Consent
“Consent” means a user-initiated action to agree to the processing of personal data. Regulators tend to balance the level of consent required based on the likely risks to people from the processing of their personal data.
People can signal their lack of consent or withdraw previously given consent by initiating an opt-out signal. Opt-in consent is also called "explicit consent" or "express consent." Opt-out consent is also called "implicit consent."
Regulator Perspectives
To inform people of the potential risks involved with processing personal data, GDPR requires, at a minimum, disclosure of the categories of organizations that will receive personal data after they signal their consent.[1][2][3]
GDPR defines two levels of consent:
- Article 4(11) defines “unambiguous consent” as “freely given, specific, informed and unambiguous…affirmative action” for standard use of personal data[4]
- Article 9(2)(a) defines “explicit consent” as affirmative, opt-in consent for more sensitive or risky use of personal data[5]
The EU legislature that wrote GDPR intentionally distinguished these two levels of consent, given the different levels of risk between processing sensitive personal data and other processing of personal data:
“The way in which consent is to be given by data subjects remains “unambiguous” for all processing of personal data, with the clarification that this requires a “clear affirmative action”, and that consent has to be “explicit” for sensitive data.”[6]
The UK ICO report on real-time bidding in relation to GDPR and the Privacy and Electronic Communications Regulations (PECR) also clarified that the level of consent should be proportional to the level of risk. Given the initial notice and choice an individual provides to set a digital identifier, the ecosystem that relies on these identifiers does not need explicit consent, unless the data transfer involves sensitive category data.
"Special category data is more sensitive than ‘ordinary’ or non-special category personal data, and needs more protection, as our guidance makes clear…. For example, ‘Special category data is personal data which the GDPR says is more sensitive, and so needs more protection’ and ‘this type of data could create more significant risks to a person’s fundamental rights and freedoms’…. Bid requests that comprise non-special category data do not require explicit consent under Article 9. However, due to the use of cookies to process this information, consent (to the GDPR standard) is still required under PECR at the initial point of processing. (Previous guidance from the Article 29 Working Party indicates that the consent can apply to subsequent processing of the data within the ecosystem, as long as it remains valid.)"[7]
The Canadian privacy regulation, Personal Information Protection and Electronic Documents Act (PIPEDA), also reinforces the distinction to ensure different levels of consent are collected when processing sensitive personal data:
"The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate... The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive."[8]
References
- [1] https://gdpr-info.eu/art-13-gdpr
- [2] https://gdpr-info.eu/art-14-gdpr
- [3] https://gdpr-info.eu/art-30-gdpr
- [4] https://gdpr-info.eu/art-4-gdpr
- [5] https://gdpr-info.eu/art-9-gdpr
- [6] https://data.consilium.europa.eu/doc/document/ST-15039-2015-INIT/en/pdf
- [7] https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906-dl191220.pdf
- [8] https://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-11.html