In detail

How is consent defined?

Consent is defined in Article 4(11) as:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Article 7 also sets out further ‘conditions’ for consent, with specific provisions on:

  • keeping records to demonstrate consent;
  • prominence and clarity of consent requests;
  • the right to withdraw consent easily and at any time; and
  • freely given consent if a contract is conditional on consent.

What is ‘freely given’?

Consent means giving people genuine choice and control over how you use their data. If the individual has no real choice, consent is not freely given and it will be invalid.

This means people must be able to refuse consent without detriment, and must be able to withdraw consent easily at any time. It also means consent should be unbundled from other terms and conditions (including giving separate granular consent options for different types of processing) wherever possible.

The GDPR is clear that consent should not be bundled up as a condition of service unless it is necessary for that service:

Article 7(4) says:

“When assessing whether consent is freely given, utmost account shall be taken of whether… the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

And Recital 43 says:

“Consent is presumed not to be freely given… if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”

Example

An online furniture store requires customers to consent to their details being shared with other homeware stores as part of the checkout process. The store is making consent a condition of sale – but sharing the data with other stores is not necessary for that sale, so consent is not freely given and is not valid. The store could ask customers to consent to passing their data to named third parties but it must allow them a free choice to opt in or out.

The store also requires customers to consent to their details being passed to a third-party courier who will deliver the goods. This is necessary to fulfil the order, so consent can be considered freely given – although ‘performance of a contract’ is likely to be the more appropriate lawful basis.

In some limited circumstances you might be able to overturn this presumption that bundled consent is not freely given, and argue that consent might be valid even though it is a precondition and the processing is not strictly necessary. You need to be able to demonstrate a very clear justification for this, based on the specific circumstances.

However, this is likely to be unusual. Given the language of Article 7(4) and Recital 43, you would always be taking a risk that the consent would be considered invalid as not ‘freely given’. In general, it would be better to rely on ‘legitimate interests’ as your lawful basis in such cases, combined with clear and transparent privacy information.

The GDPR is also clear that people must be able to refuse and withdraw consent without being penalised:

“Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”

The ICO’s view is that it may still be possible to incentivise consent to some extent. There will usually be some benefit to consenting to processing. For example, if joining the retailer’s loyalty scheme comes with access to money-off vouchers, there is clearly some incentive to consent to marketing. The fact that this benefit is unavailable to those who don’t sign up does not amount to a detriment for refusal. However, you must be careful not to cross the line and unfairly penalise those who refuse consent.

Freely given consent will also be more difficult to obtain in the context of a relationship where there is an imbalance of power – particularly for public authorities and employers. Recital 43 says:

“In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation…”

See the section on ‘When is consent appropriate?’ for further guidance on imbalance of power.


What is ‘specific and informed’?

Consent needs to be specific and informed. This means it must specifically cover the following:

  • The controller’s identity: Recital 42 says the individual should know the identity of the controller. This means you need to identify yourself, and also name any third-party controllers who will be relying on the consent. If you buy in ‘consented’ data, that consent is only valid for your processing if you were specifically identified. You don’t need to name your processors in your consent request (although you do need to comply with separate transparency obligations).
  • The purposes of the processing: Recital 43 says separate consent will be needed for different processing operations wherever appropriate – so you need to give granular options to consent separately to separate purposes, unless this would be unduly disruptive or confusing. And in every case, a consent request must specifically cover all purposes for which you seek consent.
  • The processing activities: again, where possible you should provide granular consent options for each separate type of processing, unless those activities are clearly interdependent – but as a minimum you must specifically cover all processing activities.
  • The right to withdraw consent at any time: we also advise that you should include details of how to do so.

These rules about consent requests are separate from your transparency obligations under the right to be informed, which apply whether or not you are relying on consent.

You must clearly explain to people what they are consenting to in a way they can easily understand. The request for consent needs to be prominent, concise, separate from other terms and conditions, and in plain language.

If the request for consent is vague, sweeping or difficult to understand, then it will be invalid. In particular, language likely to confuse – for example, the use of double negatives or inconsistent language – will invalidate consent.

Recital 32 also makes clear that electronic consent requests must not be unnecessarily disruptive to users. You need to give some thought to how best to tailor your consent requests and methods to ensure clear and comprehensive information without confusing people or disrupting the user experience – for example, by developing user-friendly layered information and just-in-time consents.

It is important to remember however that this is not an exemption and avoiding disruption does not override the need to ensure that consent requests are clear and specific. Some level of disruption may be necessary to obtain valid consent.

You need to keep your consents under review and refresh them if your purposes or activities evolve beyond what you originally specified. Consent will not be specific enough if details change – there is no such thing as ‘evolving’ consent.

Even if your new purpose is considered ‘compatible’ with your original purpose, this does not override the need for consent to be specific. If you were relying on consent you therefore need to either get fresh specific consent, or else identify a new lawful basis for the new purpose.

See ‘How should you obtain, record and manage consent?’ for guidance on what this means in practice.

Further reading – ICO guidance

For more on your separate transparency obligations, see our right to be informed guidance.

What is an unambiguous indication (by statement or clear affirmative action)?

It must be obvious that the individual has consented, and what they have consented to. This requires more than just a confirmation that they have read terms and conditions – there must be a clear signal that they agree. If there is any room for doubt, it is not valid consent.

The GDPR is clear that consent requires clear affirmative action, and Recital 32 sets out additional guidance on this:

“Consent should be given by a clear affirmative act… such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”

Clear affirmative action means someone must take deliberate and specific action to opt in or agree to the processing, even if this is not expressed as an opt-in box. For example, other affirmative opt-in methods might include signing a consent statement, oral confirmation, a binary choice presented with equal prominence, or switching technical settings away from the default.

The key point is that all consent must be opt-in consent, ie a positive action or indication – there is no such thing as ‘opt-out consent’. Failure to opt out is not consent as it does not involve a clear affirmative act. You may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way. All of these methods also involve ambiguity – and for consent to be valid it must be both unambiguous and affirmative. It must be clear that the individual deliberately and actively chose to consent.

The idea of an affirmative act does still leave room for implied methods of consent in some circumstances, particularly in more informal offline situations. The key issue is that there must still be a positive action that makes it clear someone is agreeing to the use of their information for a specific and obvious purpose. However, this type of implied method of indicating consent would not extend beyond what was obvious and necessary.

Example

An individual drops their business card into a prize draw box in a coffee shop. This is an affirmative act that clearly indicates they agree to their name and contact number being processed for the purposes of the prize draw. However, this consent does not extend to using those details for marketing or any other purpose and you would need a different lawful basis to do so.

Example

An individual submits an online survey about their eating habits. By submitting the form they are clearly indicating consent to process their data for the purposes of the survey itself. Submitting the form will not, however, be enough by itself to show valid consent for any further uses of the information.

Unambiguous consent also links in with the requirement that consent must be verifiable. Article 7(1) makes it clear you must be able to demonstrate that someone has consented.

See ‘How should you obtain, record and manage consent?’ for guidance on what this all means in practice.

What is ‘explicit consent’?

Explicit consent is not defined in the GDPR, but it is not likely to be very different from the usual high standard of consent. All consent must involve a specific, informed and unambiguous indication of the individual’s wishes. The key difference is likely to be that ‘explicit’ consent must be affirmed in a clear statement (whether oral or written).

The definition of consent says the data subject can signify agreement either by a statement (which would count as explicit consent) or by a clear affirmative action (which would not). Consent that is inferred from someone’s actions cannot be explicit consent, however obvious it might be that they consent. Explicit consent must be expressly confirmed in words.

Individuals do not have to write the consent statement in their own words; you can write it for them. However you need to make sure that individuals can clearly indicate that they agree to the statement – for example by signing their name or ticking a box next to it.

If you need explicit consent, you should take extra care over the wording. Even in a written context, not all consent will be explicit. You should always use an express statement of consent.

Example

A beauty spa gives a form to its customers on arrival which includes the following:

Skin type and details of any skin conditions (optional):


We will use this information to recommend appropriate beauty products.

If someone enters details of their skin conditions, this is likely to be a freely given, specific, informed and unambiguous affirmative act agreeing to use of that data to make such recommendations – but is arguably still implied consent rather than explicit consent.

Another beauty spa uses the following statement instead:

Skin type and details of any skin conditions (optional):

[ ] I consent to you using this information to recommend appropriate beauty products

If the individual ticks the box, they have explicitly consented to the processing.

An explicit consent statement also needs to specifically refer to the element of the processing that requires explicit consent. For example, the statement should specify the nature of the special category data, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of the transfer.

The ‘explicit’ element of any consent should also be separate from any other consents you are seeking, in line with the guidance in Recital 43 on appropriate granular control.

You can obtain explicit consent orally, but you need to make sure you keep a record of the script.

How long does consent last?

The GDPR does not set a specific time limit for consent. Consent is likely to degrade over time, but how long it lasts will depend on the context. You need to consider the scope of the original consent and the individual’s expectations.

Example

A gym runs a promotion that gives members the opportunity to opt in to receiving emails with tips about healthy eating and how to get in shape for their summer holiday that year.

As the consent request specifies a particular timescale and end point – their summer holiday – the expectation will be that these emails will cease once the summer is over. The consent will therefore expire.

If your processing operations or purposes evolve, your original consents may no longer be specific or informed enough – and you cannot infer broader consent from a simple failure to object. If this happens, you will need to seek fresh consent or identify another lawful basis.

If someone withdraws consent, you need to cease processing based on consent as soon as possible in the circumstances. This will not affect the lawfulness of your processing up to that point.

Parental consent won’t automatically expire when the child reaches the age at which they can consent for themselves, but you need to bear in mind that you may need to refresh consent more regularly.

You should keep your consents under review and consider refreshing consent at appropriate user-friendly intervals. See the section on ‘How should you manage consent?’ for further information.

Can a third party give consent on an individual’s behalf?

The GDPR does not prevent a third party acting on behalf of an individual to indicate their consent. However, you need to be able to demonstrate that the third party has the authority to do so.

In practice, it is likely to be difficult in most cases to verify that a third party has the authority to provide consent. You also still need to be able to demonstrate that the individual was fully informed and consent was freely given.

This is most likely to be appropriate in cases where the individual lacks the capacity to consent and someone else has specific legal authority to make decisions on their behalf.

What are the rules on capacity to consent?

The GDPR does not contain specific provisions on capacity to consent, but issues of capacity are bound up in the concept of ‘informed’ consent.

Generally, you can assume that adults have the capacity to consent unless you have reason to believe the contrary. However, you should ensure that the information you provide enables your intended audience to be fully informed.

It may be that you do have reason to believe that someone lacks the capacity to understand the consequences of consenting and so cannot give informed consent. If so, a third party with the legal right to make decisions on their behalf (eg under a Power of Attorney) can give consent.

What are the rules on children’s consent?

There are no global rules on children’s consent under the GDPR, but there is a specific provision in Article 8 on children’s consent for ‘information society services’ (services requested and delivered over the internet).

In short, if you offer these types of services directly to children (other than preventive or counselling services) and you want to rely on consent rather than another lawful basis for your processing, you must get parental consent for children under 13 (which is the age set by the UK in the Data Protection Act 2018).

If you choose to rely on children’s consent, you will need to implement age-verification measures, and make ‘reasonable efforts’ to verify parental responsibility for those under the relevant age.

For other types of processing, the general rule in the UK is that you should consider whether the individual child has the competence to understand and consent for themselves (the ‘Gillick competence test’). In practice, you may still need to consider age-verification measures as part of this assessment, and take steps to verify parental consent for children without competence to consent for themselves.

Consent is one possible lawful basis for processing children’s data, but remember that it is not the only option. Sometimes another lawful basis is more appropriate and provides better protection for the child. For example, you may find it beneficial to consider ‘legitimate interests’ as a potential lawful basis instead of consent. This will help ensure you assess the impact of your processing on children and consider whether it is fair and proportionate.

Further reading – ICO guidance

  • Children and the GDPR
  • Legitimate interests


Further reading – European Data Protection Board

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

WP29 adopted Guidelines on consent, which have been endorsed by the EDPB.

What are the rules on consent for scientific research purposes?

There is no rule that says you have to rely on consent to process personal data for scientific research purposes.

Even if you have a separate ethical or legal obligation to get consent from people participating in your research, this should not be confused with GDPR consent.

Example

The Clinical Trials Regulations apply to clinical trials on a medical product intended for human use. This includes a requirement to obtain ‘informed consent’ from individuals to participate in the trial.

The GDPR does not alter this requirement. Recital 161 acknowledges that it still applies, but it is an entirely separate requirement about consent to participate in the trial. It should not be confused with consent to process personal data under the GDPR, and it does not override the obligation under Article 6 of the GDPR to identify an appropriate lawful basis.

As a separate exercise, you must also ensure that you have a lawful basis for your processing under the GDPR, as well as a condition for the processing of special category data where necessary (eg clinical trials are highly likely to involve the processing of health data). Even if individuals have consented to participate in the research, you may well find that a different lawful basis (and a different special category data condition) is more appropriate in the circumstances.

In particular, remember that consent under the GDPR can be withdrawn at any time. There is no exemption to this for scientific research. This means that if you are relying on consent as your lawful basis and the individual withdraws their consent, you need to stop processing their personal data – or anonymise it – straight away.

If you would not be able to fully action a withdrawal of consent – for example because deleting data would undermine the research and full anonymisation is not possible – then you should not use consent as your lawful basis (or condition for processing special category data). Consent is only valid if the individual is able to withdraw it at any time.

Please see the section on ‘how should you manage the right to withdraw consent?’ for further information.

If you do want to rely on consent, the GDPR acknowledges that if you are collecting personal data for scientific research, you may not be able to fully specify your precise purposes in advance.

If you are seeking consent to process personal data for scientific research, this means you don’t need to be as specific as for other purposes. However, you should identify the general areas of research, and where possible give people granular options to consent only to certain areas of research or parts of research projects.

Further reading – ICO guidance

For more help on choosing the most appropriate lawful basis for your processing, see the lawful basis pages of our Guide to GDPR, and our lawful basis interactive guidance tool.

Our latest guidance on the conditions for processing special category data is available on the special category data page of our Guide.


When is consent invalid?

In summary, you do not have valid consent if any of the following apply:

  • you have any doubts over whether someone has consented;
  • the individual doesn’t realise they have consented;
  • you don’t have clear records to demonstrate they consented;
  • there was no genuine free choice over whether to opt in;
  • the individual would be penalised for refusing consent;
  • there is a clear imbalance of power between you and the individual;
  • consent was a precondition of a service, but the processing is not necessary for that service;
  • the consent was bundled up with other terms and conditions;
  • the consent request was vague or unclear;
  • you use pre-ticked opt-in boxes or other methods of default consent;
  • your organisation was not specifically named;
  • you did not tell people about their right to withdraw consent;
  • people cannot easily withdraw consent; or
  • your purposes or activities have evolved beyond the original consent.