When must we have consent?
You are likely to need to consider consent when no other lawful basis obviously applies. For example, this may be the case if you want to use or share someone’s data in a particularly unexpected or potentially intrusive way, or in a way that is incompatible with your original purpose.
If you are using special category data, you may to need to seek explicit consent to legitimise the processing, unless one of the other specific conditions in Article 9(2) applies. Note that some of the other conditions still require you to consider consent first, or to get consent for some elements of your processing. For example, if you are a not-for-profit body and you choose to rely on Article 9(2)(d), you still need explicit consent to disclose the data to any third party controllers.
You are also likely to need consent under e-privacy laws for many types of marketing calls and marketing messages, website cookies or other online tracking methods, or to install apps or other software on people’s devices. These rules are currently found in the Privacy and Electronic Communications Regulations 2003 (PECR). The EU is in the process of replacing the current e-privacy law (and therefore PECR) with a new e-privacy Regulation (ePR). However the new ePR is yet to be agreed. The existing PECR rules continue to apply until the ePR is finalised, but will apply the GDPR definition of consent.
If you need consent under e-privacy laws to send a marketing message, then in practice consent is also the appropriate lawful basis under the GDPR. If e-privacy laws don’t require consent for marketing, you may be able to consider legitimate interests instead.
If you need consent to place cookies, this needs to meet the GDPR standard. However, you may still be able to consider an alternative lawful basis such as legitimate interests for any associated processing of personal data.
In what other circumstances might consent be appropriate?
Consent is likely to be the most appropriate lawful basis for processing (or the appropriate gateway through other relevant provisions) if you want to offer individuals real choice and control over how you use their data. In particular, you may want to consider using consent to improve their level of engagement with your organisation and encourage them to trust you with more useful data.
However, whether consent is appropriate and valid will always depend on the particular circumstances.
See also ‘What are the benefits of getting consent right?’
When is it appropriate to use consent for special category data?
If you want to process special category data, you must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9, as supplemented by Schedule 1 of the Data Protection Act 2018.
The first condition listed in Article 9 is ‘explicit consent’. However, this does not mean it is always the best or most appropriate condition. You should always consider whether any of the other conditions better fit the particular situation.
Your choice of lawful basis under Article 6 does not necessarily dictate which Article 9 condition you have to apply. Even if you did not rely on consent as your lawful basis for processing, you can still consider ‘explicit consent’ as your Article 9 condition for any special category data. However, you must remember that explicit consent must meet the GDPR standard for valid consent, and can be withdrawn at any time.
See ‘What is valid consent?’ for more on what counts as ‘explicit’ consent.
If you need to process special category data to provide a service the individual has requested, the most appropriate lawful basis is likely to be ‘necessary for contract’. But explicit consent may still be available as your condition for processing necessary special category data. However, you must be confident that you can demonstrate consent is still freely given – in particular, that the processing is actually necessary for the service.
An individual signs up for a pregnancy yoga class. The instructor will be processing data concerning their health (ie the fact of their pregnancy along with any information about due dates) and therefore needs both a lawful basis and a condition for processing special category data.
As the instructor needs to process these details to provide the yoga class, the appropriate lawful basis is likely to be ‘performance of a contract’.
Although the individual cannot sign up to the class without revealing information about their pregnancy, explicit consent is still likely to be the appropriate condition for processing health data. The processing is objectively necessary to provide the requested class, and the individual has a free choice whether or not to sign up to that class.
Further reading – ICO guidance
For our latest guidance on conditions for processing special category data, see the Special category data page of our Guide to GDPR.
Further reading – Article 29 guidance
WP29 Guidelines on Consent (external link) contain further examples of explicit consent for special category data where processing is necessary for a service.
When is consent inappropriate?
It follows that if for any reason you cannot offer people a genuine choice over how you use their data, consent will not be the appropriate basis for processing. This may be the case if, for example:
- you would still process the data on a different lawful basis if consent were refused or withdrawn;
- you ask for ‘consent’ to the processing as a precondition of accessing your services; or
- you are in a position of power over the individual – for example, if you are a public authority or an employer processing employee data.
You would still process the data without consent
If you would still process the personal data on a different lawful basis even if consent were refused or withdrawn, then seeking consent from the individual is misleading and inherently unfair. It presents the individual with a false choice and only the illusion of control. You must identify the most appropriate lawful basis from the start.
A company that provides credit cards asks its customers to give consent for their personal data to be sent to credit reference agencies for credit scoring.
However, if a customer refuses or withdraws their consent, the credit card company will still send the data to the credit reference agencies on the basis of ‘legitimate interests’. So asking for consent is misleading and inappropriate – there is no real choice. The company should have relied on ‘legitimate interests’ from the start. To ensure fairness and transparency, the company must still tell customers this will happen, but this is very different from giving them a choice in data protection terms.
Prior to processing the personal data, you need to think carefully whether you would still need to retain any of the data for any other purpose if the individual withdraws their consent. For example, you might need to keep it to comply with a legal obligation or for audit purposes. If so, you must be clear and upfront at the start what your purpose and lawful basis is for retaining that data after consent is withdrawn.
The ‘consent’ is a condition of service
If you require someone to agree to processing as a condition of service, consent is unlikely to be the most appropriate lawful basis for the processing. In some circumstances it won’t even count as valid consent.
Instead, if you believe the processing is necessary for the service, the more appropriate lawful basis is likely to be ’necessary for the performance of a contract’ under Article 6(1)(b). You are only likely to need to rely on consent if required to do so under another provision, such as for some electronic marketing under PECR.
If processing of special category data is genuinely necessary to provide a service to the individual, you may still be able to rely on explicit consent as your condition for processing that special category data where no other Article 9 condition applies. See When is it appropriate to use consent for special category data?
It may be that the processing is a condition of service but is not actually necessary for that service. If so, consent is not just inappropriate as a lawful basis, but presumed to be invalid as it is not freely given. In these circumstances, you could consider whether ‘legitimate interests’ under Article 6(1)(f) is appropriate as your lawful basis for processing instead. You could not rely on explicit consent for any special category data in this case, and need to look for another Article 9 condition.
A café decides to provide free wifi to its customers. In order to access the wifi the customer must provide their name, email address and mobile phone number and then agree to the café’s terms and conditions.
Within the terms and conditions it states that by providing their contact details the customer is consenting to receive marketing communications from the café. The café is therefore making consent to send direct marketing a condition of accessing the service.
However collecting their customer’s details for direct marketing purposes is not necessary for the provision of the wifi. This is not therefore valid consent.
See ‘What is valid consent?’ for more on when consent is freely given.
You are in a position of power
Consent will not usually be appropriate if there is a clear imbalance of power between you and the individual. This is because those who depend on your services, or fear adverse consequences, might feel they have no choice but to agree – so consent is not considered freely given. This will be a particular issue for public authorities and employers.
A company asks its employees to consent to monitoring at work. However, as the employees rely on the company for their livelihood, they may feel compelled to consent, as they don’t want to risk their job or be perceived as difficult or having something to hide.
A housing association needs to collect information about the previous convictions of tenants and prospective tenants for risk-assessment purposes when allocating properties and providing home visits. However, it is inappropriate to ask for consent for this as a condition of the tenancy. A tenant applying for social housing may be in a vulnerable position and may not have many other housing options. So they may have no real choice but to sign up to the housing association’s terms. Even if the processing is necessary to provide the accommodation, their consent is not considered freely given because of the imbalance of power.
If you are a public authority or are processing employee data, or are in any other position of power over an individual, you should look for another basis for processing, such as ‘public task’ or ‘legitimate interests’.
However, public authorities and employers are not banned from using consent as their lawful basis. Even if you are in a position of power, there may be situations when you can still show that the consent is freely given.
A local council runs a number of fitness centres. It wants to find out what people think of the facilities in order to decide where to focus improvements. It decides to email a questionnaire to individuals who have fitness memberships to ask them about the facilities.
The decision as to whether or not to take part in the survey is entirely optional, and given the nature of the relationship and the survey there is no real risk of adverse consequences for failing to respond. The council could consider relying on consent to process the responses.
An employer decides to make a recruitment video for its website. It has instructed some professional actors but gives staff the opportunity to volunteer to have a role in the video. The employer makes it clear that there is no requirement for any staff to take part and participation will not be taken into account for performance evaluation purposes.
As participation is optional and there are no adverse consequences to those who do not want to take part the employer could consider consent.
However, you need to look carefully at the particular circumstances and be confident that you can demonstrate that the individual really does have a free choice to give or to refuse consent. You may need to take steps to ensure that the individual does not feel any pressure to consent and allay any concerns over the consequences of refusing consent.
The police respond to an emergency call and deal with an individual who has been a victim of a crime. The officer advises that help is available from a support service and that they can pass the individual’s details to that service if the individual wants them to.
On the face of it there is a clear imbalance of power where an individual is dealing with a uniformed police officer. If the officer suggests that the police would like to contact the support service or that this is standard practice, the imbalance of power issue will come into play as the individual may feel that they should agree. They may also fear that their case might not get as much police attention unless they agree.
However, if the officer takes care to make sure the offer of help is neutral and optional and makes clear that it is a separate service with no effect on the police investigation, then the police may be able to demonstrate that consent is freely given.
The police must also make sure the consent is specific, informed, given by a clear affirmative action, and properly documented. In particular they need to properly explain what data they will share with the support service, what it will be used for, and identify the organisation providing the service.
See ‘What is valid consent?’ for more on when consent is freely given.
Other inappropriate uses of consent
Be very careful about using other pre-existing concepts of consent out of context, as these may not always be appropriate for data protection purposes.
Even if you are under a separate legal or ethical requirement to get ‘consent’ to do something, this does not mean that you automatically have or need to have valid GDPR consent for any associated processing of personal data. In some cases, the standard of consent can be very different. It’s still important to consider your lawful basis carefully.
If you are intending to rely on consent as your lawful basis, always check that the consent also meets the GDPR standard, rather than simply assuming it applies. In particular, implied consent won’t often be appropriate as a lawful basis for processing under the GDPR.
In the healthcare sector, patient data is held under a duty of confidence. Healthcare providers generally operate on the basis of implied consent to share patient data for the purposes of direct care, without breaching confidentiality.
Implied consent for direct care is industry practice in that context. But this ‘implied consent’ to share confidential patient records is not the same as consent to process personal data in the context of a lawful basis under the GDPR.
In the healthcare context consent is often not the appropriate lawful basis under the GPDR. This type of assumed implied consent would not meet the standard of a clear affirmative act – or qualify as explicit consent for special category data, which includes health data. Instead, healthcare providers should identify another lawful basis (such as vital interests, public task or legitimate interests). For the stricter rules on special category data, Article 9(2)(h) specifically legitimises processing for health or social care purposes.
Even if you are required to get a patient’s consent to the medical treatment itself, this is entirely separate from your data protection obligations. It does not mean that you have to rely on consent for your processing of the patient’s personal data.
As a general rule, whenever you have difficulty meeting the standard for consent, this is a warning sign that consent may not be the most appropriate basis for your processing. So we recommend you look for another basis.
What are the alternatives to consent?
If you are looking for another lawful basis, these are set out in Article 6(1). In summary, you can process personal data without consent if it’s necessary for:
- A contract with the individual: for example, to supply goods or services they have requested, or to fulfil your obligations under an employment contract. This also includes steps taken at their request before entering into a contract.
- Compliance with a legal obligation: if you are required by UK or EU law to process the data for a particular purpose, you can.
- Vital interests: you can process personal data if it’s necessary to protect someone’s life. This could be the life of the data subject or someone else.
- A public task: if you need to process personal data to carry out your official functions or a task in the public interest – and you have a legal basis for the processing under UK law – you can. If you are a UK public authority, our view is that this is likely to give you a lawful basis for many if not all of your activities.
- Legitimate interests: you can process personal data without consent if you need to do so for a genuine and legitimate reason (including commercial benefit), unless this is outweighed by the individual’s rights and interests. Please note however that public authorities are restricted in their ability to use this basis.
Private-sector or third-sector organisations will often be able to consider the ‘legitimate interests’ basis in Article 6(1)(f) if they find it hard to meet the standard for consent and no other specific basis applies. This recognises that you may have good reason to process someone’s personal data without their consent – but you must avoid doing anything they would not expect, ensure there is no unwarranted impact on them, and that you are still fair, transparent and accountable.
If you are a public authority and can demonstrate that the processing is to perform your official functions as set down in UK law, then the ‘public task’ basis is likely to be more appropriate. If not, you may still be able to consider legitimate interests or one of the other bases. As always, you need to ensure you are fair, transparent and accountable.
If you are looking for other conditions for processing special category data, these are set out in Article 9(2) (supplemented by the Data Protection Act 2018). These are more limited and specific, and for example they include provisions covering employment law, health and social care, and research. See our guidance on special category data for more information.
The Guide to GDPR also contains more guidance on the rules for restricted processing, automated decision-making (including profiling), and overseas transfers.
Remember that even if you are not asking for consent, you still need to provide clear and comprehensive information about how you use personal data to comply with the right to be informed.