Back in March there was a clamour of excitement, with the ICO publishing draft guidance on consent under the forthcoming GDPR. The Regulator also began a consultation, for organisations to provide their thoughts. More than four months on, with the consultation long-closed, we still have no final guidance and the initial promise of June has been and gone. Now, the ICO says its final guidance won’t be published until the Article 29 Working Party of the European Data Protection Authorities (WP29), has agreed its European-wide consent guidelines. This is not anticipated until late this year.
Unsurprisingly, organisations told to hurry up and prepare for May 2018 are frustrated; consent is a crucial issue. A draft is a draft and subject to change and any alterations could have a significant impact. Do organisations jump now and adopt the draft guidance and risk going too far?
The tough stance taken in the draft certainly presents a real challenge for many, and in some cases the requirements are simply impractical to implement. Organisations need to know for certain what the ICO expects. There are also areas that are just not covered where further guidance would be most helpful.
Naming third parties
The requirement in the draft to name every third party with whom data might be shared, would prove problematic for many to meet. Third party lists regularly change, and surely if consumers are presented with a third party opt-in statement (with sectors transparently provided) this would be sufficient for them to make an informed choice. They wouldn’t be forced to tick the box.
Hosted email campaigns
In many cases data held by a Controller is not shared with a third party, but communications are sent out containing marketing from third parties. Would that third party need to be specifically named at the point of data collection? The draft doesn’t cover this and yet this is common practice.
A conflict is presented when the ICO advises granular consent is collected for each distinct processing activity. How do organisations do this, while still meeting the requirement to ensure privacy notices are as clear and easy to understand as possible? Many large organisations may have the resources to ensure privacy notices are presented in an easy to navigate layered format, but we may see notices increasing to the point where they are actually harder for consumers to digest.
Earlier this year the ICO made it clear there will be no grace period, thereby ruling out the ability to carry on using existing consent collected under current law. Requiring businesses to re-consent the personal data they hold represents a serious burden. Many are also fearful of falling foul of the current rules, seeing the recent fines levied against Honda, Flybe, Moneysupermarket and Morrisons.
What can you do now?
In the absence of the certainty final guidance would provide, organisations can only go with what they know and what might present the ‘worst-case’ scenario. Being prepared for the latter may be wise. What is unlikely is the ICO backing down on the statement, “Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.” And, increasingly, this is something consumers regard as suspicious.
In its draft, the ICO stressed consent should only be used when consumers can be given a genuine choice. Many are therefore looking to other legal grounds for the processing of personal data, such as Legitimate Interests. The Data Protection Network has recently published Guidance on the use of Legitimate Interests.
Another challenge organisations face is the prospect of an ePrivacy Regulation governing electronic communications. This would replace the EU ePrivacy Directive (which gave us PECR in the UK), and the aim is for this new regulation to come into force in line with the GDPR next year. However, the final text has yet to be published and rumours are growing it may be delayed. Will the soft opt-in be retained but its scope limited? Will there be a clear distinction made between business data and consumer data? ePrivacy – what you need to know?
A final ePrivacy text and more consent guidance simply can’t come soon enough, ensuring compliance isn’t easy when you don’t know precisely where the goalposts stand.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.