'Consent' is a word that always comes up in privacy news and discussions about privacy, and it's easy to see why. Everyone knows what consent means, at least in an everyday sense. Everyone should like the idea of consent as it relates to individual autonomy and freedom. It's cool to think that your data belongs to you and should not be used against your will.
On the other hand, because everyone understands consent in an everyday sense, it's easy to fall into some common mistakes and overestimate their legal implications. This blog will answer two common questions about consent in the GDPR and give you a clearer picture of what consent is and how it works.
- Can I do anything as long as I have consent?
- Do I always need consent under the GDPR?
- What is explicit consent?
- Is your data always yours?
- Do I always need consent for cookies?
- Final Thoughts
Let's dive in!
Can I do anything as long as I have consent?
No, you can't. There are things you simply cannot do, with or without consent. The GDPR includes a long list of obligations for the data controller. Breaching these rules is a violation even if the data subjects consent to everything you are doing.
For example, the data minimization principle1 means that you can only process the data you need for your purpose and no more than that. For example, when you sign up for our awesome privacy newsletter, we can't ask you to provide your home address because we only need your email to deliver the news. Collecting your home address for this purpose would violate the GDPR even with your consent.
Likewise, personal data must always be processed in a secure way2. Unsafe processing is a violation even if the user expressly consents to their data being processed unsafely. The GDPR simply doesn't care about consent in this case.
Bottom line: Compliance is more than collecting consent, and consent is not a fix for noncompliance.
Do I always need consent under the GDPR?
No, you don't. You can lawfully process data without consent, but you will need another legal basis.
Under the principle of lawfulness, the processing of personal data always requires a legal basis. The GDPR lists six legal bases3 (often referred to as legal grounds) to choose from, each with its own requirements and limitations. You need to pick one of these grounds whenever you process personal data and stick to it. Consent is one of those grounds, but relying on a different legal basis is perfectly legitimate in some scenarios.
For example, let's assume you are managing the website for an online shoe shop. When a customer buys from the shop, the seller needs billing information, a delivery address, the customer's shoe size, and some contact information to ensure the delivery goes well. All this information is personal data, and the processing requires a legal basis.
You have three options in this case:
- you can collect the user's consent before the purchase is finalized;
- you can rely on the "performance of a contract" (in this case, the sale);
- you can rely on the "legitimate interest of the controller" (in this case, the shop's interest in conducting business).
If you choose legitimate interest or performance of a contract as your legal grounds, you don't need to ask for consent. In this case, all three options are perfectly compliant, and choosing between them is a matter of weighing the pros and cons of each.
To be clear: each legal ground comes with specific requirements. This means that no single legal basis applies to every possible scenario. For example, you cannot rely on the "performance of a contract" to send promotional material to your customers, which goes beyond what is strictly necessary to perform the contract. And if you choose "legitimate interest" as your legal basis, you must balance your interest against the data subject's rights.
Like other legal grounds, consent also comes with requirements under the GDPR: it must be freely given, informed, specific and unambiguous4, and it must be possible to withdraw consent at any time5. If these requirements cannot be met, a different legal ground is needed6.
So a legal ground must be found case by case. Sometimes multiple grounds are available. At other times only one is available, or none at all, which means the data cannot be processed.
What is explicit consent?
The GDPR also mentions a "special" type of consent called explicit consent.
Explicit consent is an exception to several rules regarding sensitive data, automated decision-making, and data transfers7. So whether consent is explicit or not only matters in specific situations, one of these is the processing of sensitive data. As we explained, this scenario might become quite frequent in the near future.
Explicit consent must satisfy all the requirements for "regular" consent" and also be explicit. This extra requirement is somewhat fuzzy8, but as a rule of thumb, you can think of explicit consent as a very unambiguous consent9.
Is your data always yours?
As stated above, in some cases, the GDPR allows the processing of personal data without someone's consent. How can we then honestly say that your data is yours and you decided what will be done with it?
Here's the deal. The GDPR protects privacy, but that is not its only purpose. The GDPR states that the right to data protection is not absolute and must be balanced against other rights10. This balance is what the GDPR ultimately strives to achieve.
In many cases, relying on consent is impossible, yet data needs to be processed. For example, a company negotiating a contract online with a customer needs to use their contact information, which constitutes processing personal data and requires a legal basis. Consent cannot work because they would need to contact the customer to collect consent - and they would need to process his data to do so. In this case, allowing the data to be processed without consent is in everyone's best interest.
Not using consent does not mean the data subject receives no protection. All legal grounds come with their own limitations, which give data subjects some protection. Sometimes consent provides less protection than other grounds.
For example, employers cannot process employee data based on consent11 because they are in a position to pressure the employee into consenting. So the GDPR forbids employers from using consent, but it also supplies them with other grounds for processing data. These grounds give the employee some degree of protection, which is better than no protection at all.
Do I always need consent for cookies?
As we mentioned, "non-essential" cookies always require consent under the ePrivacy Directive. The ePrivacy Directive is older than the GDPR, and there is some overlap between the two of them. And both apply to cookies since cookies are always personal data.
This overlap is important in practice. Because of the ePrivacy Directive, "non-essential" cookies always need consent. And because of the GDPR, this consent needs to be informed. This is why websites using cookie-based analytics, such as Google Analytics, require cookiebanners that provide certain information about the processing of cookies. Without that information, consent would not be informed and valid under the GDPR.
The protection of personal data is important. The GDPR has provided guidelines and set the boundaries for what's possible and what is not. As a business, you must adhere to these laws to protect your customer's privacy. Navigating these privacy laws may prove to be difficult because there is a lot you need to grasp and take into account, as shown above.
Having a clear framework and processes reduces your company's risk of data breaches or other hazards. However, following the principle of data minimization, only collecting information that is strictly necessary to run your business is a great first step.
At Simple Analytics, we believe that you don't need to collect personal data or install cookies to get actionable insights into your website analytics. We believe in creating an independent web that is friendly to website visitors while providing the insights you need to run your business. If this resonates with you, feel free to give us a try.
- #1 Art. 5(1)(c) GDPR.
- #2 Art. 5(1)(f) and 32 GDPR.
- #3 Art. 6(1) GDPR.
- #4 Art. 4(11) GDPR.
- #5 Art. 7.3 GDPR.
- #6 For example: consent cannot be freely given in the context of an employment relationship, with only very narrow exceptions. See EDPB Guidelines 05/2020 on consent under Regulation 2016/679.
- #7 Art. 9(2)(a), 22(2)(c), and 49(1)(a) GDPR
- #8 We do have some guidance from the EDPB Guidelines 05/2020 on consent, Chapter IV, but no real definition
- #9 It has also been argued that explicit consent should be collected separately. See Kuner, Christopher and others (eds), The EU General Data Protection Regulation (GDPR): A Commentary (New York, 2020; Oxford University Press), p. 185.
- #10 Recital 47
- #11 EDPB Guidelines 05/2020 on consent, par. 21 onwards