For United States companies that do business in the European Union, it may seem counterintuitive that of the six possible legal justifications for processing personal data under the General Data Protection Regulation (GDPR), consent is the last justification an EU company wants to rely on. But unlike the U.S. practice of passive notice and consent, GDPR sets a much higher standard for valid consent, which makes obtaining and maintaining consent from users more difficult than it is under the U.S. legal framework.

GDPR, which is based on a fundamental right of fairness in data processing, requires much more than a U.S. approach to data privacy based on principles of consumer protection and full disclosure. This distinction is clearest when looking at GDPR's requirements when companies wish to process personal data on the basis of the user's consent. Article 7 of GDPR sets out specific conditions for consent, and GDPR's explanatory recitals imply even more requirements. The European Data Protection Board (EDPB), formerly known as the Article 29 Working Party, expounded upon the GDPR's explanations. These sources tell us that for consent to be considered valid under GDPR it must be freely given, specific, unambiguous, and informed.

U.S. audiences often struggle to understand what it means for that consent to be “freely given” under GDPR because that term has a much narrower meaning in the European Union. For consent to be freely given, a refusal or withdrawal of that consent cannot result in detriment to the individual, or at least a detriment not directly related to the purpose of data processing requested. In settings where there is an imbalance of power, such as where an employee may feel pressured to comply with an employer's request, consent will rarely, if ever, be considered freely given.

The EDPB also explains that conditioning the use of a service on consent to process personal data will almost never be considered proper consent. This principle is the main thrust of complaints already filed in the EU against Google, Facebook, Instagram and WhatsApp. In its complaints, the non-profit group noyb argues that consent cannot be freely given where access to the service depends upon that consent. While the data protection authorities have yet to respond to noyb's filings, there is at least some support for its position in GDPR's text and the EDPB's guidance.

Another difference between U.S. consent and GDPR consent is that it must be specific to the purposes of processing. Unlike the blanket language for consent found in a number of U.S. privacy policies, GDPR requires a company to obtain consent for each purpose of processing. For example, if a company wants to send marketing emails to its customers and also share those email addresses with its business partners so they can send its customers advertising emails, it must obtain separate consents. A user could choose to hear more about other services that the business provides but not agree to have their email shared with other businesses, or vice versa, or agree to both, or to neither. Bundling the consent requests together would likely be invalid under GDPR.

The standard consent language in many U.S. privacy policies also presents a different GDPR issue. Under GDPR, consent must be an unambiguous indication that a user has consented to the use of their personal data. The EDPB's guidance makes clear that a passive activity, such as a pre-checked consent box, or an ambiguous activity, such as browsing a webpage or reading a privacy policy, does not demonstrate a user's consent.

Unambiguous consent doesn't necessarily require a signed document for each purpose of data processing. The EDPB explains that a signed document would not be necessary or practicable in most cases. However, users have to clearly demonstrate their consent to have their personal data used in some concrete way. For example, a user subscribing to an email list about new offers by typing in an email address and clicking a “subscribe” button is clear because the user took an affirmative action. It is also unambiguous because the only reason to enter their email address is to subscribe to the company's mailing list. As long as the users' email addresses are only used to send them emails from the mailing list, and the company properly records that the user subscribed in this way, this would likely be viewed as valid consent under GDPR.

Of course, consent only has meaning if the user knows what they consented to. GDPR requires that a business provide the user with details about the nature and scope of the requested consent for it to be valid: who is seeking the consent, what the purpose of processing the data is, the types of personal data that will be used, and the user's right to withdraw consent, among other things. While a link to a privacy notice can achieve this goal, it is important that the information be provided, or at least made accessible, before the user gives their consent.

Batya Forsyth, CIPP/US, is a partner at Hanson Bridgett in San Francisco. She is also the chair of the firm's Litigation Section and co-chair of the Privacy, Data Security and Information Governance Group. Batya counsels clients regarding privacy policies, compliance issues, data breach response and related insurance coverage issues, across multiple industries and jurisdictions. Everett Monroe is an attorney at Hanson Bridgett in San Francisco. He focuses on data privacy and intellectual property disputes and counseling, two areas in which his technical background as an electrical engineer joins with legal experience to serve clients in a range of complex matters.