This article explores the use of consent to store information, or to access information already stored, on an end user’s terminal equipment. Keep in mind, however, that the latest amendments to the ePrivacy Directive also analyse grounds for data processing other than consent.
WHAT IS CONSENT?
Consent is a legal base by which a person can agree with the processing of his/her personal data.
Consent should have the same meaning as the data subject’s consent as defined and specified in Directive 95/46/EC, which will be replaced by the General Data Protection Regulation (GDPR) on 25 May 2018.
GDPR REQUIREMENTS FOR CONSENT
In accordance with the GDPR, consent should be:
- Freely given; consent is not freely given when the data subject has no genuine or free choice, or is unable to refuse or withdraw consent without detriment;
- Specific; the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data;
- Informed; the data subject should be aware at least of the identity of the controller and of the purposes of the processing for which the personal data are intended; and,
- Given by a clear affirmative action that indicates the data subject’s agreement with the processing, by a written statement (including by electronic means) or an oral statement.
HOW TO OBTAIN A CLEAR AFFIRMATIVE ACTION?
In line with Recital 32 GDPR, the clear affirmative action could be provided by:
- ticking a box on a website; or
- choosing technical settings for information society services; or
- another statement or conduct clearly indicating the data subject’s agreement to the processing of his/her personal data.
It is also noted that it can NOT be provided by:
- Silence; or
- Pre-ticked boxes.
In order to shed more light, Recital 23 and Article 10 of the ePrivacy Regulation Draft Proposal state the following:
- Offer a set of privacy options. The options should be offered in an easy and concise format and should include at least: a) never accept cookies; b) reject third-party cookies or only accept cookies; and c) always accept cookies.
- The data subject must select one option in order to continue using the website. Selecting a setting is the clear affirmative action that expresses consent to it.
- Present an easy way to change the privacy setting consented to at any time during use.
- Under the consolidated version of the European Council (December 2017), after 12 months a reminder should be sent giving the user the possibility to withdraw their consent, as long as the processing continues, unless the user has requested not to receive such reminders.
- Use easy-to-understand, concise and specific language.
Some cookies are exempted from consent in line with Article 5(3) of the current ePrivacy Directive:
- Cookies used for the sole purpose of carrying out the transmission of a communication; and,
- Cookies necessary for the provider of an information society service to provide the service requested by the user.
The WP29 guidance cited below gives examples of such exempted cookies:
- user-input cookies (session-id), such as first-party cookies that keep track of the user’s input when filling in online forms, shopping carts, etc., for the duration of a session (or persistent cookies limited to a few hours in some cases);
- authentication cookies, to identify the user once he/she has logged in, for the duration of a session;
- user-centric security cookies used to detect authentication abuses, for a limited persistent duration.
IMPORTANT NOTES REGARDING THE USE OF CONSENT
- Check whether the purpose or purposes concerned could instead be fulfilled by processing information that has been made anonymous.
- When using cookies for different purposes, you will require a separate consent for each purpose.
- Provide an easy way to withdraw consent at any time. Check with your IT department for the necessary update of the system.
This lawinfographic aims to present the use of consent to store information, or to access information already stored, on an end user’s terminal equipment in line with the GDPR, the ePrivacy Directive and the Draft Proposed Regulation.
The following are some key points to keep in mind:
- Special attention should be given to consent for the use of third-party session and persistent cookies, since the data collected may be transferred beyond the EU’s legal jurisdiction (EU, EEA* and Convention 108).
- Above all, ensure the choice of the user is respected. Do not store cookies or similar technologies without the consent of the user.
- This also affects mobile applications, which store information on smart devices; some can even access data on the device.
* Currently, the GDPR is not relevant for the EEA (not yet, but soon): http://www.efta.int/eea-lex/32016R0679
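The rules summarised above (offer a set of privacy options, treat the selection as the affirmative action, consent per purpose, exempt strictly necessary cookies, make withdrawal easy, remind after 12 months) can be enforced in one place before any cookie is written. The following is an added example written for this page, not code from the infographic or from any regulator; the class and option names (`ConsentManager`, `'never'`, `'reject-third-party'`, `'always'`, the category labels) are assumptions chosen for the illustration, and the in-memory `CookieJar` stands in for `document.cookie` so the code runs outside a browser.

```javascript
// Added example: a consent gate applied before any cookie is stored.
// All identifiers below are assumptions for this illustration.

// Categories treated as exempt under Art. 5(3) ePrivacy Directive: transmission
// cookies and cookies necessary for the service the user requested.
const EXEMPT_CATEGORIES = new Set(['transmission', 'user-input', 'authentication', 'security']);

// The three privacy options the draft ePrivacy Regulation expects to be offered.
const OPTIONS = new Set(['never', 'reject-third-party', 'always']);

const TWELVE_MONTHS_MS = 365 * 24 * 60 * 60 * 1000;

class ConsentManager {
  // `now` is injectable so the 12-month reminder can be checked deterministically.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.record = null; // null means no choice has been made, i.e. no consent
  }

  // Record a clear affirmative action: the user picked one option and named the
  // purposes they agree to. Silence or a pre-ticked default never reaches here.
  give(option, purposes = []) {
    if (!OPTIONS.has(option)) throw new Error(`unknown privacy option: ${option}`);
    this.record = { option, purposes: new Set(purposes), givenAt: this.now(), remindersOptOut: false };
  }

  // Withdrawal is a single call, as easy as giving consent.
  withdraw() { this.record = null; }

  optOutOfReminders() { if (this.record) this.record.remindersOptOut = true; }

  // Decide whether a cookie may be stored. cookie = {name, category, purpose, thirdParty}.
  allow(cookie) {
    if (EXEMPT_CATEGORIES.has(cookie.category)) return true;   // exempt from consent
    if (!this.record) return false;                             // no choice means no consent
    if (this.record.option === 'never') return false;
    if (this.record.option === 'reject-third-party' && cookie.thirdParty) return false;
    return this.record.purposes.has(cookie.purpose);            // consent is per purpose
  }

  // After 12 months of continued processing, remind the user they can withdraw,
  // unless they asked not to receive reminders.
  reminderDue() {
    if (!this.record || this.record.remindersOptOut) return false;
    return this.now() - this.record.givenAt >= TWELVE_MONTHS_MS;
  }
}

// Minimal in-memory cookie jar standing in for document.cookie. Denied writes
// are recorded so they can be reviewed rather than silently dropped.
class CookieJar {
  constructor(consent) { this.consent = consent; this.stored = new Map(); this.denied = []; }
  set(cookie, value) {
    if (!this.consent.allow(cookie)) { this.denied.push(cookie.name); return false; }
    this.stored.set(cookie.name, value);
    return true;
  }
}

// Constructed sample cookies for the walkthrough.
const SESSION   = { name: 'sid',   category: 'user-input',  purpose: 'session',   thirdParty: false };
const ANALYTICS = { name: '_ga',   category: 'analytics',   purpose: 'analytics', thirdParty: true  };
const PREFS     = { name: 'theme', category: 'preferences', purpose: 'prefs',     thirdParty: false };

// Runs the scenario and returns what happened at each step.
function walkthrough() {
  let clock = Date.UTC(2018, 4, 25);                      // constructed start date
  const consent = new ConsentManager(() => clock);
  const jar = new CookieJar(consent);

  // Before any choice: only the exempt session cookie may be stored.
  const beforeChoice = [jar.set(SESSION, 'abc'), jar.set(ANALYTICS, 'x'), jar.set(PREFS, 'dark')];

  // The user ticks "reject third-party" and agrees to the 'prefs' purpose only.
  consent.give('reject-third-party', ['prefs']);
  const afterChoice = [jar.set(ANALYTICS, 'x'), jar.set(PREFS, 'dark')];

  clock += TWELVE_MONTHS_MS;                              // a year of continued use
  const reminder = consent.reminderDue();

  consent.withdraw();                                     // withdrawal: prefs denied again
  const afterWithdraw = jar.set(PREFS, 'light');

  return { beforeChoice, afterChoice, reminder, afterWithdraw, denied: jar.denied };
}
```

The gate is deliberately a single chokepoint: every write to storage goes through `allow`, so a missing consent record, a "never" choice, a third-party cookie under "reject third-party", or a purpose the user did not agree to all fail in one place, and the `denied` list gives the IT department a record to audit.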
- General Data Protection Regulation: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679
- ePrivacy Directive: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32002L0058
- ePrivacy Proposal Draft Regulation: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52017PC0010
- Consolidated version of the European Council (December 2017), ePrivacy Proposal Draft Regulation: http://www.consilium.europa.eu/register/en/content/out/?&typ=ENTRY&i=LD&DOC_ID=ST-9324-2017-INIT
- Cookies exempt from consent, WP29: http://ec.europa.eu/newsroom/article29/news-overview.cfm
- Guidelines on Consent under Regulation 2016/679, WP29: http://ec.europa.eu/newsroom/article29/news-overview.cfm