New guidance on obtaining data protection consent through web pages

17 July 2008

Rocío Serrano Conde

The Spanish Data Protection Authority has issued guidance as to how consent to process personal data can be obtained through web pages. In the past, companies have interpreted the requirement to get “unambiguous consent” strictly. In practice, many companies contacted individuals offline to establish their consent. However, the Spanish Data Protection Authority has now clarified that this is not required, and that companies can rely on implied consent. This article sets out some of the information that must be included on a website for implied consent to be valid.

The concept of consent could be considered to be the cornerstone of Spanish Data Protection regulations, and therefore affects all spheres of life, including e-commerce. The Spanish Data Protection Act is based on the concept that individuals should be able to control how their data is processed. One way of doing this is for individuals to clearly consent to any processing of their personal data.

This focus on consent has proved to be difficult for e-commerce and online service providers in particular. Under Spanish law, consent has to be unambiguous. Spanish commentators interpret this as meaning there should be no ambiguity regarding the intention of the individual when they give their consent. Due to this, companies have traditionally sought a very formal form of consent. This is because formal consent allows the controller to prove that it has obtained a valid consent. However, despite this practice, the Spanish Data Protection Act does not specify how consent should be obtained (except for a special category of “sensitive data”, i.e. data relating to race, sexual orientation etc., where express consent is required). In light of this, the Spanish Data Protection Agency has issued guidance stating that unambiguous consent can either be express or implied. In the field of websites, it accepts that implied consent could amount to unambiguous consent.

The guidance accepts that individuals do not have to be contacted offline. However, the guidance sets out certain criteria that have to be satisfied in order for implied consent to be considered valid. The web page must:

  • comply with the duty to provide information about the processing in the Spanish Data Protection Act;

  • give individuals 30 days to object to their data being processed, by providing them with a simple method of objecting (for instance, a free telephone number or helpline, or a box to tick, which cannot be pre-ticked); and

  • inform the data subject that if the company operating the web page does not receive an objection to the processing, they will assume that the individual has consented to their personal data being processed.

The report also states that web pages must only allow individuals to enter their details into an online form if they have accepted the warnings set out above. It will be for the data controller (the person responsible for processing the data on the website) to prove that personal data cannot be submitted before the legal warning has been accepted. If all these conditions have been complied with, the controller will be able to prove that it has obtained unambiguous consent.

This change is likely to be beneficial to companies. It will help companies to be clear as to whether they have complied with the law, and will give companies trading online in the Spanish market the means of complying easily with Spanish law.