ICO publishes Consent Guidance
On 9th May the Information Commissioner’s Office published its guidance concerning Consent. You can view the guidance here.
The guide provides useful commentary on a number of thorny issues including the need for consent to be clear and to offer real control to individuals. It also sets out guidance on record keeping that requires organisations to document the consent they obtain.
We’ve picked out some of the highlights here:
Understanding ‘special category data’ and consent. This is a tricky area. The ICO says that ‘explicit consent must be expressly confirmed in words’ rather than by any other positive action. This means someone must have proactively ticked a box or signed their name to demonstrate their explicit consent. OK, so far. In the majority of cases consent shouldn’t be linked to the provision of services. However, in some cases (for example organisations providing services to individuals with medical conditions), explicit consent will be needed to be able to process the data and provide the services - therefore it is permissible to make it clear that access to those services is dependent on the individual giving explicit consent.
Consent alongside incentives and detriment. In simple terms, consent isn’t valid if it cannot be withdrawn without detriment. This doesn’t necessarily mean that you can’t incentivise people to sign up to a service. The ICO’s view is that “it may still be possible to incentivise consent to some extent… For example, if joining a retailer’s loyalty scheme comes with access to money-off vouchers, there is clearly some incentive to consent to marketing. The fact that this benefit is unavailable to those who don’t sign up does not amount to a detriment for refusal. However, you must be careful not to cross the line and unfairly penalise those who refuse consent”.
Consent ‘just in case’ is a bad idea. In short, if, under the GDPR, you already have a lawful basis for processing data, gaining consent ‘just in case’ is ‘misleading and inherently unfair’. The ICO says you should ‘take all reasonable steps’ to tell individuals what the new lawful basis is and ‘minimise their loss of control over the data by giving them the chance to opt-out if possible’.
There might be more than one reason why you need to process data. You might rely on consent for one purpose, but know that, even after consent is withdrawn, you’ll need to retain the data for a particular purpose under another lawful basis. If this is the case you need to be transparent and tell individuals this at the start.
If consent is withdrawn, you need to stop. It’s as simple as that. You can still process the relevant data for a different purpose (as long as you have a lawful basis for it and as long as you informed individuals, at the time of obtaining consent, that this is the case).
You can’t change your mind when it comes to consent. As a data controller you can’t change the lawful basis of the processing after the fact. When consent is used as a lawful basis for processing, this gives the individual a sense of control over the use of their data. If they’ve withdrawn consent you can’t change the basis to ‘legitimate interest’ even if you think it applies.
Third party consent. If you rely on consent obtained by a third party, you must be specifically named in the consent request. Processors don’t need to be named, but there are requirements around disclosing details of processors.
ePrivacy is still a confusing area. We’ve written about this a great deal… but to summarise: the ePrivacy Regulation has not been finalised. In the meantime, PECR will continue to apply alongside GDPR, and PECR consent will be the same as GDPR consent.
Scientific research has been extended. There have been quite a lot of changes to this section to bring it in line with Article 29 Working Party guidance. The ICO reminds controllers that GDPR consent should not be confused with any other legal or ethical obligation to get consent from people participating in research.