How should we obtain, record and manage consent?
In detail
- How should we write a consent request?
- What information should a consent request include?
- What methods can we use to indicate consent?
- How should we record consent?
- How should we manage consent?
- How should we manage the right to withdraw consent?
How should we write a consent request?
Consent requests need to be prominent, concise, easy to understand and separate from any other information such as general terms and conditions.
Article 7(2) says:
“If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.”
You should:
- keep your consent request separate from your general terms and conditions, and clearly direct people’s attention to it;
- use clear, straightforward language;
- adopt a simple style that your intended audience will find easy to understand – this is particularly important if you are asking children to consent, in which case you may want to prompt parental input and you should also consider age-verification and parental-authorisation issues;
- avoid technical or legal jargon and confusing terminology (eg double negatives);
- use consistent language and methods across multiple consent options; and
- keep your consent requests concise and specific, and avoid vague or blanket wording.
Further reading – ICO guidance
What information should a consent request include?
Consent must be specific and informed. You must as a minimum include:
- the name of your organisation and the names of any other controllers who will rely on the consent – consent for categories of third-party controllers will not be specific enough;
- why you want the data (the purposes of the processing);
- what you will do with the data (the processing activities); and
- that people can withdraw their consent at any time. It is good practice to tell them how to withdraw consent.
This is separate from the transparency requirements of the right to be informed. You must also make sure you give individuals sufficient privacy information to comply with their right to be informed, but you don’t have to do this all in the consent request and there is more scope for a layered approach.
There is a tension between ensuring that consent is specific enough and making it concise and easy to understand. In practice this means you may not be able to get blanket consent for a large number of controllers, purposes or processes. This is because you won’t be able to provide prominent, concise and readable information that is also specific and granular enough.
If you do need to include a lot of information, take care to ensure it’s still prominent and easy to read.
You may need to consider whether you have another lawful basis for any of the processing, so that you can focus your consent request. If you use another basis, you will still need to provide clear and comprehensive privacy information, but – as noted above - this is different from a consent request and there is more scope for a layered approach.
You could also consider using ‘just-in-time’ notices. These work by appearing on-screen at the point the person inputs the relevant data, with a brief message about what the data will be used for. This will help you provide more information in a prominent, clear and specific way to ensure that consent is informed. However, you will need to combine the notices with an active opt-in and ensure this is not unduly disruptive to the user. There’s more on methods of consent below.
See ‘What is valid consent?’ for more on the requirement for consent to be specific and informed.
Further reading – ICO guidance
For more guidance on a layered approach to transparency, and the use of just-in-time notices, see our Right to be informed guidance.
What methods can we use to obtain consent?
Whatever method you use must meet the standard of an unambiguous indication by clear affirmative action. This means you must ask people to actively opt in. Examples of active opt-in mechanisms include:
- signing a consent statement on a paper form;
- ticking an opt-in box on paper or electronically;
- clicking an opt-in button or link online;
- selecting from equally prominent yes/no options;
- choosing technical settings or preference dashboard settings;
- responding to an email requesting consent;
- answering yes to a clear oral consent request;
- volunteering optional information for a specific purpose – eg filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box.
If you need explicit consent, the opt-in needs to involve an express statement confirming consent. See ‘What is explicit consent?’ for more information.
You cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions.
The UK GDPR does not specifically ban opt-out boxes but they are essentially the same as pre-ticked boxes, which are banned. Both methods bundle up consent with other matters by default, and then rely to some extent on inactivity. They also increase the likelihood of confusion and ambiguity.
The usual reason for using opt-out boxes is to get more people to consent by taking advantage of inaction – but this is a clear warning sign of a problem with the quality of the consent. You should instead use specific opt-in boxes (or another active opt-in method) to obtain consent.
If you want consent for various different purposes or types of processing, you should provide a separate opt-in for each unless you are confident it is appropriate to bundle them together. People should not be forced to agree to all or nothing – they may want to consent to some things but not to others.
If you are asking for consent electronically, consent must be “not unnecessarily disruptive to the use of the service for which it is provided”. You need to ensure you adopt the most user-friendly method you can. If your processing has a minimal privacy impact and is widely understood, you may be able to justify a less prominent or granular approach, or a greater reliance on technical settings. But you must still always ensure people have genuine choice and control, and take some positive action. Disruption is not an excuse for invalid consent.
If you need to obtain an individual’s consent online, you don’t need to force people to create user accounts and sign in just so you can obtain verifiable consent. But you can of course offer this as an option, in case people want to save their preferences. Article 11 makes it clear that you don’t have to get additional information to identify the individual in order to comply.
Instead, you could for example link the consent to a temporary session ID. Clearly, after the session ends and the link between the individual and the session is destroyed, you will need to seek fresh consent each time the individual returns to your website.
If you are offering online services to children and want to rely on consent for your processing, you need to adopt age-verification measures and seek parental consent for children under 13. See What are the rules on children’s consent?
See ‘What is valid consent?’ for more on what the UK GDPR says about unambiguous indications of consent by clear affirmative action.
Further reading – ICO guidance
How should we record consent?
Article 7(1) says:
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
This means you must have an effective audit trail of how and when consent was given, so you can provide evidence if challenged. You should keep this evidence for as long as you are still processing based on the consent, so that you can demonstrate your compliance in line with accountability obligations.
Good records will also help you to monitor and refresh consent as appropriate. You must keep good records that demonstrate the following:
- Who consented: the name of the individual, or other identifier (eg, online user name, session ID).
- When they consented: a copy of a dated document, or online records that include a timestamp; or, for oral consent, a note of the time and date which was made at the time of the conversation.
- What they were told at the time: a master copy of the document or data capture form containing the consent statement in use at that time, along with any separate privacy policy or other privacy information, including version numbers and dates matching the date consent was given. If consent was given orally, your records should include a copy of the script used at that time.
- How they consented: for written consent, a copy of the relevant document or data capture form. If consent was given online, your records should include the data submitted as well as a timestamp to link it to the relevant version of the data capture form. If consent was given orally, you should keep a note of this made at the time of the conversation - it doesn’t need to be a full record of the conversation.
- Whether they have withdrawn consent: and if so, when.
Consent should be specific and granular, so your records also need to be specific and granular to demonstrate exactly what the consent covers.
For online consent, you may be able to use an appropriate cryptographic hash function to support data integrity.
How should we manage consent?
Your obligations don’t end when you get consent. You should view consent as a dynamic part of your ongoing relationship of trust with individuals, not a one-off compliance box to tick and file away. To reap the benefits of consent, you need to offer ongoing choice and control.
It is good practice to provide preference-management tools like privacy dashboards to allow people to easily access and update their consent settings.
If you don’t offer a privacy dashboard, you need to provide other easy ways for people to withdraw consent at any time they choose. See ‘How should you manage the right to withdraw consent?’
You should keep your consents under review. You will need to refresh them if anything changes – for example, if your processing operations or purposes evolve, the original consent may not be specific or informed enough. If you rely on parental consent, bear in mind that you may need to refresh consent more regularly as the children grow up and can consent for themselves. If you are in any doubt about whether the consent is still valid, you should refresh it. See ‘How long does consent last?’ for more on this.
You should also consider whether to automatically refresh consent at appropriate intervals. How often it’s appropriate to do so will depend on the particular context, including people’s expectations, whether you are in regular contact, and how disruptive repeated consent requests would be to the individual. If in doubt, we recommend you consider refreshing consent every two years – but you may be able to justify a longer period, or need to refresh more regularly to ensure good levels of trust and engagement.
If you are not in regular contact with individuals, you could also consider sending occasional reminders of their right to withdraw consent and how to do so.
Further reading – ICO guidance
For more on preference-management tools, see our guidance on the Right to be informed.
How should we manage the right to withdraw consent?
The UK GDPR gives people a specific right to withdraw their consent. You need to ensure that you put proper withdrawal procedures in place.
Article 7(3) says:
“The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.”
As the right to withdraw is ‘at any time’, it’s not enough to provide an opt-out only by reply. The individual must be able to opt out at any time they choose, on their own initiative.
It must also be as easy to withdraw consent as it was to give it. This means the process of withdrawing consent should be an easily accessible one-step process. If possible, individuals should be able to withdraw their consent using the same method as when they gave it.
It is good practice to publicise both online preference-management tools and other ways of opting out, such as customer-service phone numbers. You should bear in mind that not everyone is confident with technology or has easy access to the internet. If someone originally gave consent on paper or in person, it may not be enough to offer only an online opt-out.
It is also good practice to provide both anytime opt-out mechanisms, such as privacy dashboards, and opt-out by reply to every contact. This could include an unsubscribe link in an email, or an opt-out phone number, address or web link printed in a letter.
The UK GDPR does not prevent a third party acting on behalf of an individual to withdraw their consent, but you need to be satisfied that the third party has the authority to do so. This leaves the door open for sectoral opt-out registers or other broader shared opt-out mechanisms, which could help individuals regain control they might feel they have lost. It might also help to demonstrate that consent is as easy to withdraw as it was to give.
Example
The Fundraising Regulator has set up the Fundraising Preference Service (FPS). The FPS operates as a mechanism to withdraw consent to charity fundraising in England, Wales and Northern Ireland. If an individual wishes to stop receiving marketing from particular charities, they can use the FPS to withdraw consent from those specific charities.
Individuals must be able to withdraw their consent to processing without suffering any detriment. If there is a penalty for withdrawing consent, the consent would be invalid as it would not be freely given. See ‘When is consent valid?’ for more on freely given consent.
If someone withdraws their consent, this does not affect the lawfulness of the processing up to that point. However, it does mean you can no longer rely on consent as your lawful basis for processing. You will need to stop any processing that was based on consent. You are not able to swap to a different lawful basis for this processing (although you may be able to retain the data for a different purpose under another lawful basis if it is fair to do so – and you should have made this clear from the start). Even if you could originally have relied on a different lawful basis, once you choose to rely on consent you are handing control to the individual. It is inherently unfair to tell people they have a choice, but then continue the processing after they withdraw their consent.
If someone withdraws consent, you should stop the processing as soon as possible. In some cases it will be possible to stop immediately, particularly in an online automated environment. However, in other cases you may be able to justify a short delay while you process the withdrawal.
Withdrawals of consent also apply to special category data where explicit consent is being used. Therefore if you are using explicit consent as your Article 9 condition and the individual withdraws their consent you can no longer use this as your condition. However, unlike Article 6, it could be possible for you to use a different Article 9 condition instead but you still need to ensure that this is communicated to the individual and is fair.
You must include details of the right to withdraw consent in your privacy information and consent requests. It is good practice to also include details of how to withdraw consent.
In some cases you may need to keep a record of the withdrawal of consent for your own purposes – for example, to maintain suppression records so that you can comply with direct marketing rules. You don’t need consent for this, as long as you tell individuals that you will keep these records, why you need them, and your lawful basis for this processing (eg legal obligation or legitimate interests).