Consent requirements

The Swedish Post and Telecom Authority (PTS) has published new guidelines for telecom providers on how to obtain consent from subscribers.

PTS has recently carried out supervision relating to processing of data for certain purposes, such as marketing, for which the subscriber's prior consent is required. The supervision comprised assessments of the providers' general terms and conditions, in which the information relating to consent is included. During the supervision, PTS noted several shortcomings relating both to the forms for obtaining the consent and to the information to be given to the subscriber prior to the consent. Remedies have been described in the guidelines as non-binding instructions on how to obtain an acceptable consent.

As regards the forms for obtaining the consent, PTS found that providers in general did not highlight the fact that consent was obtained, but instead put the information relating to consent somewhat hidden in the general terms and conditions. This could, according to PTS, easily be misinterpreted by the subscriber as being part of the agreement, and not as the unilateral act of approval from the subscriber it should be. Moreover, the providers put information relating to consent in different places: in different sections of the general terms and conditions, but also, in many cases, in additional information on the website. Such separation is, according to PTS, not comprehensible or accessible for an average subscriber, nor is it acceptable to put required information relating to consent on a website that could be continuously modified.

Furthermore, the consent shall, according to the guidelines, be limited to such processing of data that the provider will actually carry out. If the provider wishes to expand the processing beyond the scope of an already obtained consent, the provider must give the subscriber additional information and obtain a new consent.

The information to be given to the subscriber prior to obtaining consent includes

  1. the data to be processed (e.g. "name", "address", "IP address"),
  2. the purpose of the processing of data (e.g. "to remove malicious software"),
  3. the type of processing to be carried out (e.g. "storing" or "filtering"), and
  4. the duration of the processing of data, if the processing includes traffic data (e.g. "during a maximum of 1 minute").

The guidelines are currently being translated into English.

For further information, please contact:
Karin Lodin, Legal adviser at the Network Security Department