The data protection principle of consent is one of the significant areas of the General Data Protection Regulation (GDPR) that’s changing from the existing data protection rules and the one area that’s got marketing people over excited due to it’s rules about consent being “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” An indication that when consent is the lawful basis for processing you not only need to be clear about what you’re asking consent for but the data subject has to make a positive confirmation (i.e. no more pre-ticked boxes).
So it’s no wonder that we’ve all been waiting for clear guidance, particularly from the Information Commissioner’s Office (ICO) on what consent actually means in practice.
The ICO published their draft consent guidance for consultation back in March of this year, with a view of publishing the final version in the summer. That was then delayed with a view to publishing in December when the Article 29 Working Party (the European group of regulators) had consulted on it’s own consent guidance.
However, the Article 29 Working Party have only just published their own consent guidance for consultation and are seeking views on it by 23rd January, indicating that the long awaited ICO guidance won’t be appearing till next year (I’m guessing February at the earliest).
The A29WP consent guidance can be downloaded here and covers (amongst other things), what constitutes valid consent and how to collect it. There’s quite a lot to take in, but it does give you, which the ICO guidance does too, an indication of the basic thinking about valid consent, including when you’re not collecting consent electronically.
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR