Consent is as crucial as it is complicated. As one of the legal grounds for data processing, asking for consent is often an important part of personal data collection. While the GDPR clarifies a lot of the confusion and vagueness about the meaning of consent, there is still some confusion over one thing: Explicit consent. The GDPR defines consent as:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Delving deeper, according to various sections within the GDPR, there are two types of consent: Unambiguous consent (Article 4) and Explicit consent (Article 9.1). If the data is ordinary, non-sensitive personal data, “unambiguous” consent suffices. However, “explicit” consent is required if the data in question is sensitive data (data concerning physical or mental health data, racial or ethnic origin etc.) So, what exactly is the difference?
Explicit versus Unambiguous consent
The difference between “unambiguous consent” and “explicit consent” is not immediately a clear one. Since consent must always be informed, specific and communicated through affirmative action, it seems that any type of consent will require a data subject to be fully aware of what they are agreeing to and clearly indicate their agreement with this. Isn’t all consent that is unambiguous and informed automatically explicit? Not necessarily.
Let’s start with explicit consent. Explicit consent requires a subject to clearly and explicitly agree to their personal and (crucially) sensitive data being processed.
Under GDPR Article 9 explicit consent is required for the processing of certain “special” types of personal data. Examples include racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Explicit consent must be obtained through a statement that should: “specify the nature of data that’s being collected, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of the transfer”. (Directive 95/46/EC, Article 29).
Explicit consent, then, consists of nothing less than presenting the data subject with an explicit statement regarding the specific personal data to be collected and an explicit action by the subject agreeing with this statement (such as ticking a box saying ‘I agree’). Simply stated: the data subject should quite literally and explicitly say “I consent” for consent to be considered explicit.
Unambiguous (implied) consent
Consent for regular, non-sensitive personal data doesn’t necessarily need to be explicit, but it does need to be unambiguous. We can call this unambiguous, implied consent. Unambiguous, implied consent is best explained through an example.
Say a person wants to answer an online competition. They enter several optional pieces of information, including their email address. Above the field it is stated that ‘we will use your email to keep you up to date on special offers’. By entering their email address after reading the notice, the subject consents to giving their information (that is, their email address) without ever explicitly stating ‘I consent’ or ‘I agree’. The affirmative action of entering their email is enough to constitute unambiguous consent, even though it is implicit and not said ‘out loud’.