Consent and its meaning in EU GDPR, CCPA, CPRA and Draft India PDPB 2019

Consent & Its meaning in GDPR, CCPA, CPRA and India PDPB 2019The Article has been contributed by Mr Adhit Kulkarni, Final Year Student, D.E.S Law College, Pune with inputs from Data Secure.

 Part I

Consent is at the heart of modern privacy compliance across the globe where different countries have enacted the Privacy laws to protect the personal information of the citizens or the residents.  The modern data protection and privacy laws have ensured that they are enforced globally without fail while processing the personal data or personal information of the data subject or the data principal (as in Draft India PDPB 2019).

The ability to provide consent means that the individuals gain back the control of their privacy and can manage the usage of their personal information by the data controller or the data fiduciary or the data processor.

Key Elements of Consent

So how does a genuine consent look like and what are the key elements that should  make it a genuine consent.  As per our understanding and going through an extensive study of various global data protection and privacy laws, any genuine consent will contain the following key elements at the core:

  • Freely Given. It must be truly optional for the data subject.
  • Granular and Purpose Limitation. Separate consent should be obtained for separate purposes – separate from terms and conditions and specific to the purpose and methods of the organisation.
  • Unambiguous and Clear Affirmative Action. It must be clear from the language of the consent that the individuals intended to provide consent – a clear affirmative action mean a clear action to Opt-in.
  • Avoid use of Implicit Opt-in Option. The pre-ticked boxes should be avoided or relying on any other form of silence, inactivity or consent as the default to obtain implicit Opt-in.
  • Right to Revoke or Withdraw Consent. The individual must be informed that he/she can revoke or withdraw his/her consent in a very easy way without any detrimental effect on any of the service presently being provided by the data controller or data fiduciary or the data processor.
  • Sharing of information with 3rd Parties. Individuals expect that the personal information they provide to one organisation will not be shared with another without their knowledge and consent.  As such, disclosure to third  parties must be clearly explained,  including the type of information being shared.

We would like to evaluate the privacy laws like EU GDPR, CPRA, CCPA or Draft India PDPB 2019 on the above key elements that constitute the core of Consent in the global data protection and privacy laws.

EU GDPR effective 25th May 2018

Since it’s becoming effective from May 25th, 2018, the EU GDPR has become the gold standard of Privacy Laws across the world.  Many countries that have come up with Data Protection and Privacy Laws post 2018, have followed the EU GDPR very closely for drafting the respective privacy laws.  The EU GDPR relies heavily on Consent from Data Subjects as the foundation which lays down various data subjects rights to ensure that the Privacy Rights are fully respected and implemented.

The various Articles under which Consent is accorded are:

Article 7 : Conditions for consent

  1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
  2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
  3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
  4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Article 8: Conditions applicable to child’s consent in relation to information society services

 

  1. Where point (a) of Article 6(1) applies, in relation to the offer of Information Society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
    1. Member states may provide by a law for a lower age for those purposes provided that such lower age is not below 13 years.
  2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
  3. Paragraph 1 shall not affect the general conduct contract law of member states such as the rules on the validity, formation or effect of a contract in relation to a child.

Article 9:  Processing of special categories of personal data

  

  1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning unnatural persons sex life or sexual orientation shall be prohibited
  2. paragraph 1 shall not apply if one of the following applies:
  • the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
  • processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and Social Security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to member state law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  • processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  • processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not for profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or two persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
  • processing relates to personal data which are manifestly made public by the data subject;
  • processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  • processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  • processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards refer to in paragraph 3;
  • processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy:
  • processing is necessary for achieving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with article 89(1) based on Union or Member State law which shall be proportionate to the aim pursuit, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
  1. Personal data refer to in paragraph 1 May be processed for the purposes refer to in point H of paragraph to when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under union or member state law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under union or member state law or rules established by national competent bodies.
  2. Member states maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

 The objective of sharing the Article 9: Processing of special categories of personal data,  is that many a times the processing of personal data of the data subject will happen as per the  above mentioned special categories, that may not require the consent of the data subject.  It means that EU GDPR does not emphasise “Consent”.  However, the GDPR emphasises protection of rights and freedom when the data of  living human being is involved.

For more on EU GDPR CL2016R0679EN0000020.0001.3bi_cp 1..1 (europa.eu)

 California Consumer Privacy Act (CCPA) effective 1st January, 2020

 The CCPA does not require an active, advance consent that a company obtain the consent (or the “opt- in”) of a person before collecting or using their personal information. One can collect and use the data right away without any confirmation from the individual.  The concept of consent only arises when within the CCPA if a company intends to sell the personal information.

In that context, consent applies in the following three situation:

  1. Exemption from the definition of “sale” the CCPA’s broad definition of “sale” could encompass a number of ordinary information transfers that consumers would hardly consider to be a “sale” as the term is generally understood. The CCPA exempts from the definition of “sale” any transfer that takes place because the “consumer uses or directs the business” to “intentionally disclose personal information to a 3rd party”. In other words if a consumer consents or opts-in to an information transfer it is not considered as a “sale” under the CCPA.
  2. Sale of information about minors The CCPA prohibits a business from knowingly selling the personal information of a consumer that is “less than 16 years of age” unless the consumer (in the case of individuals between 13 and 16) or the guardian (in the case of individuals under the age of 13) has “affirmatively authorised” the sale of personal information. In other words opt-in consent is needed to sell the information of a minor. Interestingly, if a business obtained the affirmative consent to transfer personal information, as discussed in the previous paragraph technically the information transfer might not be a “sale” at all.
  3. Re-soliciting the ability to sell. The CCPA states if a person opts out of the sale of information (e.g clicks a “Do Not Sell My Personal Information” link) a business is not permitted to solicit their consent (or Opt-in) to a future sale for at least 12 months.

Despite being a confusion prevailing over the Consent in CCPA, the individuals do have the right to demand the businesses to stop using their data in a certain ways and the businesses must follow this demand.

Kindly read more at California Consumer Privacy Act (CCPA) | State of California – Department of Justice – Office of the Attorney General

 California Privacy Rights Act (CPRA) effective from January 1st, 2023

 The California Consumer Privacy Act (CCPA) came into effect January 1st, 2020 and is the state’s current privacy law . However, it is already due to be expanded and amended by the California Privacy Rights Act of 2020 (CPRA), approved by California voters through ballot initiative in November 2020. The CPRA a will come into effect as of January 1st, 2023. It does not replace the CCPA, but is rather an update and addition to it.

CPRA adjusts the criteria for applicability, adds a category for sensitive personal information, gives individuals new rights and also expands some of the CCPA rights.  It also creates a new private enforcement authority and adopts some principles from the EU GDPR.

Let’s explore various consent clauses and provisions in CPRA:

Section 14. Section 1798.140 of the Civil Code is amended to read:

1798.140 Definitions:

(h) “Consent” means any freely given, specific, informed and unambiguous indication of the consumer’s wishes by which he or she, or his or her legal guardian, by a person who has power of attorney or is acting as a conservator for the consumer, such as by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose. Acceptance of general or broad terms of use or similar document that contains descriptions of personal information processing along with other, unrelated information does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. Likewise, agreement obtained through use of dark patterns does not constitute consent.

Section 4: General Duties of Businesses that Collect Personal Information

(a) A business that controls the collection of consumer’s personal information shall, at or before the point of collection, inform consumers as to:

(1) the categories of personal information to be collected and the purposes for which the categories of personal information are collected or used shall be used and whether such information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected, without providing the consumer with notice consistent with this section.

(2) if the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used and whether such information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected, without providing the consumer with notice consistent with this section.

(3) the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period, provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.

(b) A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage of its internet website. In addition, If such business, acting as a third party, controls the collection of personal information about a consumer on its premises, Including in a vehicle, then the business shall, at or before the point of collection, Inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether such personal information is sold, In a clear and conspicuous manner at such location.

Section 8: Section 1798.115 of the Civil Code is amended to read:

1798.115. Consumers’ Right to Know What Personal Information is Sold or Shared and to Whom

1798.115.

(a) A consumer shall have the right to request that a business that sells or shares the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer:

(1) The categories of personal information that the business collected about the consumer.

(2) The categories of personal information that the business sold or shared about the consumer and the categories of third parties to whom the personal information was sold or shared, by category or categories of personal information for each category of third party parties to whom the personal information was sold or shared.

(3) The categories of personal information that the business disclosed about the consumer for a business purpose and the categories of persons to whom it was disclosed for a business purpose.

(b) A business that sells or shares personal information about a consumer, or that discloses a consumer’s personal information for a business purpose, shall disclose, pursuant to paragraph (4) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) to the consumer upon receipt of a verifiable consumer request from the consumer.

(c) A business that sells or shares consumers’ personal information, or that discloses consumers’ personal information for a business purpose, shall disclose, pursuant to subparagraph (C) of paragraph (5) of subdivision (a) of Section 1798.130:

(1) The category or categories of consumers’ personal information it has sold or shared, or if the business has not sold or shared consumers’ personal information, it shall disclose that fact.

(2) The category or categories of consumers’ personal information it has disclosed for a business purpose, or if the business has not disclosed the consumers’ personal information for a business purpose, It shall disclose that fact.

(d) A third party shall not sell or share personal information about a consumer that has been sold to, or shared with, the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out pursuant to Section 1798.120.

SEC. 13. Section 1798.135 of the Civil Code is amended to read:

1798.135. Methods of Limiting Sale, Sharing, and Use of Personal Information and Use of Sensitive Personal Information:

(a)A business that sells or shares consumer’s personal information or uses or discloses consumer’s sensitive personal information for purposes other than those authorised by subdivision (a) of section 1798.121 shall, in a form that is reasonably accessible to consumer’s;

  • provide a clear and conspicuous link on the business’s Internet homepage(s), titled “Do Not Sell or Share My Personal Information”, to an Internet web page that enables a consumer, or a person authorised by the consumer, to opt-out of the sale or sharing of the consumers personal information.
  • provide a clear and conspicuous link on the business’s Internet homepage(s), titled “Limit The Use Of My Sensitive Personal Information”, that enables a consumer, or a person authorised by the consumer, to limit the use or disclosure of the consumers sensitive personal information to those uses authorised by subdivision bracket a of section 1798.121
  • At the business’s discretion, utilise a single, clearly labelled link on the business’s Internet homepage(s), in lieu of complying with paragraph (1) and (2), if such link easily allows a consumer to opt-out of the sale or sharing of the consumer’s personal information and to limit the use or disclosure of the consumer’s sensitive personal information.
  • In the event that a Business responds to opt out request received pursuant to paragraph 1, 2 or 3 by informing the consumer of a charge for the use of any product or service, present the terms of any financial incentives offered pursuant to subdivision (b) of section 1798.125 for the retention, use, sale, or sharing of the consumer’s personal information.

 (b)(1): A business shall not be required to comply with subdivision (a) if the business allows consumers to opt-out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism, based on technical specifications set forth in regulations adopted pursuant to paragraph (20) of subdivision (a) of Section 1798.185, to the business indicating the consumer’s intent to opt-out of the business’s sale or sharing of the consumer’s personal information or to limit the use or disclosure of the consumer’s sensitive personal information, or both.

(2): A business that allows consumers to opt-out of the sale or sharing of their personal information and to limit the use of their sensitive personal information pursuant to paragraph (1) may provide a link to a webpage that enables the consumer to consent to the business ignoring the apt-out preference signal with respect to that business’s sale or sharing of the consumer’s personal information or the use of the consumer’s sensitive personal information for additional purposes provided that: (A) the consent webpage also allows the consumer or a person authorized by the consumer to revoke such consent as easily as it is affirmatively provided; (B) the link to the webpage does not degrade the consumer’s experience on the webpage the consumer intends to visit and has a similar look, feel, and size relative to other links on the same webpage; and (C) the consent webpage complies with technical specifications set forth in regulations adopted pursuant to paragraph (20) of subdivision (a) of Section 1798.185.

 (c) A business that is subject to this Section shall:

(1)  Not require a consumer to create an account or provide additional information beyond what is necessary in order to direct the business not to sell or share the consumer’s personal information or to limit use or disclosure of the consumer’s sensitive personal information.

(2) Include a description of a consumer’s rights pursuant to Sections 1798.120 and 1798.121, along with a separate link to the “Do Not Sell or Share My Personal Information” internet webpage and a separate link to the “Limit the Use of My Sensitive Personal Information” Internet webpage, if applicable, or a single link to both choices, or a statement that the business responds to and abides by opt-out preference signals sent by a platform, technology, or mechanism in accordance with subdivision (b), in:

(A) Its online privacy policy or policies if the business has an online privacy policy or policies.

(B) Any California-specific description of consumers’ privacy rights.

(3) Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Sections 1798.120, 1798.121, and this section and how to direct consumers to exercise their rights under those sections.

(4) For consumers who exercise their right to opt-out of the sale or sharing of their personal information or limit the use or disclosure of their sensitive personal information, refrain from selling or sharing the consumer’s personal information or using or disclosing the consumer’s sensitive personal information and wait for at least 12 months before requesting that the consumer authorize the sale or sharing of the consumer’s personal information or the use and disclosure of the consumer’s sensitive personal information for additional purposes, or as authorized by regulations.

(5) For consumers under 16 years of age who do not consent to the sale or sharing of their personal information, refrain from selling or sharing the personal information of the consumer under 1. 6 years of age, and wait for at least 12 months before requesting the consumer’s consent again, or as authorized by regulations or until the consumer attains 16 years of age.

(6) Use any personal information collected from the consumer in connection with the submission of the consumer’s opt-out request solely for the purposes of complying with the opt-out request.

SEC. 21. Section 1798.185 of the Civil Code is amended to read:

1798.185.Regulations

 (19) (A) Issuing regulations to define the requirements and technical specifications for an opt-out preference signal sent by a platform, technology, or mechanism, to indicate a consumer’s intent to opt-out of the sale or sharing of the consumer’s personal information and to limit the use or disclosure of the consumer’s sensitive personal information.

The requirements and specifications for the opt-out preference signal should be updated from time to time to reflect the means by which consumers interact with businesses, and should:

(i) ensure that the manufacturer of a platform or browser or device that sends the opt-out preference signal cannot unfairly disadvantage another business;

(ii) ensure that the opt-out preference signal is consumer friendly, clearly described, and easy to use by an average consumer, and does not require that the consumer provide additional information beyond what is necessary;

(iii) clearly represent a consumer’s intent and be free of defaults constraining or presupposing such intent;

(iv) ensure that the opt-out preference signal does not conflict with other commonly-used privacy settings or tools that consumers may employ;

(v) provide a mechanism for the consumer to selectively consent to a business’s sale of the consumer’s personal information, or the use or disclosure of the consumer’s sensitive personal information, without affecting their preferences with respect to other businesses or disabling the opt-out preference signal globally; and

(vi) state that in the case of a page or setting view which the consumer accesses to set the opt-out preference signal, the consumer should see up to three choices, including;

(a) a global opt-out from sale and sharing of personal information, including a direction to limit the use of sensitive personal information;

(b) a choice to “Limit The Use Of My Sensitive Personal Information”; and

(c) a choice titled “Do Not Sell/Do Not Share/Do Not Share My Personal Information for Cross-Context Behavioural Advertising.”

Kindly read more at The CPRA

 To be continued….Part II

 We at Data Secure(www.datasecure.ind.in)  can help you to understand Privacy and Trust while dealing with data and provide Privacy Training and Awareness sessions to improve upon the knowledge of Privacy what you already know.

For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA, CPRA or Draft India PDPB 2019 and Secure Email transmission, kindly write to us at info@datasecure.ind.in.

For downloading various Global Privacy Laws kindly visit the Resources page in DATA SECURE – Privacy Automation Solution

Leave a Reply

Your email address will not be published. Required fields are marked *