The European Union’s General Data Protection Regulation (GDPR) sets a high standard for consent. Consent means offering people genuine choice and control over how their data is used.
The GDPR definition of consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
It must be freely given, specific, informed, and there must be an indication signifying agreement. It must be unambiguous and involve a clear affirmative action. Various conditions for consent include keeping of records, clarity and prominence of consent requests, the right to withdraw consent and avoiding making consent a condition of a contract. There must exist clear granular choices for people upfront and ongoing control over consent.
Consent is one lawful basis for processing, but there are alternatives. Marketers should always select the lawful basis that most closely reflects the true nature of their relationship with individuals and the purpose of the processing. If consent is difficult to obtain, it may be because another lawful basis is more appropriate.
So, what are the alternatives to consent for processing personal data?
- A contract with the individual. For example, to supply goods or services they have requested, or to fulfill obligations under an employment contract. This also includes steps taken at a person’s request before entering into a contract.
- Compliance with a legal obligation. If required by UK or EU law to process the data for a particular purpose.
- Vital interests. If necessary to protect someone’s life.
- A public task. To carry out your official functions or a task in the public interest – and a legal basis for processing under UK law exists.
- Legitimate interests. Private-sector organizations can process personal data without consent if there exists a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests.
Private-sector organizations will often be able to consider the “legitimate interests” basis if they find it hard to meet the standard for consent and no other specific basis applies. This recognizes that there may be a good reason to process someone’s personal data without their consent – but marketers must ensure there is no unwarranted impact on the data subjects and that the processing is fair, transparent and accountable.
Public bodies cannot generally rely on legitimate interests under the GDPR, but may be able to consider the “public task” basis instead.
Relevant guidance sets forth when to rely upon consent for processing and when to look at alternatives. In a recent blog post entitled “GDPR Consent and the Legitimate Interest Alternative,” FTC defense lawyer Richard Newman examines opt-in consent requirements, recordkeeping obligations and additional bases for processing information of EU residents, including the legitimate interest justification.
Consult the author to discuss updating privacy policies and related disclosures in light of emerging regulatory requirements.
Richard B. Newman is an advertising compliance and regulatory defense attorney at Hinch Newman LLP.
ADVERTISING MATERIAL. Informational purposes only. Not legal advice. Always seek the advice of an attorney. Previous case results do not guarantee similar future results. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.