In September 2017, we responded to a consultation hosted by the Information Commissioner's Office (ICO) on General Data Protection Regulation (GDPR) consent guidance in the form of a letter. You can find the published consent guidance on the ICO website.
Our response
Your draft was produced at a similar time to our sector guidance on personal information and fundraising, on which the ICO kindly provided feedback. For the most part, we therefore feel the two documents closely follow a consistent line where GDPR is concerned, and our comments are few in number. However, there are a few points we would like to raise on the existing draft.
Fundraising Preference Service
Regarding our forthcoming Fundraising Preference Service, the guidance states that:
“The Fundraising Regulator has set up the Fundraising Preference Service (FPS). The FPS operates as a sector-wide withdrawal of consent to charity fundraising. If an individual wishes to stop receiving marketing from charities, they can use the FPS to withdraw consent from all charities at once.”
[As previously discussed] this paragraph requires urgent amendment on the following basis: the new service will not allow individuals to use the FPS to “withdraw consent from all charities at once”. It will allow individuals to withdraw consent from specific charities that they name. The guidance should be updated to reflect this.
Other points
We would also suggest the following additional changes are considered in any revision of the current draft:
Page three (at a glance section)
While we think this section is a useful summary of the guidance, we would suggest that the bullet points are prefaced by an initial introductory point that emphasises consent in context as one of several conditions that may be applicable to show lawful processing: e.g., “Consent is one of the key conditions that may be used to show your approach to processing an individual’s data is lawful.”
We note that the guidance emphasises that consent requires a “positive opt-in”, and that “there is no such thing as opt-out consent”. However, the ICO’s pre-GDPR direct marketing guidance from May 2016 talked about a “positive action” and explicitly provided some limited examples of where “opt-out” consent could potentially be legitimate under pre-GDPR regulations.
While we appreciate and support the need for stronger wording in the new guidance under the stricter GDPR, we would advocate that a statement is provided acknowledging a change in language used and contextualising this, to avoid the risk of being seen to contradict previous guidance. This could be as simple as adding that “there is no such thing as opt-out consent under GDPR”.
We welcome the recognition in the guidance that consent may be difficult to gain and that there may be circumstances where other conditions may be more appropriate. While we advocate consent as the safest way of ensuring the individual’s wishes are respected, it is important that organisations can understand and consider the full range of processing conditions and which of these may be relevant in the context of their work.
Where the guidance talks about “customers” we would advocate that this is amended to say “customers/supporters”, to adequately reflect a fundraising context alongside commercial relationships.
Where you mention legitimate interests as an alternative to consent, you say this may be used “if you are a private sector organisation”.
Our understanding is that this condition may also be used by non-private sector organisations such as charities, where they can meet this condition. This section should therefore be amended to avoid implying that private sector organisations are the only organisations that may use the legitimate interests condition.
The section “How long does consent last” says that GDPR does not specify a time limit for consent and that the individual’s expectations should be considered in making a decision on this. However, we understand that GDPR enhances the Data Protection Act (DPA), which specifies that consent does not last forever. We would suggest that this DPA point is reemphasised here to avoid any implication that consent may continue indefinitely, or that the individual might expect consent to last indefinitely.