What to Know About Data Consent Under GDPR


The European Union’s General Data Protection Regulation (GDPR) gives consumers unprecedented control over how their personal data is handled. Not only do individuals in the European Union now have the right to give and to withdraw consent for the collection, use, and storage of their data, but they also have the right to be forgotten.

Greater consumer control, coupled with restrictions on how companies can use the information they collect, creates a data-collection minefield that American tech companies must navigate to avoid fines and remain competitive. What makes it difficult is that the EU guidance to date has been painted in broad strokes, whereas companies have detailed real-world issues to deal with daily. Companies will have to make judgment calls about how to implement what the GDPR says. Still, there are some basics regarding data consent that every company should keep in mind. Here’s what you need to know. This post covers consent; a business may have other lawful bases for processing personal data besides consent, and should decide which basis applies before asking for consent at all.

The Different Characteristics of Consent Related to the GDPR Guidelines

One of the most complicated aspects of navigating consumer consent under the GDPR is that there are many different characteristics of consent to consider. The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject's wishes.” Consent must be expressed “by a statement or by a clear affirmative action.”

Characteristics of Consent

Taking these characteristics in turn: first, consent must be freely given. Requiring consent on a take-it-or-leave-it basis, for example by making access to a service conditional on consenting to unrelated data uses, creates a risk that the consent is not free. Companies that want to require consent on that basis will need to make careful judgments about what they can do in light of the law.

Consent must be specific. The request for consent cannot be so vague that it fails to describe clearly what is being asked, and a single blanket consent cannot cover several distinct purposes. Moreover, consent must be informed: the company must provide enough information in its disclosure that the individual can understand what he or she is consenting to.

The action taken to consent must be unambiguous. The individual should understand which actions will signify consent and must, in fact, take those actions, and it must be clear from those actions that consent is what the individual intends. The company can, for instance, word its requests for consent to spell out exactly which action will constitute consent.

Finally, consent must be given by a statement or by an affirmative action. For example, when a customer ticks a box that says, “I agree to receive emails regarding special offers from third-party partners,” that is an affirmative action. A pre-checked box that says yes, which the individual must uncheck to say no, is not sufficient; neither is silence or inactivity.

Implied consent can satisfy the requirements for consent, as long as it is unambiguous. Implied consent occurs when an individual gives permission through actions instead of words. For instance, a website may include a notice on a sign-up form that says, “The information submitted on this form may be shared with our third-party partners to match you with offers that are right for you.” If a consumer proceeds and completes the sign-up form after seeing that notice, the consumer has given implied consent to have the submitted personal data shared with those third-party partners.

Another example is when an individual hands a card to a vendor at a trade show. The implication is that the individual consents to further communication.

Additional Characteristics

The GDPR specifically states that consent should be unambiguous. Here are some additional characteristics to keep in mind when it comes to consent and what counts as unambiguous under GDPR requirements:

  • Transparency Is Necessary To Prove Consent: For notices to meet transparency requirements, they must be written in a way that is clear and easy to understand. Additionally, all intended uses for the data must be outlined.

  • Consent Should Be As Easily Withdrawn as Given: Companies should ensure that opting out of particular data uses, or withdrawing consent altogether, is as easy as it was to opt in or give consent in the first place.

  • There Should Be No Unfair Terms Included in the Consent Document: Unfair terms refer to any inclusions that put the user at a disadvantage if they do not provide consent or abide by a company’s preferences.

  • Consent Must Be Freely Given: Consent is only considered “freely given” if the consumer is able to decline without detriment. There should not be a penalty for revoking consent. This is closely related to the requirement to ensure terms are fair.

  • Consent Must Be Informed: Consent is only considered “informed” if the consumer knew about data collection, how it will be used and who the collector is. This is closely related to the requirement to ensure transparency.

  • Consumer Must Meet Age of Consent Requirements: The default age at which a child can consent for data protection purposes is 16, but some EU member states have lowered it through national law (the GDPR allows it to go no lower than 13). Below that age, consent must be given or authorized by the holder of parental responsibility.

Keep in mind that where the personal data being collected fall within the special categories of sensitive personal data, consent must be explicit. In that case, the controller (the collecting party) must state clearly what personal data are being collected and how they will be used, and the individual must make a clear affirmative statement consenting to that collection and use. Implied consent is not enough.

Special Consent Considerations for US-Based Companies

Many tech companies in America may wonder about GDPR requirements for U.S. companies when it comes to consent. CNBC reminds American companies that U.S. companies covered by the GDPR are not exempt just because they are located in the U.S. American companies falling within the GDPR and relying on consent should at least have a basic form and record-keeping mechanism for capturing consent for each data-use purpose, so that they can demonstrate that consent was given, while following all the GDPR guidelines.

So far, one U.S.-based company has learned this the hard way. Forbes notes that earlier this year, France fined Google a whopping €50 million (US $56,632,500) for lack of valid consent, lack of transparency and inadequate information disclosure related to its personalized ad services.

How To Use Personal Data Collected Under GDPR Restrictions

So, how can U.S. companies collect and use data while remaining GDPR compliant and avoiding large fines? The first obvious step is identifying the circumstances in which they must rely on consent rather than another lawful basis. Second, where consent is necessary, they must legitimately obtain consumer consent in a way that is easy to understand and that makes every intended use crystal clear.

Thereafter, data should be processed, used and stored in direct accordance with what individuals were told; a new purpose that relies on consent needs a new consent. If the business is collecting personal data within the special categories defined by the GDPR, consent must be explicit, and companies should take correspondingly more care to secure it in the most explicit terms.
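The record-keeping mechanism mentioned above and the steps just described (obtain consent per purpose, process only as advised, require explicit consent for special categories, make withdrawal as easy as giving) can be enforced in code rather than left to policy. The following is an added example, not code from the original post: a small consent ledger in which consent is stored per subject and per purpose together with the notice version the subject saw, nothing is recorded without an affirmative action, special-category processing requires an explicit record, withdrawal is a single call, and the controller can list the evidence it holds. The subject identifiers, purposes, notice versions and the 16-year age threshold are constructed for the demonstration; parental authorization and the choice of lawful basis are outside its scope.

```python
"""Minimal consent ledger for demonstrating and enforcing GDPR-style consent.
Added example with constructed data; not the post's own code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GDPR_DEFAULT_CONSENT_AGE = 16   # GDPR default; member states may lower it, but not below 13


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str            # one specific purpose, never a catch-all
    notice_version: str     # which wording the subject saw (supports "informed" and "transparent")
    method: str             # how consent was signified, e.g. "checkbox_ticked"
    explicit: bool          # a clear affirmative statement, required for special categories
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    def __init__(self, min_age: int = GDPR_DEFAULT_CONSENT_AGE) -> None:
        self.min_age = min_age
        self._records: Dict[Tuple[str, str], List[ConsentRecord]] = {}

    def record(self, subject_id, purpose, notice_version, *, affirmative, method,
               explicit=False, age=None) -> ConsentRecord:
        """Store one consent for one purpose. Refuses anything that was not an affirmative action."""
        if not affirmative:
            raise ValueError("consent requires an affirmative action; a pre-ticked box is not consent")
        if age is not None and age < self.min_age:
            raise ValueError(f"subject under {self.min_age}: parental authorization needed (not modelled)")
        rec = ConsentRecord(subject_id, purpose, notice_version, method, explicit,
                            datetime.now(timezone.utc))
        self._records.setdefault((subject_id, purpose), []).append(rec)
        return rec

    def withdraw(self, subject_id, purpose) -> bool:
        """Withdrawal is one call, as easy as giving. Returns True if an active consent was withdrawn."""
        changed = False
        for rec in self._records.get((subject_id, purpose), []):
            if rec.active():
                rec.withdrawn_at = datetime.now(timezone.utc)
                changed = True
        return changed

    def may_process(self, subject_id, purpose, *, special_category=False) -> bool:
        """Purpose-bound check: consent for one purpose never covers another, and
        special-category data is only covered by an explicit consent."""
        for rec in self._records.get((subject_id, purpose), []):
            if rec.active() and (rec.explicit or not special_category):
                return True
        return False

    def evidence(self, subject_id) -> List[ConsentRecord]:
        """Everything the controller can produce to demonstrate consent, withdrawals included."""
        return [r for recs in self._records.values() for r in recs if r.subject_id == subject_id]


def demo() -> dict:
    """Constructed scenario walking through the checks above; returns the outcomes."""
    ledger = ConsentLedger()
    # An unticked box ticked by the subject: affirmative, non-explicit consent.
    ledger.record("user-1", "third_party_offer_email", "privacy-notice-v3",
                  affirmative=True, method="checkbox_ticked", age=34)
    # Implied consent: sign-up form completed after a notice about partner sharing.
    ledger.record("user-1", "share_with_partners", "signup-notice-v1",
                  affirmative=True, method="form_submitted_after_notice")
    out = {
        "email_ok": ledger.may_process("user-1", "third_party_offer_email"),
        # Consent is specific: a purpose never asked about is not covered.
        "profiling_ok": ledger.may_process("user-1", "ad_profiling"),
        # Special-category data: implied consent is not enough.
        "health_implied_ok": ledger.may_process("user-1", "share_with_partners", special_category=True),
    }
    ledger.record("user-1", "health_research", "health-consent-v2",
                  affirmative=True, method="typed_statement", explicit=True)
    out["health_explicit_ok"] = ledger.may_process("user-1", "health_research", special_category=True)
    out["withdrawn"] = ledger.withdraw("user-1", "third_party_offer_email")
    out["email_after_withdraw"] = ledger.may_process("user-1", "third_party_offer_email")
    try:  # A pre-ticked box left as it was is not an affirmative action.
        ledger.record("user-2", "third_party_offer_email", "privacy-notice-v3",
                      affirmative=False, method="prechecked_box_left_ticked")
        out["prechecked_rejected"] = False
    except ValueError:
        out["prechecked_rejected"] = True
    out["evidence_count"] = len(ledger.evidence("user-1"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The withdrawn record is deliberately kept rather than deleted: the history of when consent was given, under which notice wording, and when it was withdrawn is exactly what a controller needs to produce if challenged. In a real system the ledger would be persisted and the `notice_version` tied to an archived copy of the text the subject actually saw.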

Consent Issues Faced by AI and Robotics Companies

AI and robotics companies face particular consent issues. For instance, in the U.S., two companies have been accused of obtaining datasets of photos without user consent for the purpose of training facial-recognition algorithms. A class action complaint against Clarifai, Inc. claims that some of the company’s investors, founders of the OkCupid dating site, diverted a copy of that company’s database of face photographs to Clarifai to help train its algorithms.

Another class action complaint against IBM contends that IBM obtained Flickr photographs of faces in a deal with Yahoo. Both cases show the risks involved in obtaining datasets for training purposes. Companies looking to train their algorithms should consider whether to obtain consent themselves or to require the source of their datasets to obtain it. In the U.S., users would typically receive notice of the new use and an opportunity to opt out; under the GDPR, a new use that relies on consent requires a fresh opt-in from individuals in European Economic Area countries.

Likewise, robots collecting video and audio raise privacy and consent issues. For instance, a security robot roaming a shopping mall may be collecting video and audio, and the operator is not able to put an agreement in front of every shopper entering the mall to obtain consent. Consequently, the operator may want to post notice signs near building entrances, similar to the warning signs used for stationary video cameras, to set up the argument that shoppers who proceed into the mall after seeing such notice are impliedly consenting to the recording.
