Feb 08

The Cons of Consent

Even though consent is the first legal basis in GDPR’s list of legal bases, it might not be the best option, or even a better one, for a given processing activity. This post is an argumentative piece on why you should reconsider the use of consent and focus on the other lawful grounds in GDPR’s Article 6. Although I will argue against using consent, there are of course reasons and situations when it is more suitable or the only legal basis you can rely on, but for the fun of it, I will only highlight the cons.

Firstly, consent is intertwined with the question of whether it is valid or invalid. As we know, the GDPR sets a high bar for consent. It must be freely given, specific, informed, and unambiguous. And looking at recital 42 of the GDPR, it is the controller that should “demonstrate that the data subject has given consent to the processing operation”. That means that controllers relying on consent need to manage those consents in a compliant and provable manner.

Regarding the criterion of “freely given”, we know that consent isn’t suitable for circumstances with great power imbalances, such as public authority and citizen, or employer and employee, due to the data subject’s lack of alternatives and their dependency. As if that is not enough, the same goes if the performance of a contract “is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”, according to article 7.4. There is therefore a range of scenarios where it is presumed that consent can’t be freely given due to an imbalance of power or conditionality, which calls for careful interpretation of the GDPR to make sure the consent is valid. This is evidenced by the case with Facebook and Instagram, which relied on the contractual basis for processing personal data to create personalised ads for the users of their services.

Then, before you start processing, you should define the specific purposes for which you seek consent and inform the data subject about the consent’s scope. In the consent information, the controller must, inter alia, explain the “purpose of each of the processing operations for which consent is sought”. The consent must be specific in the sense that it ensures a degree of user control and transparency for the data subject. There are three parts to obtaining specific consent: firstly, purpose specification as a safeguard against function creep; secondly, granularity in consent requests; and lastly, a clear separation of information related to obtaining consent for processing activities from information about other matters.

The data subject therefore needs to jump through these hoops and unambiguously indicate, in a statement or act of some sort, that they agree with the processing, creating valid consent before the controller starts to collect personal data, which is inherently an inconvenience. And after all of that, remember that the data subject can refuse to consent or withdraw their given consent at any time.

Secondly, if multiple legal bases apply at the same time to the same processing activity, consent might not be the most suitable and appropriate one. As it happens, by not using it, the controller could decrease their compliance burden and increase their control over the personal data. Say you are a company that contracts with parties commercially; then there are various legal bases to choose from depending on the circumstances. Processing that is necessary for concluding or performing the contract falls under article 6.1(b), documentation for bookkeeping could be a legal obligation under article 6.1(c), and other processing that is separate from contractual or legal necessity can rely on legitimate interest under article 6.1(f), provided that the balancing test results in a positive outcome. Here it is obvious that the controller doesn’t need to use consent, since there is a plethora of bases that can be used in a more suitable and appropriate way.

Using more fit-for-purpose legal bases also creates something of a processing resilience through diversification. Diversifying your legal bases away from consent could reduce the compliance burden a bit, since you no longer need to give the data subject user control via purpose specification and consent granularity. In addition to that, the controller may be able to avoid the applicability of some data subject rights that would otherwise apply to parts of the processing, like the right to erasure and the right to data portability. That way, you can protect the processing operations from disturbances and interruptions. Of course, on the other hand, control gained by the controller is control lost for the data subjects.

Finally, no one knows for how long a consent is valid. The EDPB says that it depends on the context, the scope of the original consent and the expectations of the data subject. According to them, it is best practice to refresh consent from time to time, meaning that this whole process starts all over again. So, there are uncertainties with consent deterioration as well as with making sure it is valid.

Now you have three arguments for why not to use consent. However, I would like to point out that consent is required by the ePrivacy directive for placing non-essential cookies. Moreover, it is an open question which legal basis is the most appropriate for processing the personal data collected through storing and accessing information on the data subject’s device. Because if the controller does that, they need to apply a legal basis from the GDPR in addition to the consent required by the ePrivacy directive.

In conclusion, consent is one of the applicable legal bases in the GDPR, but it has some serious drawbacks in that it requires a lot from the controller, who is responsible for demonstrating valid consents. I also argued that there is a point in diversifying away from consent to gain more control over the processing operations. But in all honesty, that doesn’t really resonate with the principle of fairness, now does it? Then there is the question of how long consent lasts and how often it would need refreshing, which, to my knowledge, nobody has a straight-to-the-point answer to. However, despite everything I’ve argued in this piece, there are times when you can’t get around using consent, since it would be the only appropriate legal basis. In the end, choosing the legal basis for processing is a delicate act which calls for careful consideration by the controller.

If you have an answer on the topic of consent deterioration, or any questions on this piece in general, feel free to shoot me an email at albin.thelin@nulldporganizer.com.
