Consent is only one of the six legal grounds for processing personal data under the GDPR, but it is certainly the best-known. While it might look safe and solid at first sight, it is becoming the weakest link in the GDPR compliance chain.
First, consent can be withdrawn at any time, and the process for withdrawal must be as easy as the process for providing consent. Thus, a system built only on consent can fall apart quite quickly.
More importantly, consent can be considered invalid at any time, in which case the breakdown is immediate.
One example of consent being invalidated is a Belgian retailer that required the use of a customer’s e-ID as a prerequisite for the issuance of a loyalty card. While the merchant claimed consent as legal ground, the DPA ruled that such consent could not be freely given and that it was therefore invalid.
A second example is the recent judgment of the Court of Justice of the European Union stating that a pre-ticked checkbox cannot be considered active, unambiguous consent of the user. The consent, which was required under the ePrivacy rules for the use of tracking cookies, was therefore invalid.
The impact of such invalidation should not be underestimated, as it leaves you without a valid legal ground and, thus, no way to continue the processing of personal data. If you need the personal data for your core business processes, the operational consequences can be enormous.
So how can you fortify this weak link? Make sure that you can demonstrate that users have a real choice and are fully in control when providing consent. This is a crucial step both for the validity of the consent and the fairness of the processing.
Consent without such choice or control can never be solid, and you just can’t build a castle on quicksand and expect it not to sink.