““Consent” is a concept in the Data Protection Act linked to the first principle of fair and lawful processing and in my experience wasn’t particularly the subject of hot debate until mass digital marketing became the preferred choice of communication and PECR (the Privacy and Electronic Communications Regulations) came along.
Consent was often, and actually still is, mixed up in many minds with email opt-ins and opt-outs. Confusion often reigns regarding the use of implied or explicit consent in various circumstances and remains an area of legal uncertainty. It appears to be perfectly acceptable to acquire consent implicitly where the processing is not intrusive, and even in circumstances where explicit consent should be obtained, many data controllers take a commercial view and work with implied consent, reasoning that the potential loss in revenue from moving from implied to explicit is a greater threat than the compliance risk and potential sanctions.
The General Data Protection Regulation does a pretty good job of cutting through all of this and providing greater legal certainty – far more black and white rather than grey. The bad news is that some folk won’t like the black bits but in general my view is that applying the GDPR rules will be a whole lot easier than under DPA and PECR.” – Phil Brining, Data Protection People, January 18th 2016
Consent is one of the areas of GDPR that is causing the most debate – particularly for those processing data for the purposes of marketing. The legal text is confusing and clarification from the DMA and ICO is sketchy, to say the least.
Phil’s article cuts through the fog, stating exactly when you’ll need to seek consent for a wide variety of data processing activities including privacy notices, the processing of children’s data and the terms needed to ensure ‘informed consent’.