The GDPR requires consent as a basis for a company to transfer personal data.  Prior to the GDPR, EU Directive 94/46/EC only required “opt out” consent, which could be implicit.   The GDPR however, requires that the data subject agree to or make “a statement or clear affirmative action” granting such consent for use or transfer of personal data. 

Consent must be “freely given, specific informed and unambiguous.”  This is more than implicit, but less than explicit.  The data subject needs to express consent through “a statement or clear affirmative action” which can include clicking, choosing settings, making a statement or undertaking conduct that clearly indicates assent to the collection or use of their personal data.  The consent must be for the items to be processed, how they can process them, and who can do the processing.  Consent cannot be inferred from inaction or ambiguous actions.

For those in the United States, the GDPR consent required is akin to that of our “clickwrap” agreements, as opposed to the more implicit “browsewrap” agreements.

The GDPR goes further however.  It also gives data subjects the right to withdraw consent as well as the right to give it, and controllers must make this aware to them prior to the grant of consent. Once consent is removed, the data must be deleted and not processed in any manner.

The controller must not make a service conditional on the granting of consent, unless the processing is necessary for the service.

There is a presumption that the consent is not freely given if the controller is in a position of power.

Lastly, the consent must be specific for each item of processing. To be specific enough, the request for consent must be “clearly distinguishable” from any other matters in the agreement/document.  The request must also be in clear language.  A controller doesn’t need to get follow up consent if the initial processing consented to is “compatible” with future processing.  Generally its compatible if the processing purposes, expectations, nature and consequences are similar and safeguards exist.

Special Categories of Personal Data

While the GDPR covers all personal data, there is a subset of personal data referred to as “special categories of personal data” which are:

racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.  Art. 9, Sect. (1).

The consent needed for these categories is heightened from the general consent required (clear affirmative consent is needed), and each EU Member State can pass additional laws regulating same.

Children

GDPR prohibits children from consenting to processing without parental authorization.  Children for this purpose are those under 16, although each EU Member State can set a lower age not below 13 (the UK has said it will set it at 13).  The controllers must make reasonable efforts to verify that a parent or guardian has provided the necessary consent.