Consent plays a role in almost all modern privacy statutes. In some privacy statutes, like the GDPR, it can function as one of many lawful purposes to process data. In other privacy statutes, like the VCDPA and the CPA, it is mandated for certain types of data processing (e.g., sensitive category data processing). How consent is defined, however, differs between and among statutory and regulatory schemes. The following provides a side-by-side comparison of how some of the main data privacy statutes define the term:
In addition to the general definition, some modern data privacy statutes include certain requirements or conditions for consent to be considered effective. The following provides a side-by-side comparison of statutorily enumerated requirements for effective consent:[9]
In addition, some modern privacy statutes include examples of activities that will not be considered sufficient to evidence consent (green check signifies a prohibition):
[1] Cal. Civ. Code 1798.150(a)(1) (West 2021) (incorporating by reference data fields referred to in Cal. Civ. Code 1798.81.5(d)(1)(A).
[2] Cal. Civ. Code 1798.140(ae)(1), (2) (West 2021).
[3] Va. Code 59.1-571 (2021).
[4] GDPR, Art. 4(11).
[5] While the term is not defined within the CCPA, it should be noted that the statute uses the word “consent” in some parts (e.g., as part of opting-in to a financial incentive program), and in other sections uses consent-like concepts but with different terminology (e.g., intentional use or direction to share personal information with a third party)
[6] Cal. Civ. Code 1798.140(h) (West 2020).
[7] Va. Code 59.1-571 (2021).
[8] C.R.S. § 6-1-1303(5) (2021).
[9] Note that even if a statute does not contain a specific requirement for consent to be effective, it is possible that a court or supervisory authority could take the position that the requirement is implied by the statute.
[10] Va. Code 59.1-571 (2021).
[11] GDPR, Art. 7(1) (stating “controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data).
[12] GDPR, Art. 7(3) (stating “data subject shall have the right to withdraw his or her consent at any time”).
[13] While the CPRA does not confer a right to withdraw consent after it has been granted, note that the CPRA does provide rights to object to certain processing activities. Those objections, however, are independent of any consent-based processing that has occurred.
[14] Va. Code 59.1-571 (2021).
[15] GDPR, Art. 7(2) (stating that “request for consent shall be presented in a manner which is clearly distinguishable from the other matters”). See also EDPB, Guidelines 05/2020 on consent under Regulation 2016/679 Version 1.0 (adopted 4 May 2020) at para. 13 finding that consent that is “bundled up as a non-negotiable part of terms and conditions is presume not to have been freely given.”
[16] Cal. Civ. Code § 1798.140(h) (West 2021).
[17] C.R.S. § 6-1-1303(5)(a) (2021).
[8] While not expressly prohibited by the statute, hovering over or closing a piece of content is unlikely to be viewed as sufficient consent by several European supervisory authorities.
[19] As noted above the CCPA does not define “consent.” It does, however, incorporate consent concepts in the definition of “sale” by stating that if a “consumer uses or directs the business to intentionally disclose personal information” such activity does not constitute a sale. In that context, the statute states that “hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.” Cal. Civ. Code §1798.140(t)(2)(A) (West 2020).
[20] Cal. Civ. Code § 1798.140(h) (West 2021).
[21] C.R.S. § 6-1-1303(5)(b) (2021).
[22] As noted above the CCPA does not define “consent.” It does, however, incorporate consent concepts in the definition of “sale” by stating that if a “consumer uses or directs the business to intentionally disclose personal information” such activity does not constitute a sale. In that context, the statute states that “hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.” Cal. Civ. Code §1798.140(t)(2)(A) (West 2020).
[23] Cal. Civ. Code § 1798.140(h) (West 2021).
[24] C.R.S. § 6-1-1303(5)(b) (2021).
[25] While not expressly prohibited by the statute, several supervisory authorities have issued guidance against dark patterns and / or nudging.
[26] Cal. Civ. Code § 1798.140(h) (West 2021).
[27] C.R.S. § 6-1-1303(5)(c) (2021). Dark patterns is defined as a “user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.” C.R.S. § 6-1-1303(9) (2021).
[28] GDPR, Art. 7(4). While conditioning access to a product or service on consent is not prohibited under the GDPR, it is identified as a factor to be evaluated when determining whether consent is “freely given.”