UK Privacy Regulator Publishes Draft Guidelines on 'consent' under the GDPR

The UK Information Commissioner (the British privacy regulator) has published a draft of proposed guidance on the notion of ‘consent’ under the General Data Protection Regulation (GDPR), set to take effect in May 2018. The draft guidance emphasizes that the GDPR establishes an elevated standard for consent. It requires offering individuals genuine choice and control over the collection and processing of their personal data.

The draft explains that genuine consent requires an affirmative opt-in mechanism rather than pre-ticked boxes or any other method of consent by default. The draft also clarifies that consent requests for the collection and use of personal data should be kept separate from other terms and conditions.

Under this new draft guidance, privacy policies need to be clear and concise, they should explain how individuals may withdraw their consent and should make it easy to do so in practice. Providers should also avoid making consent a precondition for obtaining a service. The draft goes on to explain that organizations are required to identify themselves, by name, when obtaining consent, and must also name all other parties who rely on the consent obtained by the original organization as the basis for their subsequent use of that data.

Other than the publication of the draft guidance, the UK information commissioner recently stated that in preparation for Brexit, the UK needs to secure a data protection adequacy finding from the European Commission. This is required in order to streamline the flow of personal data from the EU to the UK. On this same topic, the British Digital Minister has stated that in preparation for Brexit, the UK is expected to overhaul its current Data Protection Act so that it fully reflects the GDPR’s requirements.

CLICK HERE for UK ICO’s GDPR Consent Draft Guidance.