The EU’s Article 29 Working Party (Working Party) adopted guidelines (Guidelines) on the meaning of consent under the EU General Data Protection Regulation (GDPR). Under the GDPR, consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Further, consent must be a reversible decision where a degree of control remains on the side of the data subject after consent has been obtained. The Guidelines provide further detail on what is necessary to ensure that consent satisfies the requirements of the GDPR:
Freely given. Consent is not valid where there is an imbalance of power or where it is conditioned on the performance of a contract. In addition, consent must be granular and given separately for each data processing operation, and there should be no detriment to the data subject if the data subject elects to withdraw her consent.
Specific. Consent must be given for the processing of personal data for a specific purpose. Each consent must be accompanied by information specific to that request in order to make data subjects aware of the impact of the different choices they have.
Informed. To be fully informed, the following information must be provided to the data subject before consent is given: (1) the controller’s identity; (2) the purpose of each of the processing operations for which consent is sought; (3) the data that will be collected based on consent; (4) the existence of the right to withdraw consent; (5) information about the use of the personal data for decisions based solely on automated processing, including profiling; and (6) if the consent relates to transfers of personal data outside the EEA, information about the possible risks of personal data transfers to third-party countries in the absence of an adequacy decision and appropriate safeguards.
Clear affirmative action. Consent must be an unambiguous indication of the data subject’s wishes and must be given by a statement or by a clear affirmative action which signifies agreement to the processing of personal data relating to the data subject.
The Guidelines also provide information on the meaning of “explicit” consent, which must be obtained for processing of special categories of data, transfer of personal data outside the EEA, or for automated individual decision-making. Explicit consent requires an express statement. In an online context, an express statement of consent could be given by the data subject by filling in an electronic form, sending an email, uploading a scanned document or using an electronic signature.