Consent under the data protection regime

Introduction

Consent is a form of expressed and immediate acceptance of the terms by the user. Consent provides validity and is binding under certain legal regimes. Data protection laws like the GDPR, CCPA, LGPD, PIPEDA etc recognises consent as a legal basis for processing personal data. It is a highly used best practice by organisations to obtain “informed consent” from the individuals i.e. data subject on each data collection points.

Forms of Consent

For smoother experience of user on website consents are now enabled by way of check boxes mentioning options to select and explaining the purposes of the data to be collected, stored and shared. This requires an affirmative action by user to treat the consent as accepted.

Another form was the Click-Wrap Contract i.e. an option is provided at the end of the terms statements for the user to click on Accept or Decline button as a mark of acceptance or rejection of the terms.

General Data Protection Regulation (GDPR)

Consent is defined under the GDPR as:

“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Let’s break this down into five elements:

Freely given – the person must not be pressured into giving consent or suffer any detriment if they refuse.
Specific – the person must be asked to consent to individual types of data processing.
Informed – the person must be told what they’re consenting to.
Unambiguous – language must be clear and simple.
Clear affirmative action – the person must expressly consent by doing or saying something.

If any one of these five elements are missing, it won’t be considered as a valid consent under GDPR.

Under the GDPR, consent is not required –

For carrying out a core service (use contract instead).
For required to process personal data by law (legal obligation).
For processing personal data to the benefit of your company or others in a way that your users would reasonably expect, with minimal risk and impact on individuals (legitimate interests).

California Consumer Privacy Act (CCPA)

Consent is defined under the CCPA as:

“Any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer, or the consumer’s legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose.”

The CCPA doesn’t require active, advance consent. You can collect and use the data right away without any confirmation from the person. The only time when consent is required under CCPA is when you’re selling the data.

You could be “selling” personal data if, for example, you share data with third parties to produce personalized ad campaigns. For businesses, then, this means that there’s a good chance you could be selling data within the meaning of the CCPA.

In short, if there’s any chance, you’re selling someone’s data within the Act’s meaning, it’s best to proceed as if you are, which means following the CCPA’s “opt out” rules.

Indian Data Protection Bill (“DP Bill”)

The DP Bill provides the following grounds for consent to be considered valid:

free, having regard to whether it complies with the standard specified under section 14 of the Indian Contract Act, 1872;
informed, having regard to whether the data principal has been provided with the notice for collection or processing of personal data;
specific, having regard to whether the data principal can determine the scope of consent in respect of the purpose of the processing;
clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context; and
capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.

The newly proposed DP Bill, 2021 brings in a clear and robust consent mechanism for the collection of sensitive personal data (“SPD”) and its processing specifically but personal data (“PD”) also in general. Accordingly, two major changes have been made to the draft legislation. First, with respect to SPD, the language as expressed in the consent clause has been amended to require that the explicit consent of the data principal is to be obtained by specifying in clear terms not just the purpose but also the conduct and context explicitly, without circumvention of any law and without any kind of implicit inferences. Second, in relation to PD, the services, quality of service, performance of a contract or enjoyment of any legal right or claim cannot be denied by the data fiduciary based on the exercise of choice by the data principal.

To learn more about implementing consent mechanisms in your organization, head over to our Data Privacy Services page to learn more about our services.

Disclaimer: This blog is the copyright of Reina Consulting LLP. It is not intended to be a form of solicitation or advertising. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is viewed or that it will continue to be accurate thereafter. No person should act on such information without appropriate professional advice based on the circumstances of a particular situation. This information is not to be considered as legal advice or opinion and the firm shall not be liable for any action taken by the user, directly or indirectly, on the basis of such material.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
CONSENT	16 years 5 months 10 days 17 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.

Leave a Reply Cancel reply

Cookie Consent