To highlight a few examples:
- Deletion requirements are strengthened with consent: The GDPR says that it must be as easy for individuals to withdraw consent as it is to give it. Consent, once withdrawn, has the consequence under the GDPR of triggering the right to erasure (aka the “right to be forgotten”) - meaning, essentially, that the business has to erase the user’s data once they withdraw consent. That in itself may not sound so bad, but there may be many legitimate reasons why a business needs to retain user data even after the user has withdrawn consent - for example, to retain a record of user transactions for accounting purposes. To be fair, the GDPR does say that the data has to be deleted only “where there is no other legal ground for the processing” - but, if such another ground does in fact exist, doesn’t that suggest the processing was never really consent-based anyway?
- Consent triggers data portability rules: If users consent to use of their data, then they are also entitled to a right of “data portability” under the GDPR - meaning that the business must provide them with the ability to extract their data from its service “in a structured, commonly used and machine-readable format”. Further, the business may also have to help the user transfer that data to another third party business. Again, this may require some engineering effort and, inevitably, some businesses will have concerns about helping their user base to migrate data to competitor platforms.
Of course, in certain cases consent may be entirely appropriate once the context, nature and purpose of the data processing have been taken into account. The point of this post is not to criticise consent, but rather to encourage businesses not to default to consent without understanding its consequences and considering the alternatives. After all, the GDPR provides five alternative (non-consent-based) grounds for allowing businesses to lawfully collect and use data, and some of these may carry less of a compliance overhead - for example, businesses that process data on the basis of their “legitimate interests” are not compelled to fulfil data portability requirements.