Why am I being flooded with Consent requests these months?


One of the six ways that the GDPR has established as lawful data processing is through express consent. Many companies have our data without being their customers because we gave it to them for a specific purpose, e.g. supermarket loyalty cards, free newsletters we are subscribed to, etc.

Due to not being customers or having entered a legal contract that justifies processing these data (processing is the mere act of holding your data even if you do not do anything with them!) or most likely not even being subject to a legal obligation (there are many sectors that are largely unregulated, unlike in banking and insurance), we resort to the figure of legitimate interest or express consent.

Legitimate interest was already included in the previous EU Directive of 1999, but it was barely developed in the LOPD, and it is more difficult to prove because you have to assess and weight the rights and interests of both parties, assess the risks, etc. Consent is the fastest way of proving that the processing is lawful, but the consent has to be valid and it can be taken away immediately; it is not perpetual.

Title III of Act 34/2002 on Information Society and E-commerce Services (LSSI in Spanish) is responsible for the request of consents unless there is another legal basis. That is, there is nothing new in the GDPR in this respect. The issue is that the LOPD established that a tacit consent was sufficient (inaction or pre-checked boxes) and this is no longer valid, as the GDPR establishes that it must be an express consent. The LOPD continues to be effective, but if there are any contravening provisions, the GDPR prevails.