We use cookies to collect and analyse information on site performance and usage to improve and customise your experience, where applicable. View our Cookies Policy. Click Accept and continue to use our website or Manage to review and update your preferences.


GDPR bans pre-ticked boxes

02 Mar 2018 GDPR Print

GDPR bans pre-ticked boxes as consent changes

Consent is one of the lawful grounds for processing of personal data. But the upcoming GDPR could require firms to significantly change the consent wording on their data request forms.

The GDPR defines consent as a freely given, specific, informed and unambiguous indication of a person's wishes.

WP29, which gives independent advice to the European Commission, has now defined free as implying actual choice and control for data subjects.

Therefore, if consent is bundled up into other non-negotiable contract terms and conditions, it is presumed not to have been freely given.

Consent and contract should not be merged into each other, WP29 declares.

Granularity

WP29 also signals the importance of 'granularity' or the level of detail in datasets.

Consent is presumed not to be freely given if the process doesn't give data subjects separate assents for separate processing activities.

Specific consent can only be given when data subjects are specifically informed about the intended purposes of data use.

WP29 points out that the GDPR introduces a high standard for informational clarity and accessibility. A data controller should, therefore, weigh up what information to provide, and how to provide it.

WP29 is clear that the data subject must deliberately consent to the particular processing of their data to comply with the requirement for 'unambiguous' consent.

A blanket acceptance of terms and conditions is not a clear consent.

Pre-ticked boxes which then must be unticked to prevent agreement will not be allowed under the GDPR.

The WP29 weighs up the issue of the imbalance of power between the controller and the data subject.

It points out that public authorities are unlikely to rely on consent for processing, since the data subject will, in general, have no realistic alternative except to comply with public authority.

WP29 says that there are other lawful bases, such as compliance with legal obligation, which are more appropriate for public authorities.

The same imbalance of power exists in the context of employees, whose data is unlikely to be deemed as freely given, according to WP29.

 

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland

Copyright © 2024 Law Society Gazette. The Law Society is not responsible for the content of external sites – see our Privacy Policy.