General Data Protection Regulation (GDPR)
Consent under the GDPR
Consent is a core principle of data protection law. It is one of the lawful basis for processing personal data, but it may not always be appropriate or easiest for organisations to rely on.
There are five other lawful bases you can consider - see legal basis for processing of personal data.
GDPR definition of consent
The definition of consent under the GDPR doesn't drastically change from the preceding legislation, but it raises the bar on how you should ask for, record and manage consent.
Under the GDPR, consent means 'any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her'.
Conditions for consent
Under the GDPR, consent will only be valid if:
- It is freely given - ie it gives people genuine choice and control over how you use their data.
- It is obvious and requires a clear positive action to opt in - consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand.
- It is specific and informed - a consent request must cover the controller's name, the purposes of the processing and the types of processing activity.
- It is expressly confirmed in words - in case of explicit consent - rather than by any other positive action.
Find out what makes consent valid.
When do you need consent?
You may need consent in a number of circumstances. For example:
- if no other legal basis for data processing applies
- if you want to use or share someone's data in unexpected or potentially intrusive ways
- if you are using special category data, you may need explicit consent to legitimise the processing (unless specific conditions apply)
- for many types of marketing calls and messages, website cookies and online tracking - you can find rules for this in the Privacy and Electronic Communications Regulations (PECR).
It's worth noting that the European Union is in the process of replacing current e-privacy laws (and therefore PECR). The new e-privacy regulation is likely to apply the GDPR definition of consent, but the final text has yet to be agreed.
When should you not use consent?
Consent may be inappropriate if:
- you can't offer people a genuine choice over how they use their data
- you could process data on a different lawful basis if consent is refused or withdrawn
- you ask for consent as a precondition of accessing your services
- you are in a position of power over the individual, eg an employer processing employee data
How to seek consent to process personal data?
In practice, the high standards of consent under the GDPR mean that you can no longer rely on passive acceptance of consent, such as silence, pre-ticked boxes or inactivity. In fact, you must:
- obtain consent upfront, before processing begins (eg through privacy notices)
- make consent requests clear and simple to understand
- tell people clearly what you do with their consent, and whether you do any processing on a different lawful basis
- be able to verify consent
- provide clear and more granular opt-in methods
- diligently document any records of consent
- offer easy ways for people to withdraw consent at any time
- avoid making consent a condition of a contract
When processing the data of children in the context of online services, you must also ensure that you can verify their age and obtain the consent of a legal guardian. Find out more about children's consent for online services and processing children's personal data.
Specific provisions apply to consent for scientific research purposes.
Requirement to prove consent
The GDPR places the burden of proof with organisations to show that they have lawfully obtained consent. If you rely on consent for processing personal data, you should review:
- how you seek, obtain and record consent
- if the consent you obtained meets the standards required by the GDPR
- if the agreements you have in place with business partners comply with the GDPR
- your audit trail, particularly if a third party obtains consent on your behalf
Private sector businesses will often be able to consider legitimate interest basis if they find it hard to meet the standard for consent. Consider these alternatives to consent.
Consent and individual rights
Individuals' rights will be affected if you rely on consent for processing their personal data. In addition to the right to be informed, they will also have:
- the right to erasure (also known as 'the right to be forgotten')
- the right to data portability
- the right to withdraw consent - which in effect operates as a right to stop the processing
However, where processing is based on consent, they won't have the right to object. See more on data subject rights under the GDPR.
The Information Commissioner's Office (ICO) has produced an interactive tool to help you determine which lawful basis is likely to be most appropriate for your processing activities. Use the ICO's lawful basis interactive guidance tool.
If you decide to use consent as your legal basis, see also Article 29 Working Party guidance on complying with the consent requirements of the GDPR.
This guide aims to help you understand GDPR and your obligations under the law, but it does not constitute legal advice. For definitive legal guidance, see the ICO's guide on GDPR or consider getting independent legal advice.