Consent provided in contractual pre-ticked boxes is invalid. On 11th November 2020, the European Union Court of Justice (CJEU) published its judgment on Orange Romania’s case versus Romania’s National Supervisory Authority for Personal Data (ANSPDCP). What does that mean for companies concluding contracts with customers to obtain consent?
The case Orange Romania vs ANSPDCP
The case concerned the telecommunications service provider Orange Romania, which received a fine in March 2018 by the Romanian supervisory authority ANSPDCP for “collecting and storing data subjects’ identity documents without their express consent” as part of contracts that were concluded during that month. More precisely, contracts signed between Orange Romania and its customers were deemed invalid, as they contained a clause stating that customers have been informed of and consent to the collection and storage of their identity documents. The box to tick if a customer gives consent has already been pre-ticked.
Read our regular reviews of data protection law rulings to stay up to date!
Valid consent in a contract
As mentioned above, the CJEU reinstates in Orange Romania vs ANSPDCP that pre-ticked boxes in a contract are not valid. According to Article 4 (11) GDPR, consent must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes (…) by a statement or a clear and affirmative action”. “Freely given” consent suggests that the data subject has a free and actual choice and can refuse or withdraw consent without being disadvantaged. For instance, consent is not freely given if you require individuals to consent to the processing of personal data as a condition to provide your service unless the processing is strictly necessary to provide that service. A pre-ticked box in a contract cannot fulfil the requirement of “freely given” consent.
In addition, data controllers must be able to demonstrate the existence of valid consent, as required by the principles of lawfulness of processing and accountability. Pre-ticked boxes do not enable a data controller to establish evidence of valid consent.
Furthermore, data controllers must inform data subjects of their choice. This means that the information relating to personal data processing must be in an intelligible and easily accessible form, using clear and plain language, which in written contracts is seldom the case. Also, contractual terms must not mislead data subjects with regard to their freedom to conclude a contract, despite refusing to consent to the processing, without facing adverse effects.
The contract between Orange Romania and its customers merely provides the possibility to complete an additional form to refuse processing. In that regard, the CJEU found that the freedom to choose to object to that collection and storage is unduly affected by the controller requiring the data subject to take extra action to refuse consent (but not to give consent).
Upon this basis, the pre-ticked boxes in the contract are not valid. The CJEU thereby reinstates its approach on consent, as further clarified in the latest European Data Protection Board (EDPB) Guidelines on consent under the GDPR.
How to obtain valid contractual consent?
Generally, companies that wish to process data subjects’ personal data must obtain valid consent.
The decision of the CJEU in Orange Romania vs ANSPDCP has an impact on any service provider who relies on standardised and pre-formulated clauses to obtain consent. To make sure that you process customers’ personal data in a compliant manner, in addition to the guidelines on the definition and content of valid consent, please make sure that you can demonstrate that your customers have freely given their consent and that how you obtain the consent is clear and precise and not misleading or confusing.
Furthermore, make sure that it is as easy for customers to refuse consent as it is to give consent.