Under the GDPR there are six defined lawful bases that a business can rely upon for the processing of personal data:
- Consent
- Performance of a Contract
- Legitimate Interest
- Vital Interest
- Legal Obligation
- Public Task
For consent to be valid, it must be:
- Freely given, not incentivised in any way
- The individual must not feel compelled to consent, whether that be by function, or some "imbalance of power" such as a service or employment
- Informed. You must have given the individual, at the point of collection, all the information they need to make an informed choice, and be able to demonstrate they read and understood it.
- Gathered by way of an explicit action, such as clicking a button, ticking a box or taking some positive action to grant consent.
- Must be unbundled from any other processing activity.
- It must be as easy to "withdraw" consent as it is to grant consent.
For a person to be legally able to grant consent, here in the UK, they must be 13 years of age or older. They must be capable of giving informed consent, so if there is any doubt as to whether a person understands what they are consenting to, it could be deemed invalid.
Here are a few examples of where consent may be invalid:
1. Cookies (websites, mobile apps or online applications)
If you have a "Cookie Banner" on your website which says anything like "By continuing to browse this website, we assume you have agreed to our cookies", this is invalid consent.
Firstly, you have "assumed" consent; it has not been given. Secondly, the act of continuing to do something is not an explicit action taken to grant consent.
2. Asking for consent where it is not required
It's surprising how many times we see this, but asking for consent where you do not need to (where it is not the appropriate basis) may render that consent, and any further processing based upon it, invalid.
Suppose you have an online checkout and on that page you say something like "by clicking submit, you consent to us processing your personal data in order to process your order".
The issue is, you have asked for consent, so you have explicitly stated that this is the lawful basis you rely upon to perform that action. The person cannot reasonably refuse consent without a clear detriment to them (not receiving the order they are placing), so they are unable to grant consent freely.
3. Asking for consent to Marketing
Another common misconception is that you can say something like "tick here if you would like to receive marketing from us by post, telephone or email".
This is a "bundled" consent. Postal Marketing is not the same "purpose" as Email Marketing. There are most definitely different business processes that occur for marketing activities conducted by post, email or telephone, which all involve different levels of data sharing and data disclosure.
A person may wish to receive marketing by email, but does not want their personal data passed to a telemarketing agency or a mailing house, so not only is it unfair to ask for a bundled consent, they cannot give a free choice.
4. Preventing access to something because consent is not granted
If you're asking for consent, it has to be a genuine choice with no clear detrimental effect to not granting consent. If there could be such an effect, consent is probably not the right lawful basis.
They don't. Yahoo.com is a search engine, an email provider and more. TechCrunch is a magazine. Other sites all have other reasons for existence. The only reason Verizon asks for "consent" is to place advertising cookies, and if you do not consent, you cannot view the site.
This has already been ruled unlawful by a number of EU regulators because it does not offer a genuine choice without detriment. They could provide the same website content without "targeted" adverts, but instead choose to prevent anyone who doesn't allow them to place cookies for this purpose from using their entire network of sites.
Consent does not always have to be given
Just to confuse matters, contrary to what some may say, and contrary to the GDPR, consent does not always have to be given.
Let me clarify, because this is not strictly "consent":
The Privacy and Electronic Communications Regulations (which govern digital marketing activity) do allow for something called "Soft Opt-In". This is the assumption of consent, based on explicit action by a person who has shown interest in your products or services, or has previously purchased from you.
Providing you tell the person, at the time you capture the data, that you will use the information for a particular purpose unless they take an action (like unticking a box) to revoke consent (opt out), then you can, where there is a clear interest, assume a soft opt-in consent.
This is not really "consent" as it uses the Legitimate Interest lawful basis; however, this does explain why it is still lawful on many web forms to say something like "we would like to periodically send you offers and information we think may be of interest to you, but if you do not wish to receive this, please tick this box".
Shockingly, there are a significant number of systems on the market which, although they claim to be fully GDPR compliant for gathering consent, do not gather it in sufficient detail. It is not sufficient to simply record in your database that Mr X consented to Email Marketing on the 25th June 2018 at 4:15pm.
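To show what "sufficient detail" looks like in practice, and to tie it back to the earlier requirements that consent is unbundled, gathered by an explicit action and as easy to withdraw as to grant, here is an added example of a consent ledger in Python. It is not code from the original article or from any real product; the purpose keys, mechanism names and the `/signup` style source paths are constructed for illustration. Each record captures one purpose only, the positive action taken, and the exact wording the person was shown at the point of collection, so the choice can be evidenced later; withdrawal is a single call of the same shape as granting.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Granular purposes (constructed names): one decision per channel, never
# "post, telephone or email" behind a single tick box.
PURPOSES = {"marketing_email", "marketing_post", "marketing_telephone"}

# Only explicit, affirmative actions count. "Continued browsing" or a
# pre-ticked box are deliberately absent from this set.
EXPLICIT_MECHANISMS = {"checkbox_ticked", "button_clicked",
                       "unsubscribe_link", "preferences_page"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    granted: bool           # True = consent given, False = consent withdrawn
    timestamp: datetime
    mechanism: str          # the positive action the person took
    notice_version: str     # identifies the wording shown at the point of collection
    notice_text: str        # the exact wording, kept so the choice can be evidenced
    source: str             # form URL or app screen where it was captured (constructed)


class ConsentLedger:
    """Append-only record of consent decisions (constructed example)."""

    def __init__(self) -> None:
        self._events: list = []

    def _append(self, subject_id, purpose, granted, mechanism,
                notice_version, notice_text, source, when):
        # Reject anything that is not a single known purpose or an explicit action.
        if purpose not in PURPOSES:
            raise ValueError(f"unknown or bundled purpose: {purpose!r}")
        if mechanism not in EXPLICIT_MECHANISMS:
            raise ValueError(f"not an explicit action: {mechanism!r}")
        event = ConsentEvent(subject_id, purpose, granted,
                             when or datetime.now(timezone.utc),
                             mechanism, notice_version, notice_text, source)
        self._events.append(event)   # never overwrite: history is the evidence
        return event

    def grant(self, subject_id, purpose, *, mechanism, notice_version,
              notice_text, source, when=None):
        return self._append(subject_id, purpose, True, mechanism,
                            notice_version, notice_text, source, when)

    def withdraw(self, subject_id, purpose, *, mechanism, source, when=None):
        # Same shape as grant(): withdrawing must not need extra hoops.
        return self._append(subject_id, purpose, False, mechanism,
                            "n/a", "withdrawal", source, when)

    def has_consent(self, subject_id, purpose) -> bool:
        latest = self._latest(subject_id, purpose)
        return latest is not None and latest.granted

    def evidence(self, subject_id, purpose) -> Optional[ConsentEvent]:
        # The full record behind the current state, for answering "show me".
        return self._latest(subject_id, purpose)

    def _latest(self, subject_id, purpose):
        matches = [e for e in self._events
                   if e.subject_id == subject_id and e.purpose == purpose]
        return matches[-1] if matches else None


def is_acceptable_request(purpose: str, mechanism: str) -> bool:
    """Pre-check a consent capture design before it ever reaches the ledger."""
    return purpose in PURPOSES and mechanism in EXPLICIT_MECHANISMS


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("subject-1", "marketing_email", mechanism="checkbox_ticked",
                 notice_version="v3",
                 notice_text="Tick here to receive offers from us by email.",
                 source="/signup")
    print(ledger.has_consent("subject-1", "marketing_email"))   # True
    print(ledger.has_consent("subject-1", "marketing_post"))    # False: not asked
    ledger.withdraw("subject-1", "marketing_email",
                    mechanism="unsubscribe_link", source="/email-footer")
    print(ledger.has_consent("subject-1", "marketing_email"))   # False
    print(is_acceptable_request("marketing_post_email_phone", "checkbox_ticked"))  # False
```

The design choice worth noting is that the ledger refuses a bundled purpose key and refuses any mechanism that is not an explicit action at the point of capture, rather than trying to untangle such records afterwards; a "consented to marketing" flag with a timestamp cannot answer which channel, which wording, or what the person actually did.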
What is an "Imbalance of Power"?
An imbalance of power exists where any individual asked for consent can reasonably feel that by not granting consent there will be some detriment to them.
For example, if you ask employees to consent to having their telephone calls made and received at work recorded, or for sales agents on the road to be tracked by GPS, an employee may feel that they have no choice but to consent, or fear their job will be at risk. In that kind of scenario, consent is not appropriate and another lawful basis for that activity should be used.
It is for this reason that consent is rarely used in an employment context.