Not a bug Invalid consent - Registration form is not compliant with GDPR

Muchacha

Member
The Registration form contains only one tick box for both the Data privacy policy and for the Terms & Rules.
According to UK law this constitutes invalid consent and is open to damage claims.

This needs to be resolved, ideally as an update separating the two consent boxes (for Terms and for Privacy), including the links to the actual Privacy policy and Terms, and ideally forcing display of those Policy and Terms.

The Information Commissioner's Office (ICO) interprets the law for its application in the UK. Their guidance is very clear:

"The request for consent needs to be prominent, concise, separate from other terms and conditions, and in plain language."

"The ‘explicit’ element of any consent should also be separate from any other consents you are seeking, in line with the guidance in Recital 43 on appropriate granular control."

"When is consent invalid?
In summary, you do not have valid consent if any of the following apply:
  • you have any doubts over whether someone has consented;
  • the individual doesn’t realise they have consented;
  • you don’t have clear records to demonstrate they consented;
  • there was no genuine free choice over whether to opt in;
  • the individual would be penalised for refusing consent;
  • there is a clear imbalance of power between you and the individual;
  • consent was a precondition of a service, but the processing is not necessary for that service;
  • the consent was bundled up with other terms and conditions;
  • the consent request was vague or unclear;
  • you use pre-ticked opt-in boxes or other methods of default consent;
  • your organisation was not specifically named;
  • you did not tell people about their right to withdraw consent;
  • people cannot easily withdraw consent; or
  • your purposes or activities have evolved beyond the original consent."

Please help us to resolve this.
Thank you
 
I have been doing research on this and while the quote you've shown is correct, I don't think it's actually applicable here. Consent is not really the correct basis for data processing here (legitimate interests likely is), at least for the direct stuff that is necessary for running/protecting a forum.

There are several places that say things like "If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis." Similarly, if they don't have the ability to withdraw consent (opt-out), then it's not really valid consent.

The consent option for processing is really designed for optional things. The perfect example there would be marketing emails. You can't say "I agree to the terms and conditions and to receive marketing emails" -- that would be consent bundled up with this.

(Just to clarify: I'm not a lawyer and it's always possible that your specific situation may be different.)

I'm going to leave this open for other feedback for now, but as is, I don't think this separation would do anything (and thus no changes are currently planned).
 
Thank you, you provided helpful additional perspective for us.

From your own analysis, the consent bundled with the terms and privacy policy is not entirely valid under certain circumstances, so maybe it is worth considering changing from an "I agree" tick box to relying on a deliberate conscious action, like most other social media companies do now:
"By registering you agree with our terms and conditions and privacy policy"

Examples: Mumsnet, Twitter, Facebook, Marks & Spencer