The Article 29 Working Party (WP29) has recently published its final guidance on Consent under the General Data Protection Regulation (“GDPR”). The final guidance can be found here. Consent is one of the six lawful bases on which personal data may be processed (Article 6 of the GDPR).
This guidance was initially published in draft form for consultation on 29 November 2017 and the consultation period ended on 23 January 2018. The main changes from the draft guidance include:
- There is a new section in the guidance addressing requests for consent online. The guidance states that continued use of a site is not sufficient to amount to consent. It states that “Therefore, merely continuing the ordinary use of a website is not conduct from which one can infer an indication of wishes by the data subject to signify his or her agreement to a proposed processing operation.”
- The guidelines provide more detail as to the circumstances in which consent will have been ‘freely given.’ For example, in the guidance, WP29 notes that a controller may be able to show that consent is freely given if it offers a genuinely equivalent service where provision of personal data is not required. In the draft guidance, WP29 noted that this must include providing an equivalent service at no extra cost but this last statement has been deleted in the final guidance.
The Consent requirements under the GDPR are that consent must be:
- Freely given
- Informed; and
The guidance goes into greater detail as to how to ensure such requirements are met, as well as containing information relating to whether consent needs to be ‘explicit,’ how consent can be demonstrated and withdrawn, and consent when the data subjects are children.
Prior to 25 May 2018, organisations should in particular review their processes of data collection to ensure that all existing consent meets the GDPR standard and develop mechanisms for gaining, recording and managing the withdrawal of consent.