> Consent must be freely given, granular and revocable
“Granular” appears nowhere in the article you cite nor the related recitals (and even if the exact phrase did, the specific degree of granularity required would still be an open question.)
> Consent is only one of the six grounds for lawful data processing.
I’d argue it's two of the six, as voluntary entry into a contract which requires certain processing is a form of consent, even if the word “consent” isn't used in that provision.
But in any case, it's the one that's going to be most important to a wide range of consumer online services.
> “Granular” appears nowhere in the article you cite nor the related recitals (and even if the exact phrase did, the specific degree of granularity required would still be an open question.)
Recital 43 states:
"Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."
Recital 42 states in part:
"Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment."
This is quite plainly worded - if you don't allow users to freely choose which data they give you and what you do with it, then you don't have valid consent. I think that "granular" is a reasonable description. There's certainly a degree of grey area, but the spirit is clear. Putting that into practice requires careful thought. Would a reasonable person understand the implications of your consent agreement? Would they be surprised or annoyed at the scope of your data collection or the use you make of that data? Could you reasonably anticipate a user being unable to properly exercise their rights to choose due to the choices you offer them?
> I’d argue it's two of the six, as voluntary entry into a contract which requires certain processing is a form of consent, even if the word “consent” isn't used in that provision.
The distinction between consent and contractual necessity is significant. If you're relying on the grounds of contractual necessity, then you can only collect and use the minimum of data for the minimum duration and process it to the minimum extent necessary to fulfil that contract (Art. 5 & recital 39). You can't keep customer data indefinitely or tack on a bunch of clauses to your T&Cs that allow you to sell that data to third parties. If you want to go beyond the absolute necessities, then you'll need to ask for consent. On the other hand, if you're relying on contractual necessity, then the conditions for consent (Art. 7) do not apply.