
Does Consent Equal Compliance?

  • Michael Donev
  • Nov 13, 2022
  • 3 min read

Under most data protection legislation around the world, companies that collect and process personal information are obliged to do so lawfully. The most prominent data protection law to date, the General Data Protection Regulation (GDPR), requires under Article 5 that personal data be processed (and collection is itself processing) in a lawful, fair, and transparent manner. Article 6 then lists the legal grounds on which processing is considered lawful, among them performance of a contract, compliance with a legal obligation, and consent from the data subject.


In today’s interconnected digital universe, advertisers work with third parties who track, collect, and share consumer information in order to serve the most relevant ads and generate sales. In fact, there is an entire marketplace where advertisers can buy data without the consumers even being aware of how their data is used to customize their online experience.


These data vendors must collect the personal information (email addresses, phone numbers, IP addresses, and so on) under one of the lawful grounds for processing. Aside from the illegal ways in which companies can collect personal data for the purpose of selling it to advertisers, something we will address in a different article, the most common way to obtain personal data is simply to ask for permission through a website popup or cookie banner, which consumers willingly accept. In other words, most companies assume that if the consumer provides consent when entering the website, they are legally compliant with the data protection regulations and can do as they wish. Taking it a step further, many B2C businesses obtain consent precisely in order to tick the compliance box.


However, consent does not always equal compliance. Careful consideration is needed to determine whether requesting the consumer’s consent will actually protect their personal information and, in turn, make you compliant with the applicable laws. For example, the rules for consent under the GDPR must be followed precisely, and only under certain circumstances does consent from a data subject satisfy Articles 5 and 6. Consent must be freely given, specific, informed, and unambiguous (Article 4(11)), and when it is requested in a written declaration that also covers other matters, the request must be clearly distinguishable from those matters, intelligible, easily accessible, and in clear and plain language (Article 7(2)). A pre-ticked box, or a banner that offers no real way to refuse, does not meet this bar. These are independent requirements that must all be met; if even one is not satisfied, the entire processing can qualify as a breach of the data protection law.


Moreover, companies that satisfy the above-mentioned requirements may still violate the principles of processing by passing the data to an advertiser or another party before the consent is received. Most of the time this happens as soon as the user lands on the website: third-party tracking scripts embedded in the page fire on load, before the popup window or cookie banner even appears, let alone is answered. A simple check is to open the browser’s developer tools, reload the page with a fresh profile, and look at the network tab before interacting with the banner; any request to an advertising or analytics domain at that point is processing without consent. Processing data prior to receiving consent is a breach of the principles of processing under the GDPR.


Another example where consent will not automatically mean compliance with the data protection laws is the case of ‘piggybacking’: the consent is given only for a specific type of processing, but the data controller uses the same data for other purposes in addition to those for which it received consent from the data subject. This breaches the purpose limitation principle in Article 5(1)(b) regardless of how well the original consent was obtained, because consent covers only the purposes that were actually presented and accepted.


The bottom line is that companies that obtain consent to process personal information may still be in violation of data protection laws, because consent is only one condition of lawful processing. The Article 5 principles of lawfulness, purpose limitation, and transparency apply to every step of the processing, from the moment the first script loads to each onward disclosure, and a cookie banner on its own does not satisfy them.
