After the General Data Protection Regulation - GDPR - started applying in May 2018, there has been a scramble in the industry to ensure that all processing of personal data is done in accordance with the law. This is great, and core to making GDPR work as intended. But in the haste to cover all their bases, a lot of companies have gone a bit overboard with their requests for consent. It is important to understand that you do not always need the user's consent for processing of personal data to be legal. Sometimes, it can even be highly problematic to rely on consent. Let's check it out!
Most of you will by now be familiar with being asked for consent on almost any webpage. "Do you consent to our cookies?", "Is it A-OK if we share some details with our advertising company?", "Would you mind if we sold your firstborn into slavery?". We mostly click yes without thinking.
But why are there so many things we have to consent to? Sometimes it is good to be asked if I really wanted this site to send me emails every hour for the next year, but other times, I have to consent to things that seem obvious that I would want. Alerts if my account has an issue, storage of my phone number when I sign up for a messaging service, or keeping my address to send me bills. It seems so strange to be asked for this. Usually, the site is also pretty clear that if you don't consent, you can't proceed. So why bother asking?
There's really no reason! To understand why, we need to get a bit technical, but stick with me.
GDPR article 6 describes all the ways you may legally process the personal data of a person in the EU (the regulation protects data subjects in the EU, not only EU citizens). While consent is one lawful basis for processing, there are actually five others, and two of them can be used to a much greater extent than they are today.
Performance of contract
If your processing of personal data is necessary to fulfil your obligations under a contract with the person in question, you are allowed to do so, and you do not need explicit consent. The same basis covers steps you take at that person's request before the contract is entered into, such as preparing a quote. You must still inform the user that this processing will happen, but there is no need for flashy pop-ups and large green consent buttons.
As an example, say that you run a website where you sell pictures of cute dogs. I want to buy one of your pictures, so I click checkout, provide my name and shipping address, and hit the order button. You do not need my explicit consent to use my address in order to ship me the picture. As part of your fulfilment of the contract I just entered into, you need to process my address, and you are therefore allowed to do so. There might be several legitimate uses of my address for the purpose of fulfilling the contract. Maybe you need to ship a frame as a separate package, or you need to ship a replacement item because the transport service lost the original. This is all fine if you use performance of contract as your processing basis. Should you however decide to use the address to ship me advertisements, you'll be in trouble: that is not a necessary part of delivering my picture, and "necessary" is the key word in this basis.
Legitimate interest
This is perhaps the broadest basis for processing. You can claim any legitimate interest you have in processing the data. This might be that you need it to understand what products your users want, that it is necessary when looking into errors in the system, or even marketing, if your business can not survive without it. But you have to make an assessment of how the processing affects my rights and freedoms as the data subject, and must weigh your interest against any harm to me. You must also be transparent about this decision. Only if you find that your interest is not overridden by my interests, rights and freedoms are you allowed to proceed.
The main challenge with legitimate interest is that it is impossible to be certain that your assessment will be accepted, should you end up in court. There will always be a risk that the data protection authority or the courts view your assessment as wrong, putting you in potential trouble.
So why do we often fall back to consent as the basis of processing? Because it's easy! It's easy to ask, and when you have asked, your legal department is all happy and will let you move along with your day. No risk that you get any trouble with the authorities or the courts, all is just blue sky! At least, that's the misconception that drives the hunt for consent.
In reality you can get into a lot of problems if you use consent as your legal basis where another basis is more fitting. Say you use consent as the basis for your processing of the name, address and payment details of one of your customers. You ship the order and get paid. After the picture arrives at the recipient, they contact you to withdraw their consent, and ask you to delete all information about them. They then contact their credit card issuer and dispute that they made the purchase. When the credit card issuer contacts you, there is no way for you to prove that they indeed ordered the picture, because consent was your only basis and it is now gone (and if you are still able to prove it, you will probably get reported to the supervisory authority for breach of the privacy regulations).
There are also specific rules about consent, and how it can be given. These are laid out in article 7, and should you fail to comply with them, the consent is not valid. Among other things, the request for consent must
(...) be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
One could also argue whether a consent given where another basis for processing could have been used is valid at all. For a consent to be valid, it must among other things be freely given, and article 7(4) explicitly says that it counts against you if you make performance of a contract conditional on consent to processing that is not necessary for that contract. If you make it impossible for me to buy a picture without consenting to your processing of my address, how freely given was that consent?
All of this is a lot of hassle when collecting a shipping address, especially when you could just rely on "performance of contract", and simply collect the information needed for you to fulfil the agreement with your user to ship an image of a cute dog.
Don't just automatically choose consent as your basis for processing of personal data. Not only might it give you more work than needed, it might also land you in some trouble that would take away time from what you really love - presumably taking cute pictures of dogs 🐶