In any data protection or information security management framework, consent management or the lack thereof springs many things. The existence of a solid consent management framework plays a critical role in a company’s data protection strategy, and the absence can lead to infringement of the freedoms and rights of data subjects.
The problem arises when data controllers do not meet the rigorous requirements of consent management.
In this article, I intend to break down some complexities in consent management. Consent, to give contextual meaning, requires that data subjects carry out affirmative action and freely allow data controllers to process their information for specific purposes.
When consent is freely given, then it is expected that a data subject can easily withdraw such consent without detriment. For example, a travel agent asks customers to use their GPS to refer them to hotels. If the person agrees to that particular tracking feature, they should also be easily able to retract such consent. If the client refuses to consent, that should not stop the company from meeting pre-existing contractual obligations.
Another interesting scenario is when a bank asks customers to consent to use their payment details for direct marketing purposes. However, this processing is not necessary for the performance of the contract and other bank services. If the customer refuses to consent to the marketing purpose, it shouldn’t lead to the denial of banking services or closure of a bank account or increased fees for certain services. Data controllers should not mix consent with contractual obligations or other lawful bases of processing data. Consent has to be specific because it aims to ensure a degree of user control and transparency.
It requires that data controllers inform data subjects about certain crucial elements to make a choice. The company needs to reveal their identity, provide the purpose of processing operations, and demonstrate how the consent procedure works.
Another critical piece of information that the company should provide to the data subject is what type of data will be collected and used and how the data subject can withdraw such consent.
It is not enough that the data subject has provided the company with the consent, but have they shown the data subject how they can withdraw consent? For example, a customer has allowed the company to send them marketing material via email. Still, they should also know how to unsubscribe from receiving such marketing material without any hassle. It is bad practice when companies make customers go through other hurdles to withdraw consent.
For consent to be valid, there needs to be an affirmative action that signifies agreement to the processing of personal data relating to him or her. For example, the customer swiping a bar on a screen or waiving in front of a camera, and it is clear it agrees to a specific request. Requests must remain unambiguous.
Other ways to collect consent could be through a telephone conversation and asking specific confirmation from the data subject whether their data can be shared or used for any other purpose. However, this might increase technical and administrative demands.
How will the conversation be stored to demonstrate compliance? Any organisation that collects consent via telephone must pay attention to the retention and safekeeping of such discussions.
There is no specific time limit for how long consent will last. However, data controllers must employ discretionary measures. For example, a company has been sending marketing materials to a customer. It is good practice to check quarterly if the data subject still wants to receive such materials. This method feeds into the transparency and fairness principle.