At a glance

  • The GDPR sets a high standard for consent.
  • Doing consent well should put individuals in control, build customer trust and engagement, and enhance your reputation.
  • Check your consent practices and your existing consents. Refresh consents if they don’t meet the GDPR standard.
  • Consent means offering individuals genuine choice and control.
  • Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.
  • Explicit consent requires a very clear and specific statement of consent.
  • Keep your consent requests separate from other terms and conditions.
  • Be specific and granular. Vague or blanket consent is not enough.
  • Be clear and concise.
  • Name any third party controllers who will rely on the consent.
  • Make it easy for people to withdraw consent and tell them how.
  • Keep evidence of consent – who, when, how, and what you told people.
  • Keep consent under review, and refresh it if anything changes.
  • Avoid making consent a precondition of a service.
  • Public authorities and employers will find using consent difficult.
  • Remember – you don’t always need consent. If consent is too difficult, look at whether another lawful basis is more appropriate.

Checklists

Asking for consent

☐ We have checked that consent is the most appropriate lawful basis for processing.

☐ We have made the request for consent prominent and separate from our terms and conditions.

☐ We ask people to positively opt in.

☐ We don’t use pre-ticked boxes, or any other type of consent by default.

☐ We use clear, plain language that is easy to understand.

☐ We specify why we want the data and what we’re going to do with it.

☐ We give granular options to consent to independent processing operations.

☐ We have named our organisation and any third party controllers who will be relying on the consent.

☐ We tell individuals they can withdraw their consent.

☐ We ensure that the individual can refuse to consent without detriment.

☐ We don’t make consent a precondition of a service.

☐ If we offer online services directly to children, we only seek consent if we have age-verification and parental-consent measures in place.

Recording consent

☐ We keep a record of when and how we got consent from the individual.

☐ We keep a record of exactly what they were told at the time.

Managing consent

☐ We regularly review consents to check that the relationship, the processing and the purposes have not changed.

☐ We have processes in place to refresh consent at appropriate intervals, including any parental consents.

☐ We consider using privacy dashboards or other preference-management tools as a matter of good practice.

☐ We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.

☐ We act on withdrawals of consent as soon as we can.

☐ We don’t penalise individuals who wish to withdraw consent.

In brief

What's new?

  • The GDPR sets a high standard for consent, but the biggest change is what this means in practice for your consent mechanisms.
  • The GDPR is clearer that an indication of consent must be unambiguous and involve a clear affirmative action.
  • Consent should be separate from other terms and conditions. It should not generally be a precondition of signing up to a service.
  • The GDPR specifically bans pre-ticked opt-in boxes.
  • It requires granular consent for distinct processing operations.
  • You must keep clear records to demonstrate consent.
  • The GDPR gives a specific right to withdraw consent. You need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time.
  • Public authorities, employers and other organisations in a position of power are likely to find it more difficult to get valid consent.
  • You need to review existing consents and your consent mechanisms to check they meet the GDPR standard. If they do, there is no need to obtain fresh consent.

Why is consent important?

  • Consent is one lawful basis for processing, and consent (or explicit consent) can also legitimise use of special category data, restricted processing, automated decision-making or overseas transfers.
  • Doing consent well should put individuals in control, build customer trust and engagement, and enhance your reputation.
  • Relying on inappropriate or invalid consent could destroy trust and harm your reputation – and may leave you open to substantial fines.

When is consent appropriate?

  • Consent is one lawful basis for processing, but there are alternatives. If consent is difficult, you should consider using an alternative basis.
  • Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate.
  • If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.
  • If you make ‘consent’ a precondition of a service, consent is unlikely to be the most appropriate lawful basis.
  • Public authorities, employers and other organisations in a position of power over individuals should avoid relying on consent as it is unlikely to be freely given.

What is valid consent?

  • Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.
  • Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.
  • Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
  • Consent should be obvious and require a positive action to opt in.
  • Explicit consent must be expressly confirmed in words, rather than by any other positive action.
  • There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.

How should you obtain, record and manage consent?

  • Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand.
  • Include the name of your organisation and any third party controllers who will be relying on the consent, why you want the data, what you will do with it, and the right to withdraw consent at any time.
  • You must ask people to actively opt in. Don’t use pre-ticked boxes, opt-out boxes or default settings.
  • Wherever possible, give granular options to consent separately to different purposes and different types of processing.
  • Keep records to evidence consent – who consented, when, how, and what they were told.
  • Make it easy for people to withdraw consent at any time they choose. Consider using preference-management tools.
  • Keep consents under review and refresh them if anything changes. Build regular consent reviews into your business processes.

In more detail - ICO guidance

We have analysed the feedback received on our draft consent guidance. A summary of the responses can be found on the Consultations pages of the website.

In more detail - Article 29 Working Party

The Article 29 Working Party includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

The Article 29 Working Party is due to publish guidelines on consent in 2017; the latest timetable is for these to be agreed and adopted in December 2017.