Relying on tentative consent

I filed this claim with the court but later withdrew the claim. I’ve withheld the details of the controller for this reason.

I received a direct marketing email from this controller out of the blue. In response to my enquiry, the controller’s Senior Legal Counsel who apparently specialised in the GDPR, informed me that they had obtained my consent to target me with direct marketing emails when I signed-up to marketing using a form on their website. I didn’t submit any forms on their website, so I argued that they had not obtained my consent.

In response, the controller’s Senior Legal Counsel demonstrated how they had obtained my consent. She said:

The form is blank requiring the customer to complete it with their personal data. It is also not a pre requisite that this personal data or consent is given prior to the customer being able to continue using [their website]. It is thus freely given,

The form uses clear, unambiguous language to inform a customer specifically how [the controller] intends to use their data. As per that sign up form, the customer is advised “Sign up to our emails [the rest of the consent statement has been withheld to protect the controller’s identity].” There are also clear links to our Privacy Policy and Cookies notices as well as the T&Cs which further explain the lawful bases [The controller] will rely on to further process that data.

[The controller] is also able to prove that permission was specifically given for the newsletter to be sent as the collection of the consent is active, not passive (ie no pre-ticked boxes or implied permission). It is made clear that by clicking the sign up box, the customer will have consented to receiving the emails.

Err… okay… I can see what she’s saying, but there’s a fundamental flaw with her argument; she cannot demonstrate that I visited the form, read the consent statement and having being clearly advised, submitted my own information into the form.

To clarify, consent that has not been validated remains tentative. Tentative consent poses a risk because, if challenged, a controller may be unable to comply with Article 7(1) GDPR:

‘Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data’

To be fair, reliance on tentative consent is likely to be fairly widespread among controllers without it being an issue. This is because most of us will only ever submit our own information into web-forms. And if we have a legitimate reason to submit personal information about others, the form is likely to be so complex that the form itself acts as a validation mechanism. For example, adding a named driver to a multi-page form to obtain a quote for vehicle insurance.

The risk associated with obtaining tentative consent will likely depend on how much personal information is being collected by the form. The more complex the form, the harder it is for an unauthorised person to submit someone else’s information into the form. Forms that require us to enter a credit/debit card, a postal address or phone number, are likely to reduce the risk associated with obtaining tentative consent. 

In contrast, forms that only capture a small amount of information – a direct marketing email sign-up form for example, are likely to pose the greatest risk to the controller because it’s very easy for anyone to submit anyone’s information into these forms. If this were to happen, then the controller would have no defence, so controllers reasonably need to rely on the legitimate interests condition and validate the form with a double opt-in mechanism.

By using the legitimate interests condition, a controller can likely justify obtaining personal information via the form, for the purpose of validating it with a double opt-in. Thus, even personal information submitted by an unauthorised person can be lawfully obtained by the controller for the purpose of validating it. A double opt-in won’t work with consent by the way, because consent doesn’t give the controller the flexibility necessary to carry out the validation.

Getting back to the case… as far as I was concerned, I had a solid case to argue at the court hearing. Indeed, at the hearing, I was going to inform the judge that the Defendant is of the view that were I to submit the judge’s information into the Defendant’s form without their knowledge, that the Defendant would honestly believe that they had obtained the judge’s consent. That would have been interesting.

So, by now, I had submitted my Statement of Case, the controller had submitted their Defence, and I had discussed the case with three separate legal professionals – who all said that I was wrong.

Having reviewed their Defence, I submitted a Reply to Defence to question some of their arguments. One of the key points that I made in the Reply to Defence is this – I’m replying to Paragraph 9 of their Defence, and D is the Defendant. I’m the Claimant – C.

This is the key point of contention, so let’s break it down.

D has demonstrated that they understand the definition of consent – that to obtain consent, personal data has to be freely given, specific, informed and unambiguous.

However, consent isn’t something that just happens when someone submits a form. The web-form itself plays a major part in the consent process. For example, it’s the web-form that informs the individual about how their consent will be used to carry out a specific data processing activity. It’s the web-form that will also contain any opt-outs that may be necessary to ensure that consent is freely given or unambiguous.

Article 7(1) GDPR states:

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

The question is… can D demonstrate that the data subject (C) consented to the processing of his personal data by D, by visiting and submitting their web-form?

It’s only by proving that C submitted his own information into their web-form that D will be able to demonstrate that:

  • C freely gave his consent by entering his personal data into their form;
  • C gave his consent for a specific data processing purpose – having visited their web-form;
  • C was informed that that he was giving his consent for this particular data processing purpose – having visited their web-form;
  • C was given a genuine choice not to consent (unambiguous)– having visited their web-form.

D has since clarified in response to a Subject Access Request, that they do not capture IP address information. They’ve also confirmed in their defence that they do not recognise the need for a double opt-in, so they clearly have no mechanism to determine who submitted the form.

D is unable to prove that they obtained C’s consent because D operates a “fingers-crossed” approach to data processing. An approach that simply assumes that individuals will only enter their own information into their public-facing web-from. It is to be hoped that D’s naivety is not translated into aspects of their data security.

A day or so later, their lawyer contacted me:

I’m confirming receipt of your Reply to Defence. We are in the process of reviewing so we can respond as required and permitted by the court.

We have tried via extensive correspondence with you to avoid this claim being heard, but given our respective positions we are regrettably not in a position to make a financial settlement in respect of this claim. However, in order to avoid us both having to appear at a hearing, we would be open to meeting with you to discuss your concerns so that we can both clarify our approach in person. We would very much prefer that you do not have a negative experience of [The controller] so we’d be very pleased to welcome you into one of our stores for a tailored experience that reflects the focus we place on our customers. Please let me know if this is something that we can discuss with a view to settling this before the hearing.

Here’s what I believed happened… I think they read my Reply to Defence and shat themselves, because it dawned on them that not only did they have no chance of winning in court, but they faced utter humiliation because three separate legal professionals had got it so utterly wrong. So, they invited me to a meeting to discuss the case and endeavour to agree on an out of court settlement.

At the end of the day, anyone who understands data protection law will know that they had no case, because they couldn’t prove anything. But I was touched by this response, and their attempt to try and resolve the issue, so I told them that I was going to drop the case. I took a hit on the court fees but it isn’t much. They’d clearly made a mistake and I didn’t want to take their money for that.

Make no mistake though, if you’re a controller and you’re failing to validate your marketing sign-up forms, then you have no defence to a claim for compensation. You won’t obtain consent and you won’t balance the legitimate interests condition either, because you’d have to demonstrate that you needed to process the data subject’s personal data for your legitimate interest and you won’t do that unless you can prove that they submitted the form. And of course, you cannot rely on the fulfilment of a contract unless you can prove that the data subject was a party to the contract.