A data subject’s consent to processing of their personal data must be as easy to withdraw as to give. Consent must be “explicit” for sensitive data. The data controller is required to be able to demonstrate that consent was given. Existing consents may still work, but only provided they meet the new conditions.
There has been much debate around whether consent provides a valid legal ground for processing where there is a significant imbalance between the data subject and data controller. The GDPR states that in assessing whether consent has been freely given, account shall be taken, for example, of whether the performance of a contract is made conditional on the consent to processing data that is not necessary to perform that contract. This may affect some e-commerce services, among others.
In addition, Member States may provide more specific rules for use of consent in the employment context. The Recitals add that consent is not freely given if the data subject had no genuine and free choice or is unable to withdraw or refuse consent without detriment.
Where personal data is processed for direct marketing the data subject will have a right to object. This right will have to be explicitly brought to their attention.
Another topic of huge debate relates to parental consent being required for children to receive information society services. The compromise (that Member States can lower the age from 16 to 13) will result in a lack of harmonisation and companies who operate across several Member States generally choosing to meet the highest standard.
The Recitals provide, however, that parental consent is not required in the context of preventative or counselling services offered directly to a child.
Also see a more in-depth look at the changes to consent.