Requirements for valid consent - Why opting-in should not be optional

May.04.2016

The Düsseldorfer Kreis, a committee made up of representatives of German data protection authorities, recently published guidance on the requirements for obtaining valid consent to the collection, processing and use of personal data under the relevant German data protection provisions, the Federal Data Protection Act (Bundesdatenschutzgesetz) ("BDSG") and the Telemedia Act (Telemediengesetz).

The Düsseldorfer Kreis frequently publishes guidelines on topics of relevance for data privacy law which are broadly recognized as good practices (and from the supervisory authorities' viewpoint, mandatory interpretations of the applicable law). The German data protection authorities found the topic of consent to be particularly relevant, noting that while it is common for companies to rely on obtaining consent from their customers to justify the processing of personal data, in many cases these companies fail to implement compliant data privacy consent language into their business processes. To ensure that such data processing can be performed in compliance with data privacy law, the procedure of obtaining valid consent should be the focus of any company active in processing personal data.

The Düsseldorfer Kreis guidelines, which apply to both online and off-line data-processing consents, address the following issues:

Content of consent: A company must provide sufficient disclosures that clearly, transparently, and comprehensibly inform the individual about the nature of the consent and about the collection, processing and use of personal data relating to him or her. This shall include information about the consequences of a refusal of consent, the possibility to revoke consent, information about the data controller and processor and, where applicable, information about the transfer of personal data to third parties.
Explicit consent wording: The consent wording should explicitly clarify that the individual is actively giving consent and declaring an intention, rather than merely acknowledging something in passing, by using wording like: "I hereby consent to […]", "I hereby agree […]", "By signing this document you give consent to […]". In contrast, the statement, "I have read and agree with all data processing operations described in the Company's data privacy policy"" may not be sufficient to demonstrate active, explicit consent under the guidelines.
Conscious affirmative action: An individual's consent requires an action. A preselected box ("opt-out") for example does not constitute active consent since the individual is not required to act. Instead, the individual should be required to actively select a box ("opt in"), to demonstrate that the individual affirmatively took action and has been made aware of rendering a declaration. (Note that this view of the German supervisory group goes beyond of what is legally required for off-online consent forms. In its "Payback" decision, the German Federal Supreme Court (Bundesgerichtshof, "BGH") ruled in 2008 that the requirements for paper-based consent under the BDSG do not require an active "opt-in". According to this decision, a mere acknowledgement of a preselected consent box in a text conveyed on paper constitutes valid consent.).
Voluntary consent: Consent must be given voluntarily and by choice. Consent shall not be considered voluntary if the individual is unable to refuse or withdraw consent without detriment. Consent wording must state the option to not give consent and must also explain that the individual may revoke consent for further processing at any time in the future.
Informative, distinguishable headings: Where consent wording is included in longer text, the section regarding consent should be marked by an informative heading to make it clearly distinguishable from the rest. For example, a heading could read: "Declaration of consent regarding data processing" or "Consent declaration data protection/privacy".
Separation and allocation: Information about data processing and the consent wording should be easily separated from other information, even if such information relates to data privacy, so that the consent language is clearly distinguishable.
Typographical emphasis: Where consent wording is included in a longer text, it should be enhanced or highlighted typographically to stand out against the rest of the text to make it easily distinguishable, e.g. by using bold writing, larger font; frames or different color text.
Position in a declaration: In a longer text or declaration, even one concerning data privacy, the consent wording should be placed directly before the confirming signature field to clarify that the consent is necessary for the validity of the declaration. If there is no signature field and/or the consent is provided online, the consent language should be prominently placed, for example, at the top of a longer declaration.
Particular attention to special categories of data: When processing special categories of data, such as data about ethnic background, religious beliefs or health, the consent wording must clearly state the type of special categories of data to which the consent relates.

Consent by electronic means: When using electronic information and communication services, consent must be given consciously and explicitly. In addition, the individual must be able to review the consent wording at any time and be able to revoke such consent for future processing. Further, the grant of consent must be stored in a logfile so that the website operator is enabled to demonstrate the time when the consent was granted.

Under the EU General Data Protection Regulation ("GDPR"), which will go into effect in spring 2018 and will apply directly in all EU Member States, valid consent will remain one of the measures to justify processing of personal data. Though further guidance on the GDPR interpretation is still expected, the consent requirements of the GDPR are in essence similar to the ones foreseen by German law and addressed by the Düsseldorfer Kreis. Two years before the EU General Data Protection Regulation ("GDPR") comes into effect these recommendations of Düsseldorfer Kreis provide helpful guidance for companies working to bring their consent wording up to scratch.

Companies doing business in Germany should seize the opportunity to conduct an analysis of their data-processing activities, determine which activities require the individual's consent, and review the company's consent language and processes to ensure compliance with data privacy law, before the increased fines of the GDPR go into effect in 2018.

Authors

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Emily S. Tabatabai Partner, Cyber, Privacy & Data Innovation, Technology Companies Group

Washington, D.C.; Houston

See my bio

D:+1 202 339 8698
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Companies Group
Internet of Things
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Emily S. Tabatabai Partner

Washington, D.C.; Houston

Emily provides strategic counseling and advice on privacy, consumer protection and online safety matters to clients across industries, including retail, ecommerce, mobile apps, gaming, social media, advertising technology (adtech), financial services, education, business services and technology. She also represents clients subject to regulatory investigations, including before the FTC and States Attorneys General, Congressional committees and other regulatory agencies and groups.

Emily provides proactive compliance guidance, and regulatory investigation defense, on a variety of privacy and consumer protection laws, including:

U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)
Children’s Online Privacy Protection Act (COPPA)
Online safety laws for kids and teens, including California Age-Appropriate Design Code Act (AADC), Utah Social Media Regulation Act and others
Section 5 of the Federal Trade Commission Act (FTC Act) and state unfair and deceptive acts and practices (UDAP) laws
Family Educational Rights and Privacy Act (FERPA)
California’s Student Online Personal Information Protection Act (SOPIPA), New York’s Education Law 2-d and other state student data privacy laws
Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Washington My Health My Data Act and other state health privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Telephone Consumer Protection Act (TCPA)
Telemarketing Sales Rule (TSR)
Restore Online Shoppers’ Confidence Act (ROSCA)

Emily is a frequent speaker on data privacy matters, with a particular focus on children’s privacy (COPPA), student data privacy and EdTech and online safety laws for kids and teens. She has been featured as an “Up and Coming” Privacy & Data Security attorney by Chambers USA and Chambers Global. Clients tell Chambers, “She’s been an excellent partner. She has a very good understanding of the practical realities of implementing privacy policies for large companies.” Citing her expertise in the field of educational privacy, student data and EdTech matters, Chambers reports that clients regard her as “very knowledgeable and truly an expert in this space,” with some saying, “On the student data side, she is unmatched,” and The Legal 500 notes that Emily “is the first port of call for child- and student-directed service providers for compliance advice with COPPA, SOPIPA and CalOPPA regulations.”

Emily also has an active consumer protection practice, focused on marketing and promotional issues. She counsels clients on advertisements and endorsements, retail sales and e-commerce, advertising substantiation, SMS and telemarketing, social media and online advertising.

Related Areas

Markets

Germany