Using positive opt-in to gain consent, without pre-ticked boxes or any other type of default consent

Overview

Consent requires a positive opt-in. This means a person must actively grant consent. Consent may never be given by default.

Acceptable forms of opt-in consent are:

  • signing a consent statement on a paper form;
  • ticking an opt-in box on paper or electronically;
  • clicking an opt-in button or link online;
  • selecting from equally prominent yes/no options;
  • choosing technical settings or preference dashboard settings;
  • responding to an email requesting consent;
  • answering yes to a clear oral consent request;
  • volunteering optional information for a specific purpose – eg filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box.

Example

You must use opt-in boxes, not opt-out boxes.

The usual reason for using opt-out boxes is to get more people to consent by taking advantage of inaction – but this is a clear warning sign of a problem with the quality of the consent. You should instead use specific opt-in boxes (or another active opt-in method) to obtain consent.

Opt-out box (do not use): If you don’t want us to share your response with ABC company please tick here ☐

Opt-in box (use this): If you would like us to share your response with ABC company please tick here ☐

If you want consent for various different purposes or types of processing, you should provide a separate opt-in for each unless you are confident it is appropriate to bundle them together. People should not be forced to agree to all or nothing – they may want to consent to some things but not to others. 

If you need explicit consent, the opt-in needs to involve an express statement confirming consent. 

You cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions.

What the regulator says

Consent means giving people genuine choice and control over how you use their data. If the individual has no real choice, consent is not freely given and it will be invalid.

This means people must be able to refuse consent without detriment and must be able to withdraw consent easily at any time. It also means consent should be unbundled from other terms and conditions (including giving separate granular consent options for different types of processing) wherever possible.

Consent is defined in Article 4(11) as:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Article 7 also sets out further ‘conditions’ for consent, with specific provisions on:

  • keeping records to demonstrate consent;
  • prominence and clarity of consent requests;
  • the right to withdraw consent easily and at any time; and
  • freely given consent if a contract is conditional on consent.

Whatever method you use must meet the standard of an unambiguous indication by clear affirmative action. This means you must ask people to actively opt in. Examples of active opt-in mechanisms include:

  • signing a consent statement on a paper form;
  • ticking an opt-in box on paper or electronically;
  • clicking an opt-in button or link online;
  • selecting from equally prominent yes/no options;
  • choosing technical settings or preference dashboard settings;
  • responding to an email requesting consent;
  • answering yes to a clear oral consent request;
  • volunteering optional information for a specific purpose – eg filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box.

If you need explicit consent, the opt-in needs to involve an express statement confirming consent. See ‘What is explicit consent?’ for more information.

You cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions.

The GDPR does not specifically ban opt-out boxes but they are essentially the same as pre-ticked boxes, which are banned. Both methods bundle up consent with other matters by default, and then rely to some extent on inactivity. They also increase the likelihood of confusion and ambiguity.

The usual reason for using opt-out boxes is to get more people to consent by taking advantage of inaction – but this is a clear warning sign of a problem with the quality of the consent. You should instead use specific opt-in boxes (or another active opt-in method) to obtain consent.

If you want consent for various different purposes or types of processing, you should provide a separate opt-in for each unless you are confident it is appropriate to bundle them together. People should not be forced to agree to all or nothing – they may want to consent to some things but not to others.

If you are asking for consent electronically, consent must be “not unnecessarily disruptive to the use of the service for which it is provided”. You need to ensure you adopt the most user-friendly method you can. If your processing has a minimal privacy impact and is widely understood, you may be able to justify a less prominent or granular approach, or a greater reliance on technical settings. But you must still always ensure people have genuine choice and control, and take some positive action. Disruption is not an excuse for invalid consent.

If you need to obtain an individual’s consent online, you don’t need to force people to create user accounts and sign in just so you can obtain verifiable consent. But you can of course offer this as an option, in case people want to save their preferences. Article 11 makes it clear that you don’t have to get additional information to identify the individual in order to comply.

Instead, you could for example link the consent to a temporary session ID. Clearly, after the session ends and the link between the individual and the session is destroyed, you will need to seek fresh consent each time the individual returns to your website.

If you are offering online services to children and want to rely on consent for your processing, you need to adopt age-verification measures and seek parental consent for children under 13. See ‘What are the rules on children’s consent?’

See ‘What is valid consent?’ for more on what the GDPR says about unambiguous indications of consent by clear affirmative action.
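The session-linked consent described above, combined with per-purpose opt-in and no default consent, can be handled on the server as in the following added example (not code from the regulator or from this page). The purpose names, the `consent_<purpose>` form-field names and the in-memory store are assumptions, and session IDs are assumed to come from the site's own session layer.

```javascript
// Added example. Purpose names, form-field names and the in-memory store are
// assumptions; session IDs are issued by the site's own session layer.
const PURPOSES = ['share_with_abc', 'marketing_email']; // constructed purposes
const sessions = new Map(); // sessionId -> Map(purpose -> consent record)

function startSession(sessionId) {
  sessions.set(sessionId, new Map()); // a new session starts with no consent
}

// formFields is the parsed form body, e.g. { consent_marketing_email: 'yes' }.
// Only an explicit 'yes' for a known purpose counts. A missing field, an empty
// value or an unticked opt-out box is never read as consent.
function recordConsent(sessionId, formFields, wordingVersion) {
  const store = sessions.get(sessionId);
  if (!store) throw new Error('session ended: ask for consent again');
  for (const purpose of PURPOSES) {
    if (formFields['consent_' + purpose] === 'yes') {
      // Keep when and against which wording consent was given, as a record.
      store.set(purpose, { grantedAt: new Date().toISOString(), wordingVersion });
    }
  }
  return [...store.keys()];
}

function hasConsent(sessionId, purpose) {
  const store = sessions.get(sessionId);
  return Boolean(store && store.has(purpose));
}

// Withdrawal is one call per purpose and leaves other purposes untouched.
function withdrawConsent(sessionId, purpose) {
  const store = sessions.get(sessionId);
  return store ? store.delete(purpose) : false;
}

// Ending the session destroys the link, so nothing carries over to a return visit.
function endSession(sessionId) {
  return sessions.delete(sessionId);
}
```

Processing code should call `hasConsent` for the specific purpose immediately before acting, so a withdrawal or an ended session takes effect at once.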

References

  • GDPR - Definitions - Article 4 (11)
  • GDPR Recital 42