On 9th May, the Information Commissioner's Office (ICO) published its Consent Guidance.
The guidance has developed significantly since the initial draft, on which ICO consulted in 2017, and it provides useful commentary on some tricky issues. ICO has also managed to practise what GDPR preaches: the guide is written in clear, accessible language and is well laid out. It also contains useful checklists; in particular, there are helpful lists of "dos and don'ts" for recording consent which all practitioners should read. The guidance is available here.
The guide emphasises that consent must:
- be clear; and
- offer real control to individuals.
It also sets out guidance on record keeping.
As would be expected, the Consent Guidance is consistent with the Opinion on Consent issued by the Article 29 Working Party. It also tackles some tricky issues not addressed by WP29. Particularly useful statements are set out below.
Don’t ask for consent ‘just in case’:
ICO is very clear this is a bad idea: ‘If you would still process the personal data without asking for consent, asking for consent is misleading and inherently unfair’.
Many organisations used to rely on consent (on precisely this ‘just in case’ logic) under the Data Protection Act 1998. If organisations are in this position and have now decided to rely on a different, more appropriate, lawful basis under GDPR, ICO advises that they should ‘take all reasonable steps’ to tell individuals what the new lawful basis is and ‘minimise their loss of control over the data by giving them the chance to opt-out if possible’.
‘Special category’ data and consent:
There is useful guidance on consent which is obtained to process ‘special category’ data and criminal offence data.
Here, GDPR (and, for criminal offence data, the draft UK Bill) require ‘explicit consent’. ICO explains the difference between the normal standard of consent and explicit consent:
‘Explicit consent must be expressly confirmed in words, rather than by any other positive action’.
Organisations providing services to individuals with medical conditions, or who require mobility or other assistance, will need to process special category data. These organisations are likely to need explicit consent to process this data. ICO follows WP29 in noting that such organisations can make clear that access to their services is dependent on the individual giving consent. ICO includes an example of a pregnancy yoga class:
‘... although the individual cannot sign up to the class without revealing information about their pregnancy, explicit consent is still likely to be the appropriate condition for processing health data. The processing is objectively necessary to provide the requested class, and the individual has a free choice whether or not to sign up to that class’.
However, if the processing is not actually necessary for the service, then consent made a condition of that service will not be freely given and so will not be valid. Requiring someone to consent to processing of their personal data for marketing purposes as a condition of receiving a service falls into this category, and ICO includes an example on point.
Incentives, detriment and consent:
The recitals to GDPR state that consent is not freely given, and so not valid, if it cannot be refused or withdrawn without detriment. This creates a problem for organisations offering services such as loyalty cards or ad-supported services, where the service itself, or the special offers that come with it, is the incentive to agree to the processing: does the organisation have to offer a ‘free version’ and allow consumers to get the service even without personalised ads or the associated processing? ICO’s view is that ‘it may still be possible to incentivise consent to some extent. ... For example, if joining the retailer’s loyalty scheme comes with access to money-off vouchers, there is clearly some incentive to consent to marketing. The fact that this benefit is unavailable to those who don't sign up does not amount to a detriment for refusal. However, you must be careful not to cross the line and unfairly penalise those who refuse consent’.
Multiple purposes may mean multiple lawful bases of processing:
If this is the case, an organisation may rely on consent for one purpose but on a different lawful basis for another. This has the potential to mislead individuals, as they may think they have more control over the processing of their personal data than is in fact the case: withdrawing consent will stop the processing for one purpose but not the other. Here, ICO notes that:
‘If you know you will need to retain the data after consent is withdrawn for a particular purpose under another lawful basis, you need to tell them this from the start’.
GDPR consent is special: it's not the same as other types of consent:
Organisations providing medical care, or engaging in medical research, will ordinarily require patient consent - for ethical reasons, or to meet requirements in other areas of law (such as regulation of clinical trials or patient confidentiality). The new requirements for consent under GDPR - in particular the requirement that consent can be withdrawn without detriment - make consent a tricky lawful basis to rely on when processing such data.
Anyone who has tried to explain to healthcare professionals, or other professionals involved in medical research, that they do not need (and should not ask for) consent for data protection purposes will probably have experienced reactions of disbelief and incredulity. There are helpful quotes in the guidance for you; include them in any training materials you use!
‘...if you are under a separate legal or ethical requirement to get ‘consent’ to do something, this does not mean that you automatically have or need to have valid GDPR consent.... in some cases, the standard of consent can be very different...’. Implied consent to share confidential patient data is not the same as consent to process data for GDPR purposes ‘and in the healthcare context, consent is often not the appropriate lawful basis under the GDPR. ... even if you are required to get a patient’s consent to the medical treatment itself, this is entirely separate from your data protection obligations. It does not mean that you have to rely on consent for your processing of the patient’s personal data.’
This comment is repeated in the context of scientific research and clinical trials, where ICO notes that the conditions for processing for scientific research purposes are likely to be more appropriate than consent, since the erasure of data following any withdrawal of consent would undermine the research.
The principle that obtaining consent to meet other legal or ethical requirements does not ‘pre-select’ consent as the lawful basis for processing personal data under GDPR is also useful to organisations offering online ad services. There is a tantalisingly brief quote from ICO on point here:
‘If you need consent to place cookies, this needs to meet the GDPR standard. However, you may still be able to consider an alternative lawful basis such as legitimate interests for any associated processing of personal data.’
It is not clear whether ICO simply means that a publisher can rely on consent to place cookies but on legitimate interests for its own processing of the associated segment data, or whether the comment can also be applied to organisations who share data online. This is an important point. For consent to be valid, all controllers relying on the consent must be named. In the online ‘ecosystem’, data obtained from one publisher can be shared with many organisations, particularly where programmatic advertising is used. If the statement can be applied to the sharing of clickstream data, then it keeps open the possibility that the lawful basis for subsequent sharing can be legitimate interests, avoiding the need to spell out the names of all recipient organisations in the cookie overlay or in the user interface for consent to in-app tracking.
Organisations who have websites, or apps, which may be used by children and who allow ads on their sites should also take note of this comment.
Even non-targeted ads rely on tracking technology for frequency capping and to facilitate payment for correct display of the ad. If consent to place a cookie automatically meant that all subsequent processing of the personal data had to be based on consent, this would seem to trigger the GDPR requirement for verifiable parental consent where consent is the lawful basis for processing a child's personal data in connection with online services offered to children. However, there is currently no realistic way to obtain parental consent for placing cookies. The ICO comment may offer a way out of this, by recognising that seeking consent to place a cookie does not mean that you are necessarily also seeking consent to process the associated personal data.