This article explores the use of consent to store information or access to storage of information on an end user’s terminal equipment.

However, keep in mind that the last amendments to the ePrivacy Directive analyses other grounds for data processing, other than consent.

Useful? Embed this infographic on your website.

<a href="https://www.lawinfographic.com/consent-for-tracking-purposes_by_jessica_lam/" target="_blank"><img src="https://www.lawinfographic.com/wp-content/uploads/2018/05/consent-for-tracking-purposes-700x620.png" width="1122" height="994"/></a><br/><span style="font-size: 12px;"><a href="https://www.lawinfographic.com/consent-for-tracking-purposes_by_jessica_lam/">Read full article</a> (via <a href="https://www.lawinfographic.com/">www.lawinfographic.com</a>).</span>

WHAT IS CONSENT?

Consent is a legal base by which a person can agree with the processing of his/her personal data.

Consent should have the same meaning as the data subject’s consent as defined and specified in Directive 95/46/EC, which will be replaced by the General Data Protection Regulation (GDPR) on the 25 of May 2018.  

GDPR REQUIREMENTS FOR CONSENT  

In accordance with the GDPR, consent should:

• Freely given; consent is not freely given when the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment;
• Specific; the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data;
• Informed; the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended; and,
• Given by a clear affirmative action, that indicates its agreement with the processing by a written statement, including by electronic means or an oral statement.

HOW TO OBTAIN A CLEAR AFFIRMATIVE ACTION?

In line with Recital 32 GDPR, the clear affirmative action could be provided:  

• ticking a box on a website; or
• choosing technical settings for information society services; or
• another statement or conduct clearly indicating the agreement for the processing of his/her personal data.

It is also noted that can NOT be provided by:

• Silence; or
• Pre-ticked boxes; or
• inactivity

In order to shed more light, Recital 23 and Article 10 of the ePrivacy Regulation Draft Proposal states the following:

• Offer a set of privacy options. The options should be offered in easy and concise format and should include at least: a) never accept cookies; b) reject third-party cookies or only accept cookies; and, c) always accept cookies.
• Link each option to the appropriate section of the privacy policy, where it is explained in detail each option and provides further details regarding what data is being collected, why is collected, how long will it be kept in line with the Principles of Processing as well as the Data Subject’s rights.
• The data subject must select one option in order to continue with the use of the website. Provision of a clear affirmative action to consent a setting.
• Present an easy way to change the privacy setting consented at any time during the use.
• Under the consolidated version of the European Council (December 2017), after 12 months, a reminder should be set providing the possibility to the user to withdraw their consent – as far as the processing continues. Except if the user requested not to receive such reminders.
• Use and easy to understand, concise and specific language.

LEGAL USE OF COOKIES OR SIMILAR TECHNOLOGIES WITHOUT CONSENT – Exemption under the current ePrivacy Directive

Some cookies are exempted from consent in line with Article 5(3) of the current ePrivacy Directive:

• Cookies used for the sole purpose of carrying out the transmission of a communication; and,
• Cookies necessary for the provider of an information society service to provide with the service requested by the user.

For instance:

• user‑input cookies (session-id) such as first‑party cookies to keep track of the user’s input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases.
• authentication cookies, to identify the user once he has logged in, for the duration of a session.
• user‑centric security cookies used to detect authentication abuses, for a limited persistent duration.

IMPORTANT NOTES:

• Check if the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous.
• In case of using cookies for different purposes, you will require consent for each purpose.
• Provide with an easy manner to withdraw consent at any time. Check with your IT department for the necessary update of the system.

KEY POINTS:

• Evaluate if the use of cookies or similar technologies is essential for the functionality (“Cookie Audit”) or if you could use alternative technologies. If it is the case, analyse the potential risk of the use of those cookies and resolve if consent is necessary or not.
• Special attention should be given to the consent to use third‑party session and persistent cookies, the data collected may be transferred beyond the EU’s legal jurisdiction (EU, EEA* and Convention 108).
• Adjust your Privacy Policy in line with the law.
• Above all, ensure the choice of the user is respected. Do not store cookies or similar technologies without the consent of the users.
• This also affects mobile applications which store information on smart devices and some can even access data on the device.
• The GDPR is relevant for all the EEA members.