Consent is "express permission" granted to you by an individual to process their information in a specific way that you have declared to them for that purpose.
It is one of the six legal bases you can use for processing (recording, storing, editing or sharing) personal data. Consent is most often needed when you want permission to use personal data for reasons other than your core service.
Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
A builder might record (process) your address so they can find your property to fulfil a contracted service. However, they would need to get your consent (permission) to be able to use your address for a different purpose such as to send promotional leaflets to you.
What the regulator says
The GDPR sets a high standard for consent, but the biggest change is what this means in practice for your consent mechanisms.
The GDPR is clearer that an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). It specifically bans pre-ticked opt-in boxes. It also requires distinct (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.
You must keep clear records to demonstrate consent.
The GDPR gives a specific right to withdraw consent. You need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time.
Public authorities, employers and other organisations in a position of power may find it more difficult to show valid freely given consent.
You need to review existing consents and your consent mechanisms to check they meet the GDPR standard. If they do, there is no need to obtain fresh consent.
Why is consent important?
Consent is one lawful basis for processing, and explicit consent can also legitimise use of special category data. Consent may also be relevant where the individual has exercised their right to restriction, and explicit consent can legitimise automated decision-making and overseas transfers of data.
Genuine consent should put individuals in control, build trust and engagement, and enhance your reputation.
Relying on inappropriate or invalid consent could destroy trust and harm your reputation – and may leave you open to large fines.
When is consent appropriate?
Consent is one lawful basis for processing, but there are alternatives. Consent is not inherently better or more important than these alternatives. If consent is difficult, you should consider using an alternative.
Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.
If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis.
Public authorities, employers and other organisations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given.
What is valid consent?
Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.
Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.
Explicit consent must be expressly confirmed in words, rather than by any other positive action.
There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
How should we obtain, record and manage consent?
Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include:
- the name of your organisation;
- the name of any third party controllers who will rely on the consent;
- why you want the data;
- what you will do with it; and
- that individuals can withdraw consent at any time.
You must ask people to actively opt in. Don’t use pre-ticked boxes, opt-out boxes or other default settings. Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing.
Keep records to evidence consent – who consented, when, how, and what they were told.
Make it easy for people to withdraw consent at any time they choose. Consider using preference-management tools.
Keep consents under review and refresh them if anything changes. Build regular consent reviews into your business processes.
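The obtain, record and manage steps above, as an added example that is not part of the original page: an in-memory consent register (hypothetical class names, constructed values) that accepts only an affirmative opt-in, keeps one record per purpose so consent stays granular, retains who/when/how/what-they-were-told as evidence, supports withdrawal without deleting the evidence, and treats consent older than a review period as needing a refresh.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class ConsentRecord:
    """Evidence of one granular consent: who, when, how, and what they were told."""
    subject_id: str
    controller: str        # name of the organisation relying on the consent
    purpose: str           # one purpose per record (granular consent)
    given_at: datetime
    method: str            # how it was captured, e.g. "unticked web checkbox"
    notice_version: str    # identifies the wording shown to the individual
    withdrawn_at: Optional[datetime] = None

class ConsentRegister:
    """Hypothetical register; keyed by (subject, purpose) so purposes are separate."""
    def __init__(self, review_after: timedelta = timedelta(days=365)):
        self.review_after = review_after   # assumed review period; context-dependent
        self._records: dict[tuple[str, str], ConsentRecord] = {}

    def record_opt_in(self, subject_id: str, controller: str, purpose: str, method: str,
                      notice_version: str, affirmative_action: bool, at: datetime) -> ConsentRecord:
        # Only a clear affirmative act counts; a pre-ticked or default setting is rejected.
        if not affirmative_action:
            raise ValueError("consent requires an affirmative opt-in")
        rec = ConsentRecord(subject_id, controller, purpose, at, method, notice_version)
        self._records[(subject_id, purpose)] = rec
        return rec

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> bool:
        rec = self._records.get((subject_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = at   # keep the record as evidence; do not delete it
        return True

    def is_valid(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """True only for this exact purpose, not withdrawn, and not overdue for review."""
        rec = self._records.get((subject_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        return now - rec.given_at <= self.review_after

    def evidence(self, subject_id: str, purpose: str) -> Optional[dict]:
        """Return the stored record (who, when, how, what they were told) for audit."""
        rec = self._records.get((subject_id, purpose))
        return asdict(rec) if rec else None
```

A real deployment would persist these records and expose the withdrawal path through the same channel the consent was collected on.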
- GDPR - Definitions - Article 4 (11)
- GDPR - Lawfulness of Processing - Article 6 (1a)
- GDPR - Conditions for Consent - Article 7
- GDPR - Conditions applicable to child's consent in relation to information society services - Article 8
- GDPR - Processing of special categories of personal data - Article 9 (2a)
- GDPR - Recitals 32, 38, 40, 42, 43, 171