In September 2017, we responded to a consultation hosted by the Information Commissioner's Office (ICO) on General Data Protection Regulation (GDPR) Consent Guidance. Our response is in the form of a letter addressed to Joanne Crowley of the ICO as below.
You can find the published guidance on the ICO website.
Thank you for providing us with the opportunity to comment on your draft GDPR consent guidance.
As your colleague Richard Marbrow has previously acknowledged, your draft was produced at a similar time to our sector guidance on Personal Information and Fundraising, on which the ICO kindly provided feedback. For the most part, we therefore feel the two documents closely follow a consistent line where GDPR is concerned and our comments are few in number. However, there are a few points we would like to raise on the existing draft.
Regarding our forthcoming Fundraising Preference Service, the guidance states that: “The Fundraising Regulator has set up the Fundraising Preference Service (FPS). The FPS operates as a sector-wide withdrawal of consent to charity fundraising. If an individual wishes to stop receiving marketing from charities, they can use the FPS to withdraw consent from all charities at once.”
As previously discussed with Richard, this paragraph requires urgent amendment on the following basis:
- The new service will not allow individuals to use the FPS to “withdraw consent from all charities at once”. It will allow individuals to withdraw consent from specific charities that they name. The guidance should be updated to reflect this.
We would also suggest the following additional changes are considered in any revision of the current draft:
- P3 (At a glance section): While we think this section is a useful summary of the guidance, we would suggest that the bullet points are prefaced by an initial introductory point that emphasises consent in context as one of several conditions that may be applicable to show lawful processing, e.g. “Consent is one of the key conditions that may be used to show your approach to processing an individual’s data is lawful.”
- We note that the guidance emphasises that consent requires a “positive opt-in”, and that “there is no such thing as opt-out consent”. However, the ICO’s pre-GDPR Direct Marketing guidance from May 2016 talked about a “positive action” and explicitly provided some limited examples of where “opt out” consent could potentially be legitimate under pre-GDPR regulations. While we appreciate and support the need for stronger wording in the new guidance under the stricter GDPR, we would advocate that a statement is provided acknowledging a change in language used and contextualising this, to avoid the risk of being seen to contradict previous guidance. This could be as simple as adding that “there is no such thing as opt-out consent under GDPR”.
- We welcome the recognition in the guidance that consent may be difficult to gain and that there may be circumstances where other conditions may be more appropriate. While we advocate consent as the safest way of ensuring the individual’s wishes are respected, it is important that organisations can understand and consider the full range of processing conditions and which of these may be relevant in the context of their work.
- Where the guidance talks about “customers” we would advocate that this is amended to say “customers/supporters”, to adequately reflect a fundraising context alongside commercial relationships.
- Where you mention legitimate interests as an alternative to consent, you say this may be used “if you are a private sector organisation”. Our understanding is that this condition may also be used by non-private sector organisations such as charities, where they can meet this condition. This section should therefore be amended to avoid implying that private sector organisations are the only organisations that may use the legitimate interests condition.
- The section “How long does consent last” says that GDPR does not specify a time limit for consent and that the individual’s expectations should be considered in making a decision on this. However, we understand that GDPR enhances DPA, which specifies that consent does not last forever. We would suggest that this DPA point is reemphasised here to avoid any implication that consent may continue indefinitely, or that the individual might expect consent to last indefinitely.
We hope that the above points are helpful to you and we hope to continue to develop a constructive relationship with you as GDPR is introduced to ensure fundraisers are adequately prepared for these important changes.
Stephen Dunmore
Chief Executive, Fundraising Regulator