Your privacy statement is not a contract or: how to ask valid consent online

Interfyde® • July 29, 2020

You have probably seen this pop-up message before when browsing the internet: ‘By clicking here or by continuing on our website, you accept the terms in our privacy statement.’ Usually, the acceptance of the terms in the privacy statement is a condition for making use of the website or a certain service.


There are at least two things wrong with this pop-up message. First, having data subjects agree to the processing of their personal data in this manner does not result in valid consent under the General Data Protection Regulation (GDPR). Second, a privacy statement does not require any acceptance by data subjects.


There seem to be misconceptions among some organisations regarding the purpose of a privacy statement. In this article, we will explain the purpose of a privacy statement and how this relates to obtaining consent.

 

The purpose of a privacy statement

The GDPR requires you as an organisation to be transparent about the processing of personal data. You therefore need to inform data subjects about the processing of their personal data. You must provide them with certain information such as the purposes for processing. The exact information that you need to provide depends on how you have acquired their personal data (articles 13 and 14 GDPR).

 

The purpose of a privacy statement is to fulfil your transparency obligations by telling the data subjects how you are processing their personal data. A privacy statement is nothing more than a description of your personal data processing activities in a language that is clear and understandable for the data subjects.

 

Having data subjects “agree” to your privacy statement does not mean that every personal data processing activity that you have described in there suddenly becomes lawful. You should first make sure that all your personal data processing activities are lawful (which might require obtaining consent). Once you have done that, you should describe the data processing activities in your privacy statement.

 

Obtaining consent

If you want to lawfully process personal data, you will need a legal basis for processing. One of the six (and perhaps the most important) legal bases for the processing of personal data is consent (article 6(1)(a) GDPR). According to the GDPR, consent must be freely given, specific, informed and unambiguous. If you rely on consent for the processing of personal data, you must be able to demonstrate that the data subject has provided his or her freely given, specific, informed and unambiguous consent.

 

Freely given

'Freely given' means that data subjects have a genuine choice when providing their consent. You should keep in mind that consenting to the processing of personal data cannot be a counter-performance of a contract. Consent cannot be freely given by data subjects if their consent is bundled up as a non-negotiable part of your terms and conditions. You must be able to demonstrate that data subjects are able to withdraw or refuse their consent without any detriment. Withdrawing consent must be just as easy as providing consent. If you require data subjects to “accept” the “terms” of your privacy statement as a condition for providing them your services or access to your website, you are not able to prove that they can refuse consent without detriment. Not being able to make use of your services or access your website is clearly a disadvantage for the data subject.


An example of consent that is not freely given is how the Dutch video-streaming service Videoland (which is owned by RTL) asks for consent for the processing of personal data consisting of monitoring behaviour on their platforms (at least at the time of writing this blog post). If you want to purchase a subscription to their platform, you will need to “agree” with their privacy statement. This privacy statement states that your behaviour on RTL websites may be monitored for targeted advertising purposes. As you are not able to purchase the Videoland service without consenting to the processing of your personal data, this cannot amount to a freely given consent.

Specific

Consent must be 'specific'. This means that you should clearly specify the purpose(s) for which the personal data is processed. You must make sure that data subjects can provide their consent for each individual purpose for processing if the consent relates to multiple purposes. This relates to the condition of 'freely given', as a take-it-or-leave-it choice, where you have to consent to everything or get nothing, is not a genuine choice and therefore not lawful. Furthermore, consent can only be specific if the consent-related information that you provide is clearly separated from information about other matters. 


Informed

You should also keep in mind that consent must be 'informed'. Informed means that data subjects can understand what they are agreeing to and what their rights are. You should at least provide information on:

  • the controller’s identity;
  • the purpose of each of the processing operations for which consent is sought;
  • the type of personal data that will be collected and used;
  • the existence of the right to withdraw consent;
  • (if applicable) any information about the use of the personal data for automated decision-making; and
  • (if applicable) information on the transfer of personal data to a third country.


Although information on the processing of personal data must be provided to data subjects in the context of article 13 or 14 GDPR anyway, it is not advisable to refer to a privacy statement when obtaining informed consent. If you are reading a lengthy privacy statement that covers much more than processing based on consent, it might not be easy to understand to which categories of personal data or to which purposes the consent that is being asked relates. This is linked to the condition of 'specific', as consent-related information should be separated from information about other matters.


You should provide data subjects with "layered and granular information" at the moment of obtaining consent. That means that when obtaining consent, data subjects should first be provided with clear and concise information that only relates to the processing based on consent. After the first layer of information has been provided, you can provide a link to the second layer of information, which can be more extensive. This second layer can be your full privacy statement. In the above-mentioned example of Videoland, the layering of information has been done correctly, although no information on the existence of the right to withdraw consent has been provided.


Unambiguous

Consent must be a clear affirmative act, otherwise it would not be 'unambiguous'. Obtaining consent by showing a message such as ‘By continuing on our website, you agree to our privacy statement’ can never result in valid consent, as continuing to browse on a website is not a clear affirmative act. It would also be difficult to provide the data subject with an option to withdraw his consent in a way that is just as easy as providing consent. How would a data subject be able to withdraw his consent in a way that is just as easy as continuing to browse on your website?


Conclusion

A privacy statement is a tool for providing information to data subjects, not for gathering information from them. You should not regard a privacy statement as some sort of contract with data subjects. Having data subjects “agree” to any “terms” in your privacy statement does not ensure that the described processing of personal data is actually lawful. Make sure that your processing activities are lawful, which could require obtaining valid consent. Once you have ensured that, you should describe this in your privacy statement as a way of fulfilling your transparency obligations.

 

Are you not sure if your data processing activities are lawful or how to describe them in a privacy statement? Make sure to contact us!