What is “Informed Consent”? [the GDPR Series (4)]

Summary: Data processing activity will require “informed consent” from data subjects which will require organizations to rethink their business models and user experience options.

• “Informed consent” is one of the prerequisite for data collection by organisations.
• GDPR stresses that data collected should be “freely given” and specific.
• Departure from conventional sign-up processes.

Article excerpts from my forthcoming book – 99 Articles on the GDPR

With regards to the GDPR, when speaking of data protection, the underlying theme is that the data subject aka an EU citizen aka the customer is in control of their personal data and have given 100% informed consent on whether and how this data is being used by an organization. For data to be utilized by an organization, the customer must give “informed consent” to process personal data so this post will explore how this term is definied within the context of the GDPR?

To give guidance on what “informed consent” means, the Article 29 Working Party (WP29) was formed. The WP29 is an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. In December, 2017, the WP29 clarified the definition of consent (below).

The definition of consent at Article 4 (11) of the GDPR for the data subject means:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

To understand the definition, it would be best to break it down into its relevant parts (bold) and explain further.

Freely Given

The GDPR is meant to give customers broad control of their personal data without having undue pressure placed on them to obtain consent. The term “freely given” is as much about empowering consumers as it as incorporating design thinking into any consent form. Consent has to be free of preconditions.

Specific

The customer must understand the specific purpose to which their data is being used. If an organization processes data for a specific activity, consent must be given for that specific purpose. It’s not enough to say that company A will use data for direct marketing but they must also receive consent for companies that may use data for indirect marketing. The WP29 states that such specificity is in place to avoid “function creep” – the use of data for other purposes after the consumer gave prior consent for a different specific purpose.

Informed

The WP29 has indicated that, at least, the necessary details required for consent to be “informed” are: (1) controller’s identity (who is using the data); (2) the purpose of each of the processing operations for which consent is sought (why are they using the data); (3) the type of data collected and used, the existence of a right to withdraw consent (what data is being used and how to take back consent); (4) information relating to the automated processing of data and; (5) where necessary, any international transfers of personal data. Also, to be “informed” means that the customer must un

Unambiguous Indication of the Data Subject’s Wishes

To adhere to these words, organizations will have to design privacy into their user experience. The competing forces at work here is allowing a data subject to give, i.e., “opt-in”, and withdraw, i.e., “opt-out”, consent against creating an unobtrusive experience that does not cause, as the WP29 calls it, “click fatigue”. For example, data subjects will have click on unchecked boxes to allow for informed consent but, too many of these boxes may cause the data subject to abandon usage of the product altogether.

By a Statement or By a Clear Affirmative Action

Clear affirmative actions are actions by the customer that they know signify agreement. In the example above, if someone says “Yes, I agree” or ticks an unchecked box to say “I consent”, they have indicated their consent through an affirmative action. As we move into the IoT realm, the WP29 has said that motions could also be considered to satisfy this requirement so there is leeway to develop affirmative acts within the context of the GDPR.

The broad use of personal data is dead. Organizations will have create new user experiences which move away from the typical signup process. Customers will no longer blindly hand over their rights to personal data without knowing the purpose. Informed consent will require organizations to clearly state their intention and use of your personal data while also creating an audit trail of consent. It’s a dynamic environment that companies are scrambling to adopt to but one in which business models will have to adapt to so that new options are created to attract and retain customers.