“You must agree to our modified Privacy Statement.”
In the past few days, our mailboxes and monitors were flooded with messages like this. Besides angering customers, this information has hardly any legal merit in trying to gain consent for the processing of data.
The new General Data Protection Regulation (GDPR) that took effect on May 25 is much stricter with regard to consent than the previous European data protection regulations were. It prevents businesses from cajoling their users into authorising access to all data with a “take it or leave it“ approach. This is particularly true for major corporations: Their substantial market power has allowed them to make their customers agree to almost any form of consent.
In brief, consent only constitutes a valid basis for processing if the person concerned has a real option of saying “Yes” or “No” to every type of processing – without suffering any disadvantages.
In particular, the provision of a service must not depend on the customer’s consenting to data processing (“prohibition of tying”). Even in the case of a clear lack of balance (e.g. monopolies or employers), GDPR generally does not presume voluntary consent. GDPR takes the point that any combination of processing operations placed within one choice of consent but not related objectively (e.g. the processing of data for the purpose wanted by the user and the transfer of data to third parties for other purposes) is not specific enough and not voluntary in all of its parts. In addition, withdrawing consent at a later point in time must be possible without suffering any disadvantages.
On a formal level, phrasings need to be easy to understand and relate to a particular processing operation in a clear, precise and specific manner. Consent must not be hidden within other texts (e.g. data protection information according to Par. 14 GDPR or “General terms and conditions”). Instead of “opting out” or pre-activated checkboxes, an explicit user activity (“opting in”) is required. In many cases, this will dramatically lower the probability of consent.
Processing data without a valid declaration of consent falls within the maximum penalties foreseen by GDPR, which is 4% of global turnover or 20 million euros.
In conclusion, consent is an option that can be used meaningfully for additional functions which are in the interest of the customer. Users may, for example, give consent to receiving personalised offers – occasionally they are happy to do that. Businesses can proactively promote or market these options.
Looking for alternatives to consent
GDPR has a clear objective: When it comes to processing operations, businesses should rather go along with one of the five other legal bases for data processing. Data may still be processed legally – even without user consent – if it is necessary to execute a contract, in order to comply with legal requirements, or for “legitimate purposes” (such as security interests).
With GDPR, the consent option which has frequently been used for data processing has become less relevant. However, in many situations the five other legal bases will often be a much firmer legal framework since they can usually be used regardless of the decisions of individual users. Contrary to consent, there is no risk of withdrawal, either.
These alternatives also have the advantage of not interrupting processes, since many users feel negative about checkboxes for consent. With a sensible approach in the number of requests for consent, services will be easier to use and the clicks it takes to complete a process will be minimised.