top of page

User Consent in GDPR and CCPA

Updated: May 29


Consent is a crucial part of any data privacy legislation. This factor came into prominence after the onset of GDPR.

The GDPR refers the following conditions for a valid consent:

  • Consent needs to be freely given.

  • Consent needs to be specific, per purpose.

  • Consent needs to be informed.

  • Consent needs to be an unambiguous indication.

  • Consent is an act: it needs to be given by a statement or by a clear act.

  • Consent needs to be distinguishable from other matters.

  • The request for consent needs to be in clear and plain language, intelligible and easily accessible

The CCPA doesn’t require active, advance consent. You can collect and use the data right away without any confirmation from the person. However, they do have the right to demand you to stop using the data in certain ways and you must follow this demand. General Data Protection Regulation (GDPR)

The GDPR is the EU’s new legal framework for privacy and personal data protection. It catches up with the digital reality, adapts to a global data world, creates a common framework for all organizations and essentially puts back the control over personal data in the hands of people.

GDPR Article 7 sums up the essential conditions regarding consent (to be valid):

  • Consent needs to be freely given.

  • Consent needs to be specific, per purpose.

  • Consent needs to be informed.

  • Consent needs to be an unambiguous indication.

  • Consent is an act: it needs to be given by a statement or by a clear act.

  • Consent needs to be distinguishable from other matters.

  • The request for consent needs to be in clear and plain language, intelligible and easily accessible

Freely Given Consent

The element of detriment first needs to be seen in the context of GDPR Recital 42, which doesn’t only mention the duty of the controller to be able to demonstrate that consent has been given (one of those additional duties if consent is the chosen legal basis for data processing) but, among others, also states at the end that “consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment”.

In other words: as is stipulated in the first paragraph of GDPR Article 7 on the conditions for consent, it is up to the controller to demonstrate that the data subjected has consented AND, on top of that, not allowing refusal or withdrawal of consent means no freely given consent.

The WP29 guidelines also mention deception, intimidation, coercion or significant negative consequences as examples of detriment.

Valid consent

On top of being legitimate the purpose of processing needs to be specific. This certainly touches upon elements we mentioned in the scope of freely given consent. Just think about the notion of granularity and how, if the processing purpose is not specific enough, the data subject can consent to purposes he or she might not have consented to if the purpose(s) were specific.

GDPR Article 6 on the lawfulness of processing personal data emphasizes the fact that processing can only be lawful, in case consent is chosen as a lawful basis, if the consent relates to one or more specific purposes.

This also means that, when various data processing operations serve the exact same purpose consent may be given to these various operations the WP29 emphasizes, referring to Article 5 which also states that personal data have to be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes and to GDPR Recital 32 which is even clearer about this: “Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them”.

There are two exceptions with regards to purpose limitation: 1) in the scope of where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent (GDPR Article 6, paragraph 4) which doesn’t matter in the context of our article as we’re covering consent and 2) in the scope of personal data processing for archiving, scientific, historical or statistical purposes (GDPR Article 89). We cover these separately in our article on the principles regarding the processing of personal data.

Informed Consent

If consent needs to be freely given, relating to a specific purpose and in line with all the other elements of consent, then it’s relatively easy to see that the data subject must be informed in a clear and transparent way before consenting to anything at all.

GDPR Recital 42 points to the requirement for the data controller to demonstrate that the data subject has given consent. Moreover, safeguards must ensure that the data subject is clearly aware of the fact that consent is given and to what extent it is given. This is particularly mentioned in the ‘context of a written declaration on another matter’ as is also stated in GDPR Article 7.

However, the fact that the declaration of consent should be pre-formulated by the data controller in an intelligible and easily accessible form, using clear and plain language (and that it should not contain unfair terms) is recognized as a controller duty. And that comes with specific information requirements that at the very least should be present and should be communicated.

This information must be provided when the personal data are obtained and should, among others, at least mention:

  • Identity and contact details of controller or controller representative.

  • When applicable, contact details of the DPO (Data Protection Officer).

  • Legal basis for processing AND PURPOSES of processing.

  • Recipients or types of recipients of the personal data.

  • Duration of storage of personal data or how that duration is determined.

  • Notification regarding the right to access, rectification, erasure, restriction of processing, objection to processing and data portability.

  • IF consent is the legal ground the fact that there is a right to withdraw it at any time, including the fact that when there is a withdrawal of consent this doesn’t impact the lawfulness of processing prior to it.

  • The right to lodge a complaint.

  • And more, which you can check out in that GDPR Article 13.

California Consumer Privacy Act (CCPA)

The CCPA is a state consumer privacy law which is very similar to that of GDPR but has lot of operational dissimilarities with GDPR.

The CCPA doesn’t require active, advance consent. You can collect and use the data right away without any confirmation from the person. However, they do have the right to demand you to stop using the data in certain ways and you must follow this demand.

The Sale of a Minor’s Private Data

A business cannot knowingly sell the private information of anyone under the age of 16. The only exception to this rule is if the minor (between the ages of 13 and 16) or the minor’s parent (if the minor is below the age of 13) has “affirmatively authorized the sale” of personal information.

Re-soliciting the Ability to Sell

If anyone decides they don’t want to allow a business to sell their private data, they expressly “opt-out” (as opposed to “opting-in”) through a button or link that gives them the option to do so. In that case, a company is prohibited from soliciting that individual’s consent (through an opt-in, etc.) for “at least 12 months.”

Exemption from the Definition of “Sale”

If a consumer opts-in, or gives their consent, then information transfers aren’t considered “sales” under the CCPA. Simply put, while the CCPA doesn’t demand consent or an opt-in in most situations, it kind of provides an incentive for businesses to obtain it from consumers. That’s because when a consumer opts in, that individual has directed the business to “disclose personal information” to a third party:

(2) For purposes of this title, a business does not sell personal information when:

(A) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.”

CCPA Opt-out requirements

While there isn’t any specific demand under the CCPA for a business to gain a specific opt-in before collecting or sharing data, it does require that companies provide consumers with the ability to opt-out.

To ensure compliance with the CCPA, you’ll need to “provide two or more methods for submitting requests to opt-out, including, an interactive form accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information,” or ‘Do Not Sell My Info,’ on the business’ website or mobile application.”

If you don’t sell personal information at all, then you won’t need to provide consumers with an opt-out form. However, you’ll need to explain this in your Privacy Policy.

Opt-out forms should:

  • Let consumers know that they have a right to opt out of the sale of their private data.

  • Use language everyone can understand. Technical or legal terms should be avoided.

  • Let consumers know exactly how they can submit requests to opt out.

  • Be accessible to all consumers, and as much as possible to those with disabilities.

At one point, the CCPA had regulations stipulating that opt-out forms needed to include links to the company’s Privacy Policy, but this has since been removed.

20 views0 comments

Recent Posts

See All
bottom of page