Financier Worldwide Magazine

Consent in daily life appears to be simple: it is a yes or no question. Consent in legal terms, and in particular the consent introduced by the General Data Protection Regulation (GDPR), is rather complex. Strict requirements are tied to a valid consent imposing practical challenges on what appear to be simple daily life situations.

Authors: Andreas Splittgerber

Under the GDPR, consent has to be informed and given freely. That means that a data subject must have an informed choice as to whether data processing will take place or not. Furthermore, consent has to be concrete. General or broad consents do not constitute effective consent. Additionally, the GDPR requires consent to be explicit. A data subject has to consent actively – pre-ticked boxes and similar circumstances would make a given consent non-binding under the GDPR.

The GDPR also manifests the obligation to offer the possibility to withdraw consent at any time. Taking it even further, withdrawing has to be as easy as it was to give consent. Prior to giving consent, a data subject has to be informed thereof. The toughest requirement comes with Article 7 (1) of the GDPR, which places a controller under an obligation to prove that consent was given. This entails proving that it was given in an informed, free, concrete and explicit way, as well as being obtained prior to data processing (if the legal basis for processing is consent). This obligation inevitably leads to consent management in some form.

Consent management for websites

A simple situation that becomes complex under the GDPR is visiting a website. If a website has integrated tags, it needs the consent of the website visitor if its purpose is tracking, retargeting and profiling, as the data collected by tags is considered personal data under the GDPR. Obtaining and documenting the informed, free, concrete, explicit, prior and easy-to-opt-out consent of website visitors requires a technical solution. This can be done in-house, but as it is a whole product of its own requiring a lot of maintenance, monitoring of jurisdictions and entails high liability risks, it does make sense to outsource consent management to a specialised provider.