent?
The GDPR also mentions a "special" type of consent called explicit consent.
Explicit consent is an exception to specific rules regarding sensitive data, automated decision-making, and data transfers. So, whether consent is explicit or not only matters in those specific situations.
Explicit consent must satisfy all the requirements for "regular" consent and also be explicit. This extra requirement is somewhat fuzzy because the "explicit" requirement looks awfully similar to the "unambiguous" requirement for "regular" consent. But as a rule of thumb, you can think of explicit consent as a "very unambiguous" consent.
Do I always need consent for cookies?
No: it depends on the type of cookies and their purpose.
This is actually not a GDPR matter: the consent requirement for cookies comes from the ePrivacy Directive of the EU. The Directive requires consent for all non-essential cookies, that is, cookies that are not strictly necessary to make communication possible or to provide a service. Cookies that are strictly needed can be (and often are) placed without your consent.
Do you control your data?
As stated above, in some cases, the GDPR allows the processing of personal data without someone's consent. But doesn't that undermine the fundamental idea that you control your data?
This is a complex question and I don't have a definitive answer, but there are at least three points worth considering.
First: the GDPR protects privacy, but that is not its only purpose. The GDPR states that the right to data protection is not absolute and must be balanced against other rights (that's a leitmotif in EU law, really). This balance is what the GDPR ultimately strives to achieve, and strict reliance on consent would sometimes make the balance impossible.
In many cases, relying on consent is impossible, yet data needs to be processed. For example, a company negotiating a contract online with a customer needs to use their contact information, which requires a legal basis. Consent cannot work because they would need to contact the customer to collect consent in the first place. In this case, allowing the data to be processed without consent is in everyone's best interest.
Second: not requiring consent does not mean that privacy rights are not protected. The GDPR includes a bunch of stringent rules that have nothing to do with consent. Even if someone can take the data without your consent, they still need to handle it in a safe way, they need a good reason to share it, and so on. They can't simply do as they please!
Finally: all justifications for taking personal data come with their own specific limitations. These limitations are not formalities: they protect privacy rights by dictating what can and cannot be done with the data. As counter-intuitive as it may sound, sometimes your privacy is best protected when your data are taken without your consent and under a different legal basis instead.
Suppose that your employer wants your personal data and hands you a consent form. You are probably not really free to say no, because the employment relationship puts you in a position where you can potentially be pressured to consent. This is why the GDPR (almost always) bans the use of consent in scenarios involving employment relationships and requires different legal bases instead. These different bases actually afford better protection to the employee!
Final Thoughts
The protection of personal data is important. The GDPR has provided guidelines and set the boundaries for what's possible and what is not. As a business, you must adhere to these laws to protect your customers' privacy. Navigating these privacy laws may prove to be difficult because there is a lot you need to grasp and take into account, as shown above.
Having a clear framework and processes reduces your company's risk of data breaches or other hazards. Following the principle of data minimization and collecting only the information that is strictly necessary to run your business is a great first step.
At Simple Analytics, we believe that you don't need to collect personal data or install cookies to get actionable insights into your website analytics. We believe in creating an independent web that is friendly to website visitors while providing the insights you need to run your business. If this resonates with you, feel free to give us a try.