End User Consents Under the GDPR – Part 1: Issues Relating to Consent

Mar 2, 2017

Consents can be collected from end users for various purposes, for example when a company wants to send a weekly online newsletter to its customers, or when a mobile app needs to process its users' location data to give directions to a nearby restaurant. However, while consent is a mechanism that lets users control the use of their personal data, using consent as a basis for processing raises many data protection issues.

From the end user's perspective, collecting consents can be exhausting and frustrating. Commonly, a person trying to register for an online service just wants to get the registration done quickly by clicking through the pages without reading the privacy policy or terms of use. By doing so, the end user may not actually realise that he or she is giving consent. This is not helped by the fact that consents are often buried in lengthy privacy policies, which may not give a clear picture of what the person is actually consenting to. This may lead to unpleasant surprises when the user later understands the effects of his or her consent. A good example is the way social network services target advertising at their end users based on their consents. Harmless, many would say, but in some cases it may have unwanted consequences. For example, ads for maternity clothes which a mother-to-be has liked might end up in the Facebook newsfeed of her Facebook friends if she forgets to adjust the setting "pair my social actions with ads".

Legal counsel and privacy specialists often advise controllers not to rely on consent as the primary basis for processing personal data where this can be avoided. The main reason is that users can withdraw their consent at any time and exercise their right to be forgotten, requiring the collected information to be erased. In addition, the requirements for a valid consent have been unclear. Despite this, consent has traditionally been widely used as a basis for processing personal data, as it has been relatively easy to use and applies to many situations. This has led to a "privacy by consent" way of thinking, meaning that processing personal data is considered fine as long as the user has given his or her consent. This is dangerous, as it may lead to reliance on invalid consents and to neglecting other data protection rules and principles.

One of the goals of the data protection reform has been to clarify and strengthen the rules on consent. Accordingly, the General Data Protection Regulation (GDPR) has made the rules on consent considerably stricter. Combined with the strengthened accountability and transparency principles under the GDPR, consent is no longer an easy way to justify any processing, if it ever was. It should be noted, however, that, for example, the processing of sensitive data and automated decision making that produces legal effects concerning the data subject can be based on the explicit consent of the user under the GDPR. It is therefore vital that the requirements for valid consent are clearly defined.

The second part of this blog series includes a checklist of golden rules for data controllers that want to use end user consent as a basis for processing under the GDPR.



Sini Mickelsson, Privacy Specialist