The UK Information Commissioner’s Office has just published draft guidance on consent under GDPR. This is an interesting move given that the Article 29 Working Party has promised guidance on the same topic later this year, but reading the guidance makes it clear why the ICO decided to prioritise it: many of the practices which it identifies as unacceptable are fairly common in the UK, meaning many companies are going to have to re-think their approach to legitimising their data processing.
A few examples:
- The new guidance states: “name your organisation and any third parties who will be relying on consent – even precisely defined categories of third party organisation will not be acceptable under GDPR.” This is a departure from the current guidance on direct marketing, which says that an indirect consent may be valid “if the consent very clearly described precise and defined categories of organisations and the organisation wanting to use the consent clearly falls within that description.”
- Controllers must give granular options to consent separately for separate purposes, unless this would be unduly disruptive or confusing. In addition, language likely to confuse (“for example, the use of double negatives or inconsistent language”) will invalidate consent.
- Controllers should consider whether to automatically refresh consent at appropriate intervals. The frequency of this will depend on the context, but the ICO recommendation is that, if in doubt, controllers should consider refreshing consent every two years. The guidance also suggests that, if not in regular contact with individuals, controllers could “consider sending occasional reminders of their right to withdraw consent and how to do so.”
- The guidance is also specific about what it means to make it “as easy to withdraw as to give consent,” as required by article 7(3) of the GDPR. The process of withdrawing consent should be an easily accessible one-step process, if possible using the same method as was used to collect the consent. So, companies collecting consent online should also provide online opt-out links.
The guidance also tackles the common misunderstanding that consent is generally the best approach for legitimising data processing. Many controllers struggle to understand this, but as the guidance says, “if you cannot offer a genuine choice, consent is not appropriate” and controllers should look for a different basis for the processing. The guidance takes a conservative approach to the impact of article 7(4) on making a service conditional on consent, and it would be helpful to have more guidance on when conditioning a free service on consent might be justified.
The guidance is open for consultation until 31 March.