Consent means offering data subjects real choice and control over the collection and processing of their data.
- Make sure that your users have a clear understanding of the ways their data are being collected, processed and stored, and real choice and control over the ways they can offer and withdraw consent.
- Be aware that consent does not absolve data controllers of accountability for what they do with data.
Under data protection laws, consent – in the form of a clear and affirmative action – is necessary. However, concerns have been raised about the ways it is usually obtained online, with some critics calling it “meaningless” or “illusory” (see Rikke 2014).
The GDPR is set to raise the bar to a higher standard for consent with clarifications of what can and cannot count as consent, requirements for clear and plain language when seeking consent, and demands to make it easy for people to exercise their right to withdraw consent.
Under EU law, consent is not the only legitimate basis for data processing (there are five more: contract, legal obligation, vital interests, public task, legitimate interests). However, it is important to note that even where consent plays an important role, it does not absolve data controllers from their accountability for what they do with the data.
Information Commissioner’s Office (ICO) Guide to the General Data Protection Regulation (GDPR) [Link]
Denham, E., “Consent is not the ‘silver bullet’ for GDPR compliance”, Information Commissioner’s Office blog, 16 Aug. 2017 [Link]
European Data Protection Supervisor (2015) Towards a new digital ethics: Data, Dignity and Technology, EDPS [Link]
Joergensen, R.F., 2014. The unbearable lightness of user consent. Internet Policy Review.
Edwards, L. and Veale, M., 2017. Slave to the Algorithm? Why a ‘Right to Explanation’ is Probably Not the Remedy You are Looking for. Duke Law and Technology Review, 16 (1). pp. 1-65. [Link]