GDPR and Granularity of Consent (how many tick boxes)

Transcript of the Video

Good evening, everybody, Suzanne Dibble here, Data Protection Law expert, coming to you raw and uncut on a Saturday night, and today I am talking to you about GDPR and granularity of consent, and there's been a lot of talk in the group about the granularity of consent, and tick boxes. How many tick boxes do you need to have your consent, and the different types of processing, the different purposes, what is the answer?

Well, I'm afraid that the answer is, we just don't know. The Working Party guidance that has been adopted, but is still to be finalized, says some things about the granularity of consent, but there's still a lot that is, it's just not clear. So I'll read you what they say about it. For those of you who aren't up to speed with this discussion by the way, hopefully, you know by now that GDPR imposes a higher standard of consent than we have under existing regulations. Consent is just one lawful ground for processing personal data, okay. But when you're relying on consent as your ground for processing, then that consent has to meet certain conditions, and one of them is that the consent is granular, which means that it is you don't bundle the consent all together in one tick box. That there has to be genuine choice and control by the data subject, as to what they want their data to be used for, and what they're consenting for their data to be used for.

So, let me, this is the Working Party guidance that I've got here. Okay, so it basically says exactly what I've just said. "A service may involve multiple processing operations for more than one purpose. In such cases, the data subject should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes. In a given case, several consents may be warranted to start offering the service, pursuant to GDPR." Okay, so clearly the Working Party there, are anticipating that you could have several tick boxes in order to start offering the service.

It goes on to say that, "Recital 43 clarifies that consent is presumed not to be freely given if the process straight procedure for obtaining consent does not allow data subjects to give separate consent for personal data processing operations respectively." You may recall that one of the ... another of the conditions of consent is that it's got to be freely given. Recital 32 states, "Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the controller has conflated several purposes for processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom."

"This granularity is closely related to the need of consent to be specific," which is another condition of GDPR compliant consent. "When a days' processing is done in pursuit of several purposes, the solution to comply with the conditions of valid consent, lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose." Now they give one example in the Working Party guidance, and it says, "Within the same consent request, a retailer asks its customers for consent to use their data to send them marketing by email, and also to share their details with other companies within their group. This consent is not granular, as there is no separate consent to these two separate purposes, and therefore the consent will not be valid."

So that's a useful example. It's one that I've used a number of times. You would need two tick boxes. One for details of marketing by email, and the other one to share details with the other companies within that group. Okay, so that is literally all there is, and note that, that is adopted but still to be finalized. There was a consultation on this guidance that only closed at the end of January, so obviously the Working Party is going to take its time to look at all the responses to that consultation, and then probably publish a final guidance on all of this.

And then, whilst I was looking into this, I came across some advertising, an online behavioral advertising company called Page Fair, and I'll post the link to the article in the comments below this video. But they took it to the, well not even to the extreme, they just broke down the different purposes of data processing and online behavioral advertising, and came up, just in that, what you might think of as one activity, the 10 different potential tick boxes just within that. And then there was a question over whether you would need to identify, because within that advertising there's a whole number of different controllers and processes, so whether you'd have to identify those within those tick boxes as well.

So, it's very unclear, very unclear. I think certainly that this, although it's not in the guidance as an example, I think if you are processing by post, by email, by text, it's always sensible to offer tick boxes for those separate options. But the answer is, I'm afraid we just don't know. We just don't know. And all we have is, is the fact that consent must be given, and must be granular so that data subjects have the choice and control. That's what it all comes down to ultimately. And it's very well when the legislators are sitting there writing legislation and it's a very noble purpose, that there will be this granularity of consent options, but when it comes down to it, and people actually start thinking through the practical consequences of it, then it gets a little bit more difficult.

So some really interesting questions in the group, but I'm afraid to say, nobody really knows the true answer. And I did see, yes I just saw the comment in the group about somebody had called up the ICO, and the ICO had said that too many options could be bad, too many tick boxes could be a bad thing. I completely agree. I read another article that commented, that it could lead to click fatigue, where it serves the opposite purpose to what the legislation is trying to do. In that if you break down the purposes too much, people just aren't going to read it, they'll just tick; tick, tick, tick, tick, or they'll go away from the site. So, it's a really difficult question, and it'll be really interesting to see how it plays out in practice.

And I know this is not very helpful, for those of you who are trying to work out if you need to make any modifications to your websites, and to your sign up boxes and things like that. It's really not helpful, but that's where we are, and obviously, I'm watching the space on any updated guidance coming from the Working Party, and I'll let you know as soon as we get that. But, at the moment, really all we have is our own best guesses. I mean what am I going to do? Well, I'm going to break it down, as much as I can. But I don't actually do that much with ... If I think, thinking of the principles, and that's what I always try to take it back to, you know what would I expect my prospects or people that I am processing data about to want to know, and really it comes down to, probably for me, more of the marketing emails.

So I would break mine down and I would say, "Would you like to receive some free legal resources from me? Would you like to receive details if you would you like to receive any promotions? Would you like to receive," what else would I ask them? That's probably it, to be honest, with my simple business. So I could probably keep it to sort of two or three tick boxes, but it depends what type of business you're in. If you're data processing and online behavioral advertising, for example, then you might need to be a lot more detailed about it.

So I'll post this article in the group. Let me see if there's anything that comes out of it, that I can tell you. No, I'll post it in the group because I'll say the way they've come up with 10 different types of tick boxes, and if as a customer or a prospect you were faced with table, and trying to make sense of it, it just wouldn't happen really. Yeah, so that's where we are. If anybody else has any practical insight on that in terms of, you've spoken to the ICO, or any thoughts about how you're going to break it down, then share it, because the answer I say, we don't know. We don't know. So it'll be interesting to see what people are doing on that.

Okay, so I'm not going to say, I hope that was helpful because it's probably not. I hope that updates you, as to where the guidance is with the issue of granularity of consent, and how many tick boxes we need to have, and I say I promise to keep you updated with any further consent that comes out. Have a brilliant rest of your Saturday evening, and I'll be seeing you tomorrow.