Consent receipt: A tool for transparency and proactive accountability

The consent is only one of the six lawful bases on which controllers can process personal data. However, for this to be valid, a series of requirements must be met and, in addition, controllers must be able to prove that the interested party consented to the processing of personal data.

Consent must be “freely given, specific, informed and unambiguous”, as set forth in Guidelines on consent according to Regulation 2016/679. In addition, control over it must be offered to the interested party, and this party must be offered the possibility of accepting or rejecting the terms and conditions under which it is provided. The data subject must know a minimum amount of information, prior to the provision of consent, which is key to make a valid and clearly informed decision. This information is established in Article 13 of the GDPR, which includes the identity of the controller, the purpose of each procedure operation authorised, the type of data to be collected and subsequently used, if decisions based solely on the automated processing of data are to be taken or not, possible risks if international transfers occur and the existence of the right to withdraw the consent and the proceeding to do so.

This information is often “hidden” in long privacy policies related to the application or service provided and that, this being accumulated over time and linked to different processing of different controllers, lead the interested party to losing of control on the data, on who has them and on the purpose, the aforementioned right becoming limited.

On the other hand, according to article 7 of the Regulation, when the processing is carried out under the consent, it must be verifiable and the controller must prove that the interested party provided it on a valid basis. The GDPR does not establish a specific procedure on how the controller should be able to prove that a valid consent has been obtained, being free to implement the way of obtaining and registering the consent that best suits the organisation's processes. However, at the less, it must be proof of who granted the consent, and when, how and for what it was granted, as well as the information that was provided at the time of obtaining it. This obligation remains as long as the processing of personal data continues under the initial conditions in which the data was collected, and must be verifiable in case of audit or inspection.

Hence, it becomes interesting the implementation of tools offering guarantees to the several parties involved in the consent process and allowing them to manage this with regard to the relevant processing of personal data.

In this regard, the Kantara initiative is a non-profit association that brings together several of the global companies that work to improve the reliable use of identity and personal data by means of innovation, standardisation and good practices in the field of digital identity management and data privacy. It is currently working on a project, called “Consent Receipt 1.0 (CR 1.0)” prepared in response to community comments interested in an consent receipt such as the one mentioned in Annex B of the ISO/IEC DIS 29184 development standard ISO/IEC DIS 29184 Information Technology - Online privacy notices and consent.

The purpose of this initiative is to develop a privacy standard that enables registering consent in a common, structured, open and interoperable format, based on the codes and good practices of the industry, which could be used to provide the interested party with a “receipt” of the procedures in the that consents and allows users to easily exercise their rights: track the consents given, know how the information was processed or know who to hold responsible in the event of a security breach. In this regard, the controller is helped to implement a genuine governance of consents obtained and guarantee their traceability throughout all the phases of the processing (collection, processing, withdrawal and communication to third parties).

Adopting an approach such as the one proposed would allow interested parties, on the one hand, to have a way to control and manage their consent before, during and after the processing by actually making them owners of their personal data, and the controllers, on the other hand, to promote transparency and have a processing for registering verifiable consents thus responding, in a practical way, to the “Control” and “Demonstrate” privacy strategies described in the Guide to Privacy by Design published in the AEPD (Spanish Data Protection Agency). Moreover, an interoperable registration of consents opens up the possibility of an agile and flexible interaction between controllers and processors if it is required to guarantee, within the framework of a processing order such as the acquisition of a database or the collection of personal data carried out by the processor on behalf of the controller, that all the requirements are fulfilled so that the processing, based on the consent, is lawful.