Consent Detailed Guidance

Estimated reading time: 1 min
Information Commissioner’s Office, “Guide to the GDPR”, retrieved on 14th January 2021, licensed under the Open Government Licence.

This guidance discusses consent in detail. Read it if you have detailed questions not answered in the Guide, or if you need a deeper understanding to help you apply consent in practice. DPOs and those with specific data protection responsibilities in larger organisations are likely to find it useful.

If you haven’t yet read consent in brief in the Guide to GDPR, you should read that first. It sets out the key points you need to know, along with practical checklists to help you comply.

  • Why is consent important?

    In detail

    For processing to be lawful under the GDPR, you need to identify (and document) your lawful basis for the processing. There are six lawful bases listed in Article 6(1), and consent is one of them.

    If you want to process special category (sensitive) personal data, you also need to apply one of the conditions in Article 9(2). ‘Explicit consent’ is one option for legitimising the use of special category data.

    Consent can also legitimise restricted processing, and explicit consent can legitimise automated decision-making (including profiling), or overseas transfers by private-sector organisations in the absence of adequate safeguards.

    If you rely on consent, this will affect individuals’ rights. For example, they will have the right to erasure (also known as ‘the right to be forgotten’) and the right to data portability. Although individuals do not have the right to object where processing is based on consent, they do have the right to withdraw consent – which in effect operates as a right to stop the processing.

    Basing your processing of personal data on GDPR-compliant consent means giving individuals genuine choice and ongoing control over how you use their data, and ensuring your organisation is transparent and accountable.

    Getting this right should be seen as essential to good customer service: it will put people at the centre of the relationship, and can help build confidence and trust. This can enhance your reputation, improve levels of engagement and encourage use of new services and products. It’s one way to set yourself apart from the competition.

    Handling personal data badly – including relying on invalid or inappropriate consent – can erode trust in your organisation and damage your reputation. Individuals won’t want to engage with you if they think they cannot trust you with their data; you do things with it that they don’t understand, want or expect; or you make it difficult for them to control how it is used or shared.

    It may also leave you open to substantial fines under the GDPR. Article 83(5)(a) states that infringements of the basic principles for processing personal data, including the conditions for consent, are subject to the highest tier of administrative fines. This could mean a fine of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.

  • When is consent appropriate?

    In detail

    In short, no. Consent is one lawful basis for processing, but there are five others. Consent won’t always be the most appropriate or easiest.

    You must always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing. If consent is difficult, this is often because another lawful basis is more appropriate, so you should consider the alternatives. See the section on ‘What are the alternatives to consent?’.

    Similarly, explicit consent is one way to legitimise processing special category personal data, but not the only way. Article 9(2) lists nine other conditions (supplemented by schedule 1 of the Data Protection Act 2018). The alternative conditions for processing special category data are generally more restrictive and tailored to specific situations, but you should still check first whether any of them apply.

    You are likely to need to consider consent when no other lawful basis obviously applies. For example, this may be the case if you want to use or share someone’s data in a particularly unexpected or potentially intrusive way, or in a way that is incompatible with your original purpose.

    If you are using special category data, you may to need to seek explicit consent to legitimise the processing, unless one of the other specific conditions in Article 9(2) applies. Note that some of the other conditions still require you to consider consent first, or to get consent for some elements of your processing. For example, if you are a not-for-profit body and you choose to rely on Article 9(2)(d), you still need explicit consent to disclose the data to any third party controllers.

    You are also likely to need consent under e-privacy laws for many types of marketing calls and marketing messages, website cookies or other online tracking methods, or to install apps or other software on people’s devices. These rules are currently found in the Privacy and Electronic Communications Regulations 2003 (PECR), they apply the GDPR definition of consent. Please note, should the ePR be adopted, we will produce further guidance.

    If you need consent under e-privacy laws to send a marketing message, then in practice consent is also the appropriate lawful basis under the GDPR. If e-privacy laws don’t require consent for marketing, you may be able to consider legitimate interests instead.

    If you need consent to place cookies, this needs to meet the GDPR standard. However, you may still be able to consider an alternative lawful basis such as legitimate interests for any associated processing of personal data.

    Further reading

    For more about the existing e-privacy rules, please see ICO's Guide to PECR (external link).

    For more information about marketing under the GDPR, see:

    Direct marketing guidance (external link)

    Legitimate interests guidance

    Consent is likely to be the most appropriate lawful basis for processing (or the appropriate gateway through other relevant provisions) if you want to offer individuals real choice and control over how you use their data. In particular, you may want to consider using consent to improve their level of engagement with your organisation and encourage them to trust you with more useful data.

    However, whether consent is appropriate and valid will always depend on the particular circumstances.

    See also ‘What are the benefits of getting consent right?’

    If you want to process special category data, you must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9, as supplemented by Schedule 1 of the Data Protection Act 2018.

    The first condition listed in Article 9 is ‘explicit consent’. However, this does not mean it is always the best or most appropriate condition. You should always consider whether any of the other conditions better fit the particular situation.

    Your choice of lawful basis under Article 6 does not necessarily dictate which Article 9 condition you have to apply. Even if you did not rely on consent as your lawful basis for processing, you can still consider ‘explicit consent’ as your Article 9 condition for any special category data. However, you must remember that explicit consent must meet the GDPR standard for valid consent, and can be withdrawn at any time.

    See ‘What is valid consent?’ for more on what counts as ‘explicit’ consent.

    If you need to process special category data to provide a service the individual has requested, the most appropriate lawful basis is likely to be ‘necessary for contract’. But explicit consent may still be available as your condition for processing necessary special category data. However, you must be confident that you can demonstrate consent is still freely given – in particular, that the processing is actually necessary for the service.

    Example

    An individual signs up for a pregnancy yoga class. The instructor will be processing data concerning their health (ie the fact of their pregnancy along with any information about due dates) and therefore needs both a lawful basis and a condition for processing special category data.

    As the instructor needs to process these details to provide the yoga class, the appropriate lawful basis is likely to be ‘performance of a contract’.

    Although the individual cannot sign up to the class without revealing information about their pregnancy, explicit consent is still likely to be the appropriate condition for processing health data. The processing is objectively necessary to provide the requested class, and the individual has a free choice whether or not to sign up to that class.

    Further reading - ICO guidance

    For our latest guidance on conditions for processing special category data, see the Special category data page of our Guide to GDPR.

    Further reading – European Data Protection Board

    The European Data Protection Board (EDPB) consists of representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

    The EDPB have produced Guidance on Consent.

    It follows that if for any reason you cannot offer people a genuine choice over how you use their data, consent will not be the appropriate basis for processing. This may be the case if, for example:

    • you would still process the data on a different lawful basis if consent were refused or withdrawn;
    • you ask for ‘consent’ to the processing as a precondition of accessing your services; or
    • you are in a position of power over the individual – for example, if you are a public authority or an employer processing employee data.

    You would still process the data without consent

    If you would still process the personal data on a different lawful basis even if consent were refused or withdrawn, then seeking consent from the individual is misleading and inherently unfair. It presents the individual with a false choice and only the illusion of control. You must identify the most appropriate lawful basis from the start.

    Example

    A company that provides credit cards asks its customers to give consent for their personal data to be sent to credit reference agencies for credit scoring.

    However, if a customer refuses or withdraws their consent, the credit card company will still send the data to the credit reference agencies on the basis of ‘legitimate interests’. So asking for consent is misleading and inappropriate – there is no real choice. The company should have relied on ‘legitimate interests’ from the start. To ensure fairness and transparency, the company must still tell customers this will happen, but this is very different from giving them a choice in data protection terms.

    Prior to processing the personal data, you need to think carefully whether you would still need to retain any of the data for any other purpose if the individual withdraws their consent. For example, you might need to keep it to comply with a legal obligation or for audit purposes. If so, you must be clear and upfront at the start what your purpose and lawful basis is for retaining that data after consent is withdrawn.

    The ‘consent’ is a condition of service

    If you require someone to agree to processing as a condition of service, consent is unlikely to be the most appropriate lawful basis for the processing. In some circumstances it won’t even count as valid consent.

    Instead, if you believe the processing is necessary for the service, the more appropriate lawful basis is likely to be ’necessary for the performance of a contract’ under Article 6(1)(b). You are only likely to need to rely on consent if required to do so under another provision, such as for some electronic marketing under PECR.

    If processing of special category data is genuinely necessary to provide a service to the individual, you may still be able to rely on explicit consent as your condition for processing that special category data where no other Article 9 condition applies. See 'When is it appropriate to use consent for special category data?'

    It may be that the processing is a condition of service but is not actually necessary for that service. If so, consent is not just inappropriate as a lawful basis, but presumed to be invalid as it is not freely given. In these circumstances, you could consider whether ‘legitimate interests’ under Article 6(1)(f) is appropriate as your lawful basis for processing instead. You could not rely on explicit consent for any special category data in this case, and need to look for another Article 9 condition.

    Example

    A café decides to provide free wifi to its customers. In order to access the wifi the customer must provide their name, email address and mobile phone number and then agree to the café’s terms and conditions.

    Within the terms and conditions it states that by providing their contact details the customer is consenting to receive marketing communications from the café. The café is therefore making consent to send direct marketing a condition of accessing the service.

    However collecting their customer’s details for direct marketing purposes is not necessary for the provision of the wifi. This is not therefore valid consent.

    See ‘What is valid consent?’ for more on when consent is freely given.

    You are in a position of power

    Consent will not usually be appropriate if there is a clear imbalance of power between you and the individual. This is because those who depend on your services, or fear adverse consequences, might feel they have no choice but to agree – so consent is not considered freely given. This will be a particular issue for public authorities and employers.

    Example

    A company asks its employees to consent to monitoring at work. However, as the employees rely on the company for their livelihood, they may feel compelled to consent, as they don’t want to risk their job or be perceived as difficult or having something to hide.

    Example

    A housing association needs to collect information about the previous convictions of tenants and prospective tenants for risk-assessment purposes when allocating properties and providing home visits. However, it is inappropriate to ask for consent for this as a condition of the tenancy. A tenant applying for social housing may be in a vulnerable position and may not have many other housing options. So they may have no real choice but to sign up to the housing association’s terms. Even if the processing is necessary to provide the accommodation, their consent is not considered freely given because of the imbalance of power.

    If you are a public authority or are processing employee data, or are in any other position of power over an individual, you should look for another basis for processing, such as ‘public task’ or ‘legitimate interests’.

    However, public authorities and employers are not banned from using consent as their lawful basis. Even if you are in a position of power, there may be situations when you can still show that the consent is freely given.

    Example

    A local council runs a number of fitness centres. It wants to find out what people think of the facilities in order to decide where to focus improvements. It decides to email a questionnaire to individuals who have fitness memberships to ask them about the facilities.

    The decision as to whether or not to take part in the survey is entirely optional, and given the nature of the relationship and the survey there is no real risk of adverse consequences for failing to respond. The council could consider relying on consent to process the responses.

    Example

    An employer decides to make a recruitment video for its website. It has instructed some professional actors but gives staff the opportunity to volunteer to have a role in the video. The employer makes it clear that there is no requirement for any staff to take part and participation will not be taken into account for performance evaluation purposes.

    As participation is optional and there are no adverse consequences to those who do not want to take part the employer could consider consent.

    However, you need to look carefully at the particular circumstances and be confident that you can demonstrate that the individual really does have a free choice to give or to refuse consent. You may need to take steps to ensure that the individual does not feel any pressure to consent and allay any concerns over the consequences of refusing consent.

    Example

    An individual receives a cancer diagnosis from their doctor. The doctor explains that there is help and support available from a cancer charity and they can pass the individual’s details to the charity if the individual wishes.

    On the face of it there is a clear imbalance of power where an individual is unwell and speaking to a qualified professional with extensive medical knowledge who is responsible for their treatment. If the doctor suggests that they should contact the charity or that this is standard practice, the imbalance of power issue will come into play as the individual may feel that they should agree. They may also fear that they might not be offered as many treatment options, or that their treatment will be affected in some way if they don’t agree.

    However, if the doctor takes care to make sure the offer of help is neutral and makes clear that it is a separate and entirely optional service with no effect on the treatment plan, then the controller may be able to demonstrate that consent is freely given.

    The doctor must also make sure the consent is specific, informed, given by a clear affirmative action, and properly documented. In particular they need to clearly identify the charity, explain what data they will share with the charity, and be clear what it will be used for.

    See ‘What is valid consent?’ for more on when consent is freely given.

    Other inappropriate uses of consent

    Be very careful about using other pre-existing concepts of consent out of context, as these may not always be appropriate for data protection purposes.

    Even if you are under a separate legal or ethical requirement to get ‘consent’ to do something, this does not mean that you automatically have or need to have valid GDPR consent for any associated processing of personal data. In some cases, the standard of consent can be very different. It’s still important to consider your lawful basis carefully.

    If you are intending to rely on consent as your lawful basis, always check that the consent also meets the GDPR standard, rather than simply assuming it applies. In particular, implied consent won’t often be appropriate as a lawful basis for processing under the GDPR.

    Example

    In the healthcare sector, patient data is held under a duty of confidence. Healthcare providers generally operate on the basis of implied consent to share patient data for the purposes of direct care, without breaching confidentiality.

    Implied consent for direct care is industry practice in that context. But this ‘implied consent’ to share confidential patient records is not the same as consent to process personal data in the context of a lawful basis under the GDPR.

    In the healthcare context consent is often not the appropriate lawful basis under the GPDR. This type of assumed implied consent would not meet the standard of a clear affirmative act – or qualify as explicit consent for special category data, which includes health data. Instead, healthcare providers should identify another lawful basis (such as vital interests, public task or legitimate interests). For the stricter rules on special category data, Article 9(2)(h) specifically legitimises processing for health or social care purposes.

    Even if you are required to get a patient’s consent to the medical treatment itself, this is entirely separate from your data protection obligations. It does not mean that you have to rely on consent for your processing of the patient’s personal data.

    As a general rule, whenever you have difficulty meeting the standard for consent, this is a warning sign that consent may not be the most appropriate basis for your processing. So we recommend you look for another basis.

    Further reading - ICO guidance

    For more information on selecting the most appropriate lawful basis for your processing, see the lawful basis pages of our Guide to GDPR and use our Lawful basis interactive guidance tool (external link)

    Further reading – European Data Protection Board

    The European Data Protection Board (EDPB) consists of representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

    The EDPB have produced Guidance on Consent.

    If you are looking for another lawful basis, these are set out in Article 6(1). In summary, you can process personal data without consent if it’s necessary for:

    • A contract with the individual: for example, to supply goods or services they have requested, or to fulfil your obligations under an employment contract. This also includes steps taken at their request before entering into a contract.
    • Compliance with a legal obligation: if you are required by UK or EU law to process the data for a particular purpose, you can.
    • Vital interests: you can process personal data if it’s necessary to protect someone’s life. This could be the life of the data subject or someone else.
    • A public task: if you need to process personal data to carry out your official functions or a task in the public interest – and you have a legal basis for the processing under UK law – you can. If you are a UK public authority, our view is that this is likely to give you a lawful basis for many if not all of your activities.
    • Legitimate interests: you can process personal data without consent if you need to do so for a genuine and legitimate reason (including commercial benefit), unless this is outweighed by the individual’s rights and interests. Please note however that public authorities are restricted in their ability to use this basis.

    Private-sector or third-sector organisations will often be able to consider the ‘legitimate interests’ basis in Article 6(1)(f) if they find it hard to meet the standard for consent and no other specific basis applies. This recognises that you may have good reason to process someone’s personal data without their consent – but you must avoid doing anything they would not expect, ensure there is no unwarranted impact on them, and that you are still fair, transparent and accountable.

    If you are a public authority and can demonstrate that the processing is to perform your official functions as set down in UK law, then the ‘public task’ basis is likely to be more appropriate. If not, you may still be able to consider legitimate interests or one of the other bases. As always, you need to ensure you are fair, transparent and accountable.

    If you are looking for other conditions for processing special category data, these are set out in Article 9(2) (supplemented by the Data Protection Act 2018). These are more limited and specific, and for example they include provisions covering employment law, health and social care, and research. See our guidance on special category data for more information.

    The Guide to GDPR also contains more guidance on the rules for restricted processing, automated decision-making (including profiling), and overseas transfers.

    Remember that even if you are not asking for consent, you still need to provide clear and comprehensive information about how you use personal data to comply with the right to be informed.

    Further reading – ICO tool

    ICO have produced the lawful basis interactive guidance tool (external link), to give tailored guidance on which lawful basis is likely to be most appropriate for your processing activities.

  • What is valid consent?

    In detail

    Consent is defined in Article 4(11) as:

    “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

    Article 7 also sets out further ‘conditions’ for consent, with specific provisions on:

    • keeping records to demonstrate consent;
    • prominence and clarity of consent requests;
    • the right to withdraw consent easily and at any time; and
    • freely given consent if a contract is conditional on consent.

    Consent means giving people genuine choice and control over how you use their data. If the individual has no real choice, consent is not freely given and it will be invalid.

    This means people must be able to refuse consent without detriment, and must be able to withdraw consent easily at any time. It also means consent should be unbundled from other terms and conditions (including giving separate granular consent options for different types of processing) wherever possible.

    The GDPR is clear that consent should not be bundled up as a condition of service unless it is necessary for that service:

    Article 7(4) says:

    “When assessing whether consent is freely given, utmost account shall be taken of whether… the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

    And Recital 43 says:

    “Consent is presumed not to be freely given… if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”

    Example

    An online furniture store requires customers to consent to their details being shared with other homeware stores as part of the checkout process. The store is making consent a condition of sale – but sharing the data with other stores is not necessary for that sale, so consent is not freely given and is not valid. The store could ask customers to consent to passing their data to named third parties but it must allow them a free choice to opt in or out.

    The store also requires customers to consent to their details being passed to a third-party courier who will deliver the goods. This is necessary to fulfil the order, so consent can be considered freely given - although ’performance of a contract’ is likely to be the more appropriate lawful basis.

    In some limited circumstances you might be able to overturn this presumption that bundled consent is not freely given, and argue that consent might be valid even though it is a precondition and the processing is not strictly necessary. You need to be able to demonstrate a very clear justification for this, based on the specific circumstances.

    However, this is likely to be unusual. Given the language of Article 7(4) and Recital 43, you would always be taking a risk that the consent would be considered invalid as not ‘freely given’. In general, it would be better to rely on ‘legitimate interests’ as your lawful basis in such cases, combined with clear and transparent privacy information.

    The GDPR is also clear that people must be able to refuse and withdraw consent without being penalised:

    “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”

    The ICO’s view is that it may still be possible to incentivise consent to some extent. There will usually be some benefit to consenting to processing. For example, if joining the retailer’s loyalty scheme comes with access to money-off vouchers, there is clearly some incentive to consent to marketing. The fact that this benefit is unavailable to those who don’t sign up does not amount to a detriment for refusal. However, you must be careful not to cross the line and unfairly penalise those who refuse consent.

    Freely given consent will also be more difficult to obtain in the context of a relationship where there is an imbalance of power – particularly for public authorities and employers. Recital 43 says:

    “In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation…..”

    See the section on 'When is consent appropriate' for further guidance on imbalance of power.

    Further reading – European Data Protection Board

    The European Data Protection Board (EDPB) consists of representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

    The EDPB have produced Guidance on Consent.

    Consent needs to be specific and informed. This means it must specifically cover the following:

    • The controller’s identity: recital 42 says the individual should know the identity of the controller. This means you need to identify yourself, and also name any third party controllers who will be relying on the consent. If you buy in ‘consented’ data, that consent is only valid for your processing if you were specifically identified. You don’t need to name your processors in your consent request (although you do need to comply with separate transparency obligations).
    • The purposes of the processing: recital 43 says separate consent will be needed for different processing operations wherever appropriate – so you need to give granular options to consent separately to separate purposes, unless this would be unduly disruptive or confusing. And in every case, a consent request must specifically cover all purposes for which you seek consent.
    • The processing activities: again, where possible you should provide granular consent options for each separate type of processing, unless those activities are clearly interdependent – but as a minimum you must specifically cover all processing activities.
    • The right to withdraw consent at any time: we also advise you should include details of how to do so.

    These rules about consent requests are separate from your transparency obligations under the right to be informed, which apply whether or not you are relying on consent.

    You must clearly explain to people what they are consenting to in a way they can easily understand. The request for consent needs to be prominent, concise, separate from other terms and conditions, and in plain language.

    If the request for consent is vague, sweeping or difficult to understand, then it will be invalid. In particular, language likely to confuse – for example, the use of double negatives or inconsistent language – will invalidate consent.

    Recital 32 also makes clear that electronic consent requests must not be unnecessarily disruptive to users. You need to give some thought to how best to tailor your consent requests and methods to ensure clear and comprehensive information without confusing people or disrupting the user experience – for example, by developing user-friendly layered information and just-in-time consents.

    It is important to remember however that this is not an exemption and avoiding disruption does not override the need to ensure that consent requests are clear and specific. Some level of disruption may be necessary to obtain valid consent.

    You need to keep your consents under review and refresh them if your purposes or activities evolve beyond what you originally specified. Consent will not be specific enough if details change – there is no such thing as ‘evolving’ consent.

    Even if your new purpose is considered ‘compatible’ with your original purpose, this does not override the need for consent to be specific. If you were relying on consent you therefore need to either get fresh specific consent, or else identify a new lawful basis for the new purpose.

    See ‘How should you obtain, record and manage consent?’ for guidance on what this means in practice.

    Further reading - ICO guidance

    For more on your separate transparency obligations, see our right to be informed guidance.

    It must be obvious that the individual has consented, and what they have consented to. This requires more than just a confirmation that they have read terms and conditions – there must be a clear signal that they agree. If there is any room for doubt, it is not valid consent.

    The GDPR is clear that consent requires clear affirmative action, and Recital 32 sets out additional guidance on this:

    “Consent should be given by a clear affirmative act… such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”

    Clear affirmative action means someone must take deliberate and specific action to opt in or agree to the processing, even if this is not expressed as an opt-in box. For example, other affirmative opt-in methods might include signing a consent statement, oral confirmation, a binary choice presented with equal prominence, or switching technical settings away from the default.

    The key point is that all consent must be opt-in consent, ie a positive action or indication – there is no such thing as ‘opt-out consent’. Failure to opt out is not consent as it does not involve a clear affirmative act. You may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way. All of these methods also involve ambiguity – and for consent to be valid it must be both unambiguous and affirmative. It must be clear that the individual deliberately and actively chose to consent.

    The idea of an affirmative act does still leave room for implied methods of consent in some circumstances, particularly in more informal offline situations. The key issue is that there must still be a positive action that makes it clear someone is agreeing to the use of their information for a specific and obvious purpose. However, this type of implied method of indicating consent would not extend beyond what was obvious and necessary.

    Example

    An individual drops their business card into a prize draw box in a coffee shop. This is an affirmative act that clearly indicates they agree to their name and contact number being processed for the purposes of the prize draw. However, this consent does not extend to using those details for marketing or any other purpose and you would need a different lawful basis to do so.

    Example

    An individual submits an online survey about their eating habits. By submitting the form they are clearly indicating consent to process their data for the purposes of the survey itself. Submitting the form will not, however, be enough by itself to show valid consent for any further uses of the information.

    Unambiguous consent also links in with the requirement that consent must be verifiable. Article 7(1) makes it clear you must be able to demonstrate that someone has consented.

    See ‘How should you obtain, record and manage consent?’ for guidance on what this all means in practice.

    Explicit consent is not defined in the GDPR, but it is not likely to be very different from the usual high standard of consent. All consent must involve a specific, informed and unambiguous indication of the individual’s wishes. The key difference is likely to be that ‘explicit’ consent must be affirmed in a clear statement (whether oral or written).

    The definition of consent says the data subject can signify agreement either by a statement (which would count as explicit consent) or by a clear affirmative action (which would not). Consent that is inferred from someone’s actions cannot be explicit consent, however obvious it might be that they consent. Explicit consent must be expressly confirmed in words.

    Individuals do not have to write the consent statement in their own words; you can write it for them. However you need to make sure that individuals can clearly indicate that they agree to the statement – for example by signing their name or ticking a box next to it.

    If you need explicit consent, you should take extra care over the wording. Even in a written context, not all consent will be explicit. You should always use an express statement of consent.

    Example

    A beauty spa gives a form to its customers on arrival which includes the following:

    Skin type and details of any skin conditions (optional):

    We will use this information to recommend appropriate beauty products.

     

    If someone enters details of their skin conditions, this is likely to be a freely given, specific, informed and unambiguous affirmative act agreeing to use of that data to make such recommendations – but is arguably still implied consent rather than explicit consent.

    Another beauty spa uses the following statement instead:

    Skin type and details of any skin conditions (optional):

    I consent to you using this information to recommend appropriate beauty products ☐

     

    If the individual ticks the box, they have explicitly consented to the processing.

    An explicit consent statement also needs to specifically refer to the element of the processing that requires explicit consent. For example, the statement should specify the nature of the special category data, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of the transfer.

    The ‘explicit’ element of any consent should also be separate from any other consents you are seeking, in line with the guidance in Recital 43 on appropriate granular control.

    You can obtain explicit consent orally, but you need to make sure you keep a record of the script.

    The GDPR does not set a specific time limit for consent. Consent is likely to degrade over time, but how long it lasts will depend on the context. You need to consider the scope of the original consent and the individual’s expectations.

    Example

    A gym runs a promotion that gives members the opportunity to opt in to receiving emails with tips about healthy eating and how to get in shape for their summer holiday that year.

    As the consent request specifies a particular timescale and end point – their summer holiday – the expectation will be that these emails will cease once the summer is over. The consent will therefore expire.

    If your processing operations or purposes evolve, your original consents may no longer be specific or informed enough – and you cannot infer broader consent from a simple failure to object. If this happens, you will need to seek fresh consent or identify another lawful basis.

    If someone withdraws consent, you need to cease processing based on consent as soon as possible in the circumstances. This will not affect the lawfulness of your processing up to that point.

    Parental consent won’t automatically expire when the child reaches the age at which they can consent for themselves, but you need to bear in mind that you may need to refresh consent more regularly.

    You should keep your consents under review and consider refreshing consent at appropriate user-friendly intervals. See the section on 'How should you manage consent?' for further information.

    The GDPR does not prevent a third party acting on behalf of an individual to indicate their consent. However, you need to be able to demonstrate that the third party has the authority to do so.

    In practice, it is likely to be difficult in most cases to verify that a third party has the authority to provide consent. You also still need to be able to demonstrate that the individual was fully informed and consent was freely given.

    This is most likely to be appropriate in cases where the individual lacks the capacity to consent and someone else has specific legal authority to make decisions on their behalf.

    The GDPR does not contain specific provisions on capacity to consent, but issues of capacity are bound up in the concept of ‘informed’ consent.

    Generally, you can assume that adults have the capacity to consent unless you have reason to believe the contrary. However, you should ensure that the information you provide enables your intended audience to be fully informed.

    It may be that you do have reason to believe that someone lacks the capacity to understand the consequences of consenting and so cannot give informed consent. If so, a third party with the legal right to make decisions on their behalf (eg under a Power of Attorney) can give consent.

    There are no global rules on children’s consent under the GDPR, but there is a specific provision in Article 8 on children’s consent for ‘information society services’ (services requested and delivered over the internet).

    In short, if you offer these types of services directly to children (other than preventive or counselling services) and you want to rely on consent rather than another lawful basis for your processing, you must get parental consent for children under 13 (which is the age set by the UK in the Data Protection Act 2018).

    If you choose to rely on children’s consent, you will need to implement age-verification measures, and make ‘reasonable efforts’ to verify parental responsibility for those under the relevant age.

    For other types of processing, the general rule in the UK is that you should consider whether the individual child has the competence to understand and consent for themselves (the ‘Gillick competence test’). In practice, you may still need to consider age-verification measures as part of this assessment, and take steps to verify parental consent for children without competence to consent for themselves.

    Consent is one possible lawful basis for processing children’s data, but remember that it is not the only option. Sometimes another lawful basis is more appropriate and provides better protection for the child. For example, you may find it beneficial to consider ‘legitimate interests’ as a potential lawful basis instead of consent. This will help ensure you assess the impact of your processing on children and consider whether it is fair and proportionate.

    Further reading - ICO guidance

    Children and the GDPR

    Legitimate interests

    Further reading – European Data Protection Board

    The European Data Protection Board (EDPB) consists of representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

    The EDPB have produced Guidance on Consent.

    There is no rule that says you have to rely on consent to process personal data for scientific research purposes.

    Even if you have a separate ethical or legal obligation to get consent from people participating in your research, this should not be confused with GDPR consent.

    Example

    The Clinical Trials Regulations apply to clinical trials on a medical product intended for human use. This includes a requirement to obtain ‘informed consent’ from individuals to participate in the trial.

    The GDPR does not alter this requirement. Recital 161 acknowledges that it still applies, but it is an entirely separate requirement about consent to participate in the trial. It should not be confused with consent to process personal data under the GDPR, and it does not override the obligation under Article 6 of the GDPR to identify an appropriate lawful basis.

    As a separate exercise, you must also ensure that you have a lawful basis for your processing under the GDPR, as well as a condition for the processing of special category data where necessary (eg clinical trials are highly likely to involve the processing of health data). Even if individuals have consented to participate in the research, you may well find that a different lawful basis (and a different special category data condition) is more appropriate in the circumstances.

    In particular, remember that consent under the GDPR can be withdrawn at any time. There is no exemption to this for scientific research. This means that if you are relying on consent as your lawful basis and the individual withdraws their consent, you need to stop processing their personal data - or anonymise it - straight away.

    If you would not be able to fully action a withdrawal of consent – for example because deleting data would undermine the research and full anonymisation is not possible – then you should not use consent as your lawful basis (or condition for processing special category data). Consent is only valid if the individual is able to withdraw it at any time.

    Please see the section on ‘How should you manage the right to withdraw consent?’ for further information.

    If you do want to rely on consent, the GDPR acknowledges that if you are collecting personal data for scientific research, you may not be able to fully specify your precise purposes in advance.

    If you are seeking consent to process personal data for scientific research, this means you don’t need to be as specific as for other purposes. However, you should identify the general areas of research, and where possible give people granular options to consent only to certain areas of research or parts of research projects.

    Further reading - ICO guidance

    For more help on choosing the most appropriate lawful basis for your processing, see the lawful basis pages of our Guide to GDPR, and ICO's lawful basis interactive guidance tool (external link).

    Our latest guidance on the conditions for processing special category data is available on the special category data page of our Guide.

    Further reading – European Data Protection Board        

    The European Data Protection Board (EDPB) consists of representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

    The EDPB have produced Guidance on Consent.

    In summary, you do not have valid consent if any of the following apply:

    • you have any doubts over whether someone has consented;
    • the individual doesn’t realise they have consented;
    • you don’t have clear records to demonstrate they consented;
    • there was no genuine free choice over whether to opt in;
    • the individual would be penalised for refusing consent;
    • there is a clear imbalance of power between you and the individual;
    • consent was a precondition of a service, but the processing is not necessary for that service;
    • the consent was bundled up with other terms and conditions;
    • the consent request was vague or unclear;
    • you use pre-ticked opt-in boxes or other methods of default consent;
    • your organisation was not specifically named;
    • you did not tell people about their right to withdraw consent;
    • people cannot easily withdraw consent; or
    • your purposes or activities have evolved beyond the original consent.
  • How should we obtain, record and manage consent?

    In detail

    Consent requests need to be prominent, concise, easy to understand and separate from any other information such as general terms and conditions.

    Article 7(2) says:

    “If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.”

    You should:

    • keep your consent request separate from your general terms and conditions, and clearly direct people’s attention to it;
    • use clear, straightforward language;
    • adopt a simple style that your intended audience will find easy to understand – this is particularly important if you are asking children to consent, in which case you may want to prompt parental input and you should also consider age-verification and parental-authorisation issues;
    • avoid technical or legal jargon and confusing terminology (eg double negatives);
    • use consistent language and methods across multiple consent options; and
    • keep your consent requests concise and specific, and avoid vague or blanket wording.

    Further reading - ICO guidance

    Children and the GDPR

    Consent must be specific and informed. You must as a minimum include:

    • the name of your organisation and the names of any other controllers who will rely on the consent – consent for categories of third-party controllers will not be specific enough;
    • why you want the data (the purposes of the processing);
    • what you will do with the data (the processing activities); and
    • that people can withdraw their consent at any time. It is good practice to tell them how to withdraw consent.

    This is separate from the transparency requirements of the right to be informed. You must also make sure you give individuals sufficient privacy information to comply with their right to be informed, but you don’t have to do this all in the consent request and there is more scope for a layered approach.

    There is a tension between ensuring that consent is specific enough and making it concise and easy to understand. In practice this means you may not be able to get blanket consent for a large number of controllers, purposes or processes. This is because you won’t be able to provide prominent, concise and readable information that is also specific and granular enough.

    If you do need to include a lot of information, take care to ensure it’s still prominent and easy to read.

    You may need to consider whether you have another lawful basis for any of the processing, so that you can focus your consent request. If you use another basis, you will still need to provide clear and comprehensive privacy information, but – as noted above - this is different from a consent request and there is more scope for a layered approach.

    You could also consider using ‘just-in-time’ notices. These work by appearing on-screen at the point the person inputs the relevant data, with a brief message about what the data will be used for. This will help you provide more information in a prominent, clear and specific way to ensure that consent is informed. However, you will need to combine the notices with an active opt-in and ensure this is not unduly disruptive to the user. There’s more on methods of consent below.

    See ‘What is valid consent?’ for more on the requirement for consent to be specific and informed.

    Further reading - ICO guidance

    For more guidance on a layered approach to transparency, and the use of just-in-time notices, see our Right to be informed guidance.

    Whatever method you use must meet the standard of an unambiguous indication by clear affirmative action. This means you must ask people to actively opt in. Examples of active opt-in mechanisms include:

    • signing a consent statement on a paper form;
    • ticking an opt-in box on paper or electronically;
    • clicking an opt-in button or link online;
    • selecting from equally prominent yes/no options;
    • choosing technical settings or preference dashboard settings;
    • responding to an email requesting consent;
    • answering yes to a clear oral consent request;
    • volunteering optional information for a specific purpose – eg filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box.

    If you need explicit consent, the opt-in needs to involve an express statement confirming consent. See ‘What is explicit consent?’ for more information.

    You cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions.

    The GDPR does not specifically ban opt-out boxes but they are essentially the same as pre-ticked boxes, which are banned. Both methods bundle up consent with other matters by default, and then rely to some extent on inactivity. They also increase the likelihood of confusion and ambiguity.

    The usual reason for using opt-out boxes is to get more people to consent by taking advantage of inaction – but this is a clear warning sign of a problem with the quality of the consent. You should instead use specific opt-in boxes (or another active opt-in method) to obtain consent.

    Example

    If you don’t want us to share your response with ABC company please tick here ☐
    If you would like us to share your response with ABC company please tick here ☐

    If you want consent for various different purposes or types of processing, you should provide a separate opt-in for each unless you are confident it is appropriate to bundle them together. People should not be forced to agree to all or nothing – they may want to consent to some things but not to others.

    If you are asking for consent electronically, consent must be “not unnecessarily disruptive to the use of the service for which it is provided”. You need to ensure you adopt the most user-friendly method you can. If your processing has a minimal privacy impact and is widely understood, you may be able to justify a less prominent or granular approach, or a greater reliance on technical settings. But you must still always ensure people have genuine choice and control, and take some positive action. Disruption is not an excuse for invalid consent.

    If you need to obtain an individual’s consent online, you don’t need to force people to create user accounts and sign in just so you can obtain verifiable consent. But you can of course offer this as an option, in case people want to save their preferences. Article 11 makes it clear that you don’t have to get additional information to identify the individual in order to comply.

    Instead, you could for example link the consent to a temporary session ID. Clearly, after the session ends and the link between the individual and the session is destroyed, you will need to seek fresh consent each time the individual returns to your website.

    If you are offering online services to children and want to rely on consent for your processing, you need to adopt age-verification measures and seek parental consent for children under 13. See 'What are the rules on children’s consent?'

    See ‘What is valid consent?’ for more on what the GDPR says about unambiguous indications of consent by clear affirmative action.

    Further reading - ICO guidance

    Right to be informed

    Article 7(1) says:

    “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”

    This means you must have an effective audit trail of how and when consent was given, so you can provide evidence if challenged. You should keep this evidence for as long as you are still processing based on the consent, so that you can demonstrate your compliance in line with accountability obligations.

    Good records will also help you to monitor and refresh consent as appropriate. You must keep good records that demonstrate the following:

    • Who consented: the name of the individual, or other identifier (eg, online user name, session ID).
    • When they consented: a copy of a dated document, or online records that include a timestamp; or, for oral consent, a note of the time and date which was made at the time of the conversation.
    • What they were told at the time: a master copy of the document or data capture form containing the consent statement in use at that time, along with any separate privacy policy or other privacy information, including version numbers and dates matching the date consent was given. If consent was given orally, your records should include a copy of the script used at that time.
    • How they consented: for written consent, a copy of the relevant document or data capture form. If consent was given online, your records should include the data submitted as well as a timestamp to link it to the relevant version of the data capture form. If consent was given orally, you should keep a note of this made at the time of the conversation - it doesn’t need to be a full record of the conversation.
    • Whether they have withdrawn consent: and if so, when.

    Example

    You keep a spreadsheet with ‘consent provided’ written against a customer’s name.
    You keep a copy of the customer’s signed and dated form that shows they ticked to provide their consent to the specific processing.

    Example

    You keep the time and date of consent linked to an IP address, with a web link to your current data-capture form and privacy policy.
    You keep records that include an ID and the data submitted online together with a timestamp. You also keep a copy of the version of the data-capture form and any other relevant documents in use at that date.

    Example

    You put a tick next to a customer’s name to indicate that they told you verbally that they consent.
    You keep records that include the time and date of the conversation, the name and date/version of the script used.

    Consent should be specific and granular, so your records also need to be specific and granular to demonstrate exactly what the consent covers.

    For online consent, you may be able to use an appropriate cryptographic hash function to support data integrity.

    Your obligations don’t end when you get consent. You should view consent as a dynamic part of your ongoing relationship of trust with individuals, not a one-off compliance box to tick and file away. To reap the benefits of consent, you need to offer ongoing choice and control.

    It is good practice to provide preference-management tools like privacy dashboards to allow people to easily access and update their consent settings.

    If you don’t offer a privacy dashboard, you need to provide other easy ways for people to withdraw consent at any time they choose. See ‘How should you manage the right to withdraw consent?’

    You should keep your consents under review. You will need to refresh them if anything changes – for example, if your processing operations or purposes evolve, the original consent may not be specific or informed enough. If you rely on parental consent, bear in mind that you may need to refresh consent more regularly as the children grow up and can consent for themselves. If you are in any doubt about whether the consent is still valid, you should refresh it. See ‘How long does consent last?’ for more on this.

    You should also consider whether to automatically refresh consent at appropriate intervals. How often it’s appropriate to do so will depend on the particular context, including people’s expectations, whether you are in regular contact, and how disruptive repeated consent requests would be to the individual. If in doubt, we recommend you consider refreshing consent every two years – but you may be able to justify a longer period, or need to refresh more regularly to ensure good levels of trust and engagement.

    If you are not in regular contact with individuals, you could also consider sending occasional reminders of their right to withdraw consent and how to do so.

    Further reading - ICO guidance

    For more on preference-management tools, see our guidance on the Right to be informed.

    The GDPR gives people a specific right to withdraw their consent. You need to ensure that you put proper withdrawal procedures in place.

    Article 7(3) says:

    “The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.”

    As the right to withdraw is ‘at any time’, it’s not enough to provide an opt-out only by reply. The individual must be able to opt out at any time they choose, on their own initiative.

    It must also be as easy to withdraw consent as it was to give it. This means the process of withdrawing consent should be an easily accessible one-step process. If possible, individuals should be able to withdraw their consent using the same method as when they gave it.

    Example

    An individual gives their consent using Company A’s online form. At a later date they decide they wish to withdraw their consent. Company A provides a phone number for withdrawing consent.
    An individual gives their consent using Company B’s online form. At a later date they decide they wish to withdraw their consent. Company B provides an online form for withdrawing consent, available from an opt-out link at the bottom of every page.

    Example

    Company C gets consent over the phone. The individual decides at a later date they wish to withdraw their consent. Company C provides a postal address for the individual to use to withdraw their consent.
    Company D also gets consent over the phone. The individual decides at a later date they wish to withdraw their consent. Company D provides a phone number for anyone wishing to withdraw their consent.

    It is good practice to publicise both online preference-management tools and other ways of opting out, such as customer-service phone numbers. You should bear in mind that not everyone is confident with technology or has easy access to the internet. If someone originally gave consent on paper or in person, it may not be enough to offer only an online opt-out.

    It is also good practice to provide both anytime opt-out mechanisms, such as privacy dashboards, and opt-out by reply to every contact. This could include an unsubscribe link in an email, or an opt-out phone number, address or web link printed in a letter.

    The GDPR does not prevent a third party acting on behalf of an individual to withdraw their consent, but you need to be satisfied that the third party has the authority to do so. This leaves the door open for sectoral opt-out registers or other broader shared opt-out mechanisms, which could help individuals regain control they might feel they have lost. It might also help to demonstrate that consent is as easy to withdraw as it was to give.

    Example

    The Fundraising Regulator has set up the Fundraising Preference Service (FPS). The FPS operates as a mechanism to withdraw consent to charity fundraising. If an individual wishes to stop receiving marketing from particular charities, they can use the FPS to withdraw consent from those specific charities.

    Individuals must be able to withdraw their consent to processing without suffering any detriment. If there is a penalty for withdrawing consent, the consent would be invalid as it would not be freely given. See ‘When is consent valid?’ for more on freely given consent.

    If someone withdraws their consent, this does not affect the lawfulness of the processing up to that point. However, it does mean you can no longer rely on consent as your lawful basis for processing. You will need to stop any processing that was based on consent. You are not be able to swap to a different lawful basis for this processing (although you may be able to retain the data for a different purpose under another lawful basis if it is fair to do so – and you should have made this clear from the start). Even if you could originally have relied on a different lawful basis, once you choose to rely on consent you are handing control to the individual. It is inherently unfair to tell people they have a choice, but then continue the processing after they withdraw their consent.

    If someone withdraws consent, you should stop the processing as soon as possible. In some cases it will be possible to stop immediately, particularly in an online automated environment. However, in other cases you may be able to justify a short delay while you process the withdrawal.

    Withdrawals of consent also apply to special category data where explicit consent is being used. Therefore if you are using explicit consent as your Article 9 condition and the individual withdraws their consent you can no longer use this as your condition. However, unlike Article 6, it could be possible for you to use a different Article 9 condition instead but you still need to ensure that this is communicated to the individual and is fair.

    You must include details of the right to withdraw consent in your privacy information and consent requests. It is good practice to also include details of how to withdraw consent.

    In some cases you may need to keep a record of the withdrawal of consent for your own purposes – for example, to maintain suppression records so that you can comply with direct marketing rules. You don’t need consent for this, as long as you tell individuals that you will keep these records, why you need them, and your lawful basis for this processing (eg legal obligation or legitimate interests).

No questions matching current filter

Thank you for reading.

Was this article helpful?
Dislike 0
Views: 322