Exterro's Legal GRC Breakdown


Data Privacy Alert: Norwegian DPA’s Interpretation of Consent Sets New International Standard

Created on October 28, 2022


Director of Marketing, Privacy

In 2021, the Norwegian data protection authority, Datatilsynet, issued an $11.7 million fine against the gay social media application Grindr for violating users’ consent rights under GDPR. Viewed alongside recent trends, it is apparent that Datatilsynet’s definition of consent, which requires it to be specific, informed, freely given, unambiguous, and granular, will require organizations to transform how they obtain and manage consumer consent.

Overview

Datatilsynet issued an administrative fine of NOK 100,000,000 (approximately €10 million) for Grindr’s failure to comply with GDPR rules on consent. The DPA found that Grindr shared user data with a number of third parties for marketing purposes without a legal basis, including GPS location, user profile data, and the fact that the user in question was on Grindr. While Grindr had obtained some user consent, the DPA found that it failed to meet several of the criteria GDPR requires for valid consent.


Datatilsynet’s decision clarifies key elements of the standard for consent set by GDPR, a standard that is potentially applicable in other jurisdictions as well.

  • Freely given: Separate, non-bundled consent for each purpose is required, and organizations cannot make consent a pre-condition to delivering services. Sharing personal data with advertising partners requires separate consent, as it is not necessary for providing the main services.
  • Specific: The consent needs to be granular for each purpose. Accepting an entire privacy notice is not compliant.
  • Informed: The information explaining the choice needs to be clear, so users understand the consequences of their choice. When asking for consent for multiple purposes, each one must be distinct.
  • Unambiguous: It must be obvious that consent was given. Clicking “I accept the Privacy Policy” is not enough.

GDPR’s approach to consent is often simplified as “opt-in,” meaning that subjects must choose to allow processing before it can begin. “Opt-out” approaches, prevalent in other regulations, allow processing of personal data until the subject decides to stop it by opting out.

Who It Applies To

While the fine was levied against Grindr, and the DPA’s interpretation of consent applies in Norway and more broadly under GDPR, there is little doubt that the standard of consumer consent is changing, and the ramifications of the decision may be much farther reaching.

Several US states with comprehensive privacy laws, including Virginia, California, and Colorado, use a definition of consent lifted verbatim from Article 7 of the GDPR, requiring that consent be a “freely given, specific, informed, and unambiguous indication of the consumer’s wishes.” Recent domestic interpretations of consent, such as that of the California attorney general in a $1.2 million settlement with Sephora, indicate that domestic companies may also be held to a similar standard.

Expert Analysis from Xavier Alabart, Founder, Principal Privacy Consultant, The Privacy Aces, GmbH

One of the most discussed topics when GDPR was introduced in 2016 was the new definition of consent. Article 7 and recitals 32, 42 and 43 are very clear and demanding regarding valid consent. It must be a clear, affirmative act, freely given, specific, informed, and unambiguous. Subjects must be able to withdraw consent, at any time, as easily as they gave it.

Affirmative action will always be needed to obtain valid consent: silence, pre-ticked boxes, passive dismissal, or inactivity are not valid consent. Consent can be hard to obtain, but we have known the requirements for six years. Some controllers still venture into uncharted territory by implementing “convenient” consent, but it is not compliant and exposes individuals to risk.

GDPR’s definition of consent also applies to obtaining consent for website cookies, as required by the ePrivacy directive 2002/58/EC (unfairly known as “cookie law”). Consent for cookies must also meet the criteria above, which explains the vast amount of enforcement action we are observing in this area.

Data Privacy Tip

Organizations must recognize that cookie banners and older forms of acquiring and managing consumer consent will no longer suffice; they must deploy enterprise consent management solutions. Find out what it takes to make sure you’re compliant in our recent infographic.