Consent and Consent Fatigue under GDPR
Under GDPR every new purpose requires new consent and consent cannot be assumed by default. This could lead to consent fatigue where a data subject blindly refuses or mindlessly accepts to consent. Perhaps there is a lawful way to balance this.
Sharda Balaji & Manas Ingle
Data is the new oil and the European Union with the new General Data Protection Regulations (GDPR) wants to regulate it, come May 2018.
Given the wide territorial scope of GDPR the Regulation applies to the processing of personal data of a person (data subject) who are in the EU, regardless of where the data is processed, ie. in EU or outside of EU. Hence, if a company has data of any person based in EU, then GDPR compliance become applicable and important.
Conditions for Consent
The conditions for consent are detailed in Article 7.
There should a genuine choice on the part of the data subject when providing their data and that they should not have been misled, intimidated or negatively impacted by withholding consent. Further, it is clarified that consent is not freely given if the data subject has no genuine and free choice or is unable to refuse or withdraw consent without detriment (Recital 42); and/or there is a clear imbalance between the data subject and the controller (Recital 43).
Consent must relate to specific processing operations. Consequently, a general broad consent to unspecified processing operations as they might arise will be invalid. To the extent data processing has multiple purposes; consent to those processing activities should cover all those purposes (Recital 32). Consents should also cover all processing activities carried out for the same purpose or purposes (Recital 32). It would be quite a challenge to identify all the purposes at the time of collecting data. If in the continuum of providing various services, then obtaining consent for all of those services would be required along with an option to opt-in to those services.
The data subject should be aware at least of the identity of the controller and the intended purposes of the processing, (Recital 42); a right must be provided to withdraw consent, which would be a massive task to work through back-end technology to make this possible. GDPR tries to provide a right to the data subject that withdrawing consent, at any time, should be as easy as giving consent. However, this poses considerable challenge in practice, which means relying on consent is somewhat unreliable. Further information must be given to the data subject to ensure fair and transparent processing.
Unambiguous or Clear Affirmative Action
A statement or clear affirmative action means that the individual data controller or processor has to make sure that the data subject is given the chance and opportunity to give his consent for the purpose and manner in which his information or the data provided by him will be used. A data controller can only use the data or information collected from the data subject when there is an affirmative action associated with part of the data subject.
Every new purpose requires new consent. Multiple purpose requires multiple consent. Every action must have affirmative consent. Consent cannot be considered as default option prior to processing. Think of an IOT scenario, where the data subject could be bombarded with consent requests. Faced with such a situation, the data subject could mindlessly accept any consent request that might come, which makes “consent” a meaningless exercise.
The other situation might be that the Business upfront collects exhaustive consent on all the activities, but the data subject may get tired of ticking those boxes. It is scary for business, because of the friction it causes at the time of gaining new customers and if the data subject does not take the time to tick those boxes.
If the consent statement is broad trying to cover all aspects, then there might be a fear of not being ‘specific’ or ‘ambiguous’.
In response to the click fatigue issue, the Article 29 Working Party (WP29) has provided guidance on 28 November 2017 and says “An often-mentioned example to do this in the online context is to obtain consent of Internet users via their browser settings. Such settings should be developed in line with the conditions for valid consent in the GDPR, as for instance that the consent shall be granular for each of the envisaged purposes and that the information to be provided, should name the controllers.”
For businesses having customers in EU, it is a challenge to be met.