“We’re Updating Our Privacy Policies”—Consent Under the GDPR
With the General Data Protection Regulation (GDPR), the European Union’s new privacy law, having come into effect on 25 May 2018, thousands of companies have been flooding inboxes in recent weeks with emails asking for consent from recipients, seemingly to comply with the GDPR.
The sudden increase in such emails appears to be the result of a misunderstanding of the GDPR’s effect and, perhaps, a perception that emails seeking to obtain or refresh consent are the safest option for compliance. However, many of these re-consent emails may be unnecessary, as they are being sent to individuals who already have a commercial relationship with the companies.
In the United Kingdom, the data privacy regulator, the Information Commissioner’s Office (ICO), recently highlighted this point in its 9 May 2018 blog post on re-consenting, commenting that companies “do not need to automatically refresh all existing consents in preparation for the new law” and emphasising the high bar for valid consent set by the GDPR. The ICO also importantly pointed out that “it may not be appropriate to seek fresh consent” if companies are unsure of how they obtained the data in the first place, as they may not have the grounds to contact the user at all.
While some companies are acting as if the GDPR is the first data protection law, consent for email marketing is already a requirement under the European Union’s ePrivacy Directive (Directive 2002/58/EC) (soon to be replaced by an ePrivacy Regulation), which allows this type of marketing on an opt-out basis for existing customers.
What Counts as Valid Consent Under the GDPR?
The GDPR requires that companies collect affirmative consent that needs to be “freely given, specific, informed and unambiguous” to be compliant. If, for example, you are asked to subscribe to a newsletter in order to download relevant information, then consent is not freely given.
Silence in the form of not responding to an email will not count as valid consent, either, meaning that many companies currently sending waves of re-consent emails will now likely see rapidly reduced contact lists as individuals have to do nothing to withdraw consent.
Finally, the GDPR not only sets out the rules for how to collect consent, but it also requires companies to keep records of the consent provided. Therefore, it is important to have evidence of who consented, when they consented, what they were told at the time of consenting, how they consented, and whether they have withdrawn consent.
Consent in the Employment Context
It is widely accepted that in the context of an employer-employee relationship, employees cannot validly give consent for the majority of processing as the unequal relationship casts doubt on the voluntariness of the employee’s consent. In any event, given the requirements for valid consent, reliance on consent as the only lawful basis for processing personal data will be impractical in many cases.
In light of that, the legal grounds upon which an employer can rely to process human resources data typically include performance of the employment contract (e.g., for pay purposes, compliance with legal obligations such as the need to make income tax deductions) or the legitimate interests of the employer (e.g., processing data in order to effectively manage the employment relationship). The latter must be balanced against the privacy rights of the employee.
On the point regarding legitimate interests, particularly in the context of marketing communications, several organisations may wish to consider the GDPR’s statement that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” Accompanied by clear opt-out messages, this may be an option which has the added bonus of helping to spare us all from consent fatigue.