CNIL Releases Groundbreaking Guidance

The European French Data Protection Regulator continues to lead the world in providing clarity and guidance for international data governance and consent. The key message: "Permissions are to be Distinguished from the Collection of Consent".

Distinguishing 'Permission from Consent' is a topic that has been resisted by the privacy, security, legal, and digital identification, access and management industries. It is a critical aspect of updating analogue privacy and security practices to functional and operational digital privacy, and a stepping stone to dynamic data control and transparency.

In this article, CNIL explains, better than we have, that:

"In their vast majority, permissions are only intended to give or block technical access to certain protected resources, regardless of the objectives (or purposes) for which the applications request it. These are therefore "technical" permissions that do not regulate the use for which the information can be processed or not. The recommendations of the CNIL concern this type of permits."

CNIL goes on to provide excellent guidance that "these "technical" permissions are not designed to collect user consent, within the meaning of the GDPR and the Data Protection Act."

As Global Privacy Rights advocates,

"Consent and consent preferences are managed by humans and correspond to digital identification and data access management permissions."

CNIL Guidance explains that "They are only intended to give or block access to the protected resources and information of the mobile terminal regardless of the purposes pursued by the publisher of the application. The OS provider only suggests explaining within the request why access is requested. These permissions may therefore be required in situations where the user's consent is not required by the regulations. For example, access to the location is exempt from consent for the very operation of a navigation application since this data is necessary for the service. However, the OS provider requires the publisher to request permission to access this data."

In the 0PN Transparency Policy, consent is inherent to the purpose of use, and this must be confirmed using what is generically referred to as a two factor consent notice (2FCN). The 2FCN is used to generate a proof of notice record and receipt, which is logged as a record of processing activity, using digitally recorded transparency for assurance. To initiate a session with consent, the identification of the controller must be presented prior to the processing of personal data.

If this is not the case, then this is permission, not consent, and falls under a contractual agreement, not privacy. If you would like to know more about 2FCN for proof of notice and evidence of consent, join the GPR Community, or check out a webinar delving into a new transparency standard and framework.

GPR - 0PN Policy iterates on privacy by design with 'digital transparency by design for consent by default' dialogues for permissions, access and authorisation.