Requirements for valid consent - Why opting-in should not be optional


The Düsseldorfer Kreis, a committee made up of representatives of German data protection authorities, recently published guidance on the requirements for obtaining valid consent to the collection, processing and use of personal data under the relevant German data protection provisions, the Federal Data Protection Act (Bundesdatenschutzgesetz) ("BDSG") and the Telemedia Act (Telemediengesetz).

The Düsseldorfer Kreis frequently publishes guidelines on topics of relevance for data privacy law which are broadly recognized as good practices (and from the supervisory authorities' viewpoint, mandatory interpretations of the applicable law). The German data protection authorities found the topic of consent to be particularly relevant, noting that while it is common for companies to rely on obtaining consent from their customers to justify the processing of personal data, in many cases these companies fail to implement compliant data privacy consent language into their business processes. To ensure that such data processing can be performed in compliance with data privacy law, the procedure of obtaining valid consent should be the focus of any company active in processing personal data.

The Düsseldorfer Kreis guidelines, which apply to both online and off-line data-processing consents, address the following issues:

  • Content of consent: A company must provide sufficient disclosures that clearly, transparently, and comprehensibly inform the individual about the nature of the consent and about the collection, processing and use of personal data relating to him or her. This shall include information about the consequences of a refusal of consent, the possibility to revoke consent, information about the data controller and processor and, where applicable, information about the transfer of personal data to third parties.
  • Explicit consent wording: The consent wording should explicitly clarify that the individual is actively giving consent and declaring an intention, rather than merely acknowledging something in passing, by using wording like: "I hereby consent to […]", "I hereby agree […]", "By signing this document you give consent to […]". In contrast, the statement, "I have read and agree with all data processing operations described in the Company's data privacy policy"" may not be sufficient to demonstrate active, explicit consent under the guidelines.
  • Conscious affirmative action: An individual's consent requires an action. A preselected box ("opt-out") for example does not constitute active consent since the individual is not required to act. Instead, the individual should be required to actively select a box ("opt in"), to demonstrate that the individual affirmatively took action and has been made aware of rendering a declaration. (Note that this view of the German supervisory group goes beyond of what is legally required for off-online consent forms. In its "Payback" decision, the German Federal Supreme Court (Bundesgerichtshof, "BGH") ruled in 2008 that the requirements for paper-based consent under the BDSG do not require an active "opt-in". According to this decision, a mere acknowledgement of a preselected consent box in a text conveyed on paper constitutes valid consent.).
  • Voluntary consent: Consent must be given voluntarily and by choice. Consent shall not be considered voluntary if the individual is unable to refuse or withdraw consent without detriment. Consent wording must state the option to not give consent and must also explain that the individual may revoke consent for further processing at any time in the future.
  • Informative, distinguishable headings: Where consent wording is included in longer text, the section regarding consent should be marked by an informative heading to make it clearly distinguishable from the rest. For example, a heading could read: "Declaration of consent regarding data processing" or "Consent declaration data protection/privacy".
  • Separation and allocation: Information about data processing and the consent wording should be easily separated from other information, even if such information relates to data privacy, so that the consent language is clearly distinguishable.
  • Typographical emphasis: Where consent wording is included in a longer text, it should be enhanced or highlighted typographically to stand out against the rest of the text to make it easily distinguishable, e.g. by using bold writing, larger font; frames or different color text.
  • Position in a declaration: In a longer text or declaration, even one concerning data privacy, the consent wording should be placed directly before the confirming signature field to clarify that the consent is necessary for the validity of the declaration. If there is no signature field and/or the consent is provided online, the consent language should be prominently placed, for example, at the top of a longer declaration.
  • Particular attention to special categories of data: When processing special categories of data, such as data about ethnic background, religious beliefs or health, the consent wording must clearly state the type of special categories of data to which the consent relates.

Consent by electronic means: When using electronic information and communication services, consent must be given consciously and explicitly. In addition, the individual must be able to review the consent wording at any time and be able to revoke such consent for future processing. Further, the grant of consent must be stored in a logfile so that the website operator is enabled to demonstrate the time when the consent was granted.

Under the EU General Data Protection Regulation ("GDPR"), which will go into effect in spring 2018 and will apply directly in all EU Member States, valid consent will remain one of the measures to justify processing of personal data. Though further guidance on the GDPR interpretation is still expected, the consent requirements of the GDPR are in essence similar to the ones foreseen by German law and addressed by the Düsseldorfer Kreis. Two years before the EU General Data Protection Regulation ("GDPR") comes into effect these recommendations of Düsseldorfer Kreis provide helpful guidance for companies working to bring their consent wording up to scratch.

Companies doing business in Germany should seize the opportunity to conduct an analysis of their data-processing activities, determine which activities require the individual's consent, and review the company's consent language and processes to ensure compliance with data privacy law, before the increased fines of the GDPR go into effect in 2018.