In January the UK’s data protection authority – the Information Commissioner’s Office (ICO) – issued its first formal account, an overview, of how it was interpreting the GDPR and how it saw matters proceeding from there. I’m sorry I didn’t blog about it at the time. I missed it in amongst everything else that was going on that month.
On Thursday of this week the ICO published a consultation document on a key part of the GDPR – the issue of consent.
It opens with the definition of consent taken from the GDPR itself (Article 4, 11)
Consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
That should be easy then.
Anyway, the specific point about children is made in the paper on page 27
We’ll be developing further specific guidance on children’s privacy. It will include more detail on identifying an appropriate lawful basis for processing children’s data, and issues around age verification and parental authorisation. (emphasis added).
Comments are sought on the draft and the closing date is 31st March. I’m guessing that drafting the specific guidance referred to will take a little longer than that but, either way, the starting gun has gone off.