During an interesting discussion on smart grids at the Privacy & Identity Lab today, the following issue came up. European data protection regulation describes when and how organisations may process personal data. Processing of personal data can be agreed upon using a contract between the consumer and the data processor, for example. Another option is to ask for consent. Consent is for example required to place cookies, or to read data from smart meters by the regional network operators (with whom the consumer has no contract). Consent is also required for the processing of personal data by apps on mobile phones.

Basing the operation (and maybe the profitability) of your business on consent is dangerous though. The law requires that consumers must be able to effectively and immediately revoke consent at any time. To make this concrete, every appliance should have a big ‘consent’ switch that stops the flow of personal information immediately. This means your business could suddenly be deprived of the personal information it needs.

Contracts, on the other hand, cannot normally speaking be abandoned immediately. If the processing of personal data is critical to your business, it is probably wise to base this processing on contracts instead of consent.

Update (based on discussion with @simonhania and @floorter) a few minutes later: the alternative is to build trust and customer loyalty to reduce the risk of them withdrawing consent.