At a glance
- The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.
- Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
- Check your consent practices and your existing consents. Refresh your consents if they don’t meet the GDPR standard.
- Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
- Explicit consent requires a very clear and specific statement of consent.
- Keep your consent requests separate from other terms and conditions.
- Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
- Be clear and concise.
- Name any third party controllers who will rely on the consent.
- Make it easy for people to withdraw consent and tell them how.
- Keep evidence of consent – who, when, how, and what you told people.
- Keep consent under review, and refresh it if anything changes.
- Avoid making consent to processing a precondition of a service.
- Public authorities and employers will need to take extra care to show that consent is freely given, and should avoid over-reliance on consent.
Asking for consent
- We have checked that consent is the most appropriate lawful basis for processing.
- We have made the request for consent prominent and separate from our terms and conditions.
- We ask people to positively opt in.
- We don’t use pre-ticked boxes or any other type of default consent.
- We use clear, plain language that is easy to understand.
- We specify why we want the data and what we’re going to do with it.
- We give separate distinct (‘granular’) options to consent separately to different purposes and types of processing.
- We name our organisation and any third party controllers who will be relying on the consent.
- We tell individuals they can withdraw their consent.
- We ensure that individuals can refuse to consent without detriment.
- We avoid making consent a precondition of a service.
- If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.
- We keep a record of when and how we got consent from the individual.
- We keep a record of exactly what they were told at the time.
- We regularly review consents to check that the relationship, the processing and the purposes have not changed.
- We have processes in place to refresh consent at appropriate intervals, including any parental consents.
- We consider using privacy dashboards or other preference-management tools as a matter of good practice.
- We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
- We act on withdrawals of consent as soon as we can.
- We don’t penalise individuals who wish to withdraw consent.
Why is consent important?
The GDPR sets a high standard for consent, which must be unambiguous and involve a clear affirmative action (an opt-in).
It specifically bans pre-ticked opt-in boxes. It also requires distinct (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.
You must keep clear records to demonstrate consent.
The GDPR gives a specific right to withdraw consent. You need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time.
Public authorities, employers and other organisations in a position of power may find it more difficult to show valid freely given consent.
You need to review existing consents and your consent mechanisms to check they meet the GDPR standard. If they do, there is no need to obtain fresh consent.
Consent is one lawful basis for processing, and explicit consent can also legitimise use of special category data. Consent may also be relevant where the individual has exercised their right to restriction, and explicit consent can legitimise automated decision-making and overseas transfers of data.
Genuine consent should put individuals in control, build trust and engagement, and enhance your reputation.
Relying on inappropriate or invalid consent could destroy trust and harm your reputation – and may leave you open to large fines.
When is consent appropriate?
Consent is one lawful basis for processing, but there are alternatives. Consent is not inherently better or more important than these alternatives. If consent is difficult, you should consider using an alternative.
Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.
If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis.
Public authorities, employers and other organisations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given.
What is valid consent?
Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.
Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.
Explicit consent must be expressly confirmed in words, rather than by any other positive action.
There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
How should we obtain, record and manage consent?
Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include:
the name of your organisation;
the name of any third party controllers who will rely on the consent;
why you want the data;
what you will do with it; and
that individuals can withdraw consent at any time.
You must ask people to actively opt in. Don’t use pre-ticked boxes, opt-out boxes or other default settings. Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing.
Keep records to evidence consent – who consented, when, how, and what they were told.
Make it easy for people to withdraw consent at any time they choose. Consider using preference-management tools.
Keep consents under review and refresh them if anything changes. Build regular consent reviews into your business processes.
In more detail – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the EU version of the GDPR.
WP29 adopted Guidelines on consent, which have been endorsed by the EDPB.
Thank you for reading.