On Monday, I posted, “Forcing Consent Is A Bad Idea.“1 The point was to say that, regardless of legal issues, there are very practical reasons in favor of setting a policy of not trying to force consent.
But, just because there are practical reasons for not forcing consent does not mean that there are no legal considerations to be made. Sometimes, laws even prohibit ill-advised decisions outright. And depending on the jurisdiction, those laws may apply to you.
For instance, the CRTC has stated concerning the collection of express consent under CASL that:
The Commission considers that requests for consent contemplated above must not be subsumed in, or bundled with, requests for consent to the general terms and conditions of use or sale. The underlying objective is that the specific requests for consent in question must be clearly identified to the persons from whom the consent is being sought. For example, persons must be able to grant their consent to the terms and conditions of use or sale while, for instance, refusing to grant their consent for receiving CEMs.2
Thus, the forced creation of an account to view a website cannot provide the basis for an extension of expressed consent as that would subsume the permission into the general terms or the conditions of use.
The violation under the GDPR is even more evident. According to Article 7(4) of the GDPR, “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”3 Further, Recital 42 says that “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”4 Finally, Recital 43 states that “Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”5
Thus, forcing consent would appear to be a GDPR violation in most instances. At the very least, a company would need to drop any reliance upon consent as their basis for controlling and processing data and find another basis.
But, even if these laws don’t apply to a given program, it’s still just a bad idea to do force consent. It’s asking for trouble in a number of ways, both reputationally and potentially legally.
Footnotes
- Mickey Chandler, Forcing Consent Is A Bad Idea, Spamtacular (Jan. 27, 2020), https://www.spamtacular.com/2020/01/27/forcing-consent-is-a-bad-idea/ (last visited Jan 30, 2020). ↩︎
- Canadian Radio-television and Telecommunications Commission (CRTC) Government of Canada, Guidelines on the Interpretation of the Electronic Commerce Protection Regulations (CRTC), (2012), https://crtc.gc.ca/eng/archive/2012/2012-548.htm (last visited Jan 30, 2020). ↩︎
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L. 119) 1, 37, https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng (last visited Jan 30, 2020). ↩︎
- Id. at 8. ↩︎
- Id. (emphasis added). ↩︎
