by caffeine5150 2939 days ago
Both in how companies are complying and in the public discourse, I’m seeing a jumbling of ‘consent’ and ‘notice’ that doesn’t align with my understanding of the intent and reading of the law. Under the transparency principle (Art. 5) and disclosure obligations (Arts 13 and 14), there are a variety of things that must be disclosed to a data subject at time of collection. See https://gdpr-info.eu/ for easy access to the law’s text. That’s what privacy policies (increasingly called privacy notices) are generally used for. Many companies are trying to either make you click something to prove they’ve notified you or add language to the notices saying “by using this site, you consent to this privacy policy”, which is a form of ‘consent’ they are deciding to collect themselves.

Separately, a controller is supposed to have a legal basis for processing personal data (Art. 6). Consent of the data subject is only one of six legal bases. Legitimate interests of the controller is the other common basis for a business and is expected to be relied upon increasingly, since the GDPR makes collecting valid consent harder and it has the downside that it must be tracked and can be withdrawn (which also must be tracked). Consent as a basis is not allowed to be buried in a privacy policy. It must be called out separately, with a separate consent for each purpose the data will be used for, on an opt-in basis. The policies and these consents are all supposed to be presented in as simple and plain English as possible, and it’s encouraged to use layered notices/policies to convey quick summaries with an ability to drill down.

To add to the complexity, email marketing is governed by the ePrivacy Directive (responsible for the cookie banners) and requires consent. Each country has its own enactment of ePrivacy, so compliance is very complex. Also, under the GDPR, a data subject has an absolute right to object to direct marketing regardless of the basis being relied upon.
Much of this flurry of email privacy policy updates and/or consents to marketing are conflating ePrivacy and the GDPR. What I see right now is a bit of a mess as companies try to figure out what compliance looks like and balance full disclosure (transparency) with simple, easy, plain English disclosure.