UK General Data Protection Regulation (UK GDPR)
Obtaining, recording and managing consent under the UK GDPR
Consent is a core principle of data protection law and one of the six lawful basis for processing of personal data under the UK General Data Protection Regulation (UK GDPR).
What is valid consent under the GDPR?
For consent to be valid under the UK GDPR, it must:
- be freely given - giving people genuine choice and control over how you use their data
- be specific and informed - covering the controller's name, the purposes of the processing, the processing activity and the right to withdraw consent at any time
- be obvious that the individual has consented, and what they have consented to
- require a clear positive action to opt in - consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand
Explicit consent must be expressly confirmed in words, rather than by any other positive action. Find out what makes consent valid.
When should you obtain consent under GDPR?
You may need seek consent in a number of circumstances. For example, if:
- no other legal basis for data processing applies
- you want to use or share someone's data in unexpected or potentially intrusive ways
- you are using special category data - you may need explicit consent to legitimise the processing (unless specific conditions apply)
Under e-privacy laws, you may need consent to make certain types of marketing calls and messages, use website cookies and online tracking, or install apps or other software on people's devices. If you need consent under e-privacy laws, then in practice consent is also the appropriate lawful basis under the UK GDPR. If e-privacy laws don't require consent for marketing, you may be able to consider legitimate interests instead.
Consent is one lawful basis for processing, but it won't always be the most appropriate or easiest. If consent is difficult, you should consider the alternatives. Private sector businesses will often be able to consider legitimate interest basis if they find it hard to meet the standard for consent.
When should you not use consent?
You should not use consent as your lawful basis for processing if:
- you can't offer people a genuine choice over how they use their data
- you could process data on a different lawful basis if consent is refused or withdrawn
- you ask for consent as a precondition of accessing your services
- you are in a position of power over the individual, eg an employer processing employee data
You can use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.
How to obtain consent
You must make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. If the request is vague, difficult to understand or uses language likely to confuse, it will be invalid.
You should obtain consent upfront, before processing begins (eg through privacy notices).
As a minimum, your consent request must include:
- the name of your organisation and of any other controllers who will rely on the consent
- why you want the data (the purposes of the processing)
- what you will do with the data (the processing activities)
- that people can withdraw their consent at any time
You can use different methods to obtain consent, but you must ask people to actively opt in.
Examples of active opt-in mechanisms include:
- signing a consent statement on a paper form
- ticking an opt-in box on paper or electronically
- clicking an opt-in button or link online
- selecting from equally prominent yes/no options
- choosing technical settings or preference dashboard settings
- responding to an email requesting consent
- answering yes to a clear oral consent request
- volunteering optional information for a specific purpose - eg filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box
If you need explicit consent, the opt-in needs to involve an express statement confirming consent. See more on what is explicit consent.
Under the UK GDPR, you cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions.
If you are seeking consent for various different purposes or types of processing, you should provide a separate opt-in for each unless you are confident it is appropriate to bundle them together.
If you are asking for consent electronically, consent must not be “unnecessarily disruptive to the use of the service for which it is provided”, so make sure that you adopt the most user-friendly method you can.
If you are offering online services to children and want to rely on consent for your processing, you need to adopt age-verification measures and seek parental consent for children under 13. See rules on children's consent.
How to record consent
Where processing is based on consent, you must be able to demonstrate that the data subject has consented to processing of their personal data. You must keep records that demonstrate:
- who consented
- when they consented
- what they were told at the time
- how they consented
- whether they have withdrawn consent (and if so, why)
An effective audit trail of how and when consent was given will provide you with evidence if challenged. Keep this evidence for as long as you are still processing based on the consent, so that you can demonstrate your compliance in line with accountability obligations.
Your obligations don't end when you get consent. You should keep your consents under review and refresh them:
- if anything changes, eg if your purposes for processing evolve
- if you rely on parental consent, when children grow up and can consent for themselves
- automatically at appropriate intervals, depending on the context, people's expectations
If in doubt, the ICO recommends you consider refreshing consent every two years. You may be able to justify a longer period, or may need to refresh more regularly to ensure good levels of trust and engagement.
How long does GDPR consent last?
There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
Managing consent for use of personal data
In addition to reviewing consents, it is also good practice to offer ongoing choice and control and provide preference-management tools (such as privacy dashboards and opt-out by reply to every contact) to allow people to easily access and update their consent settings.
You must include details of the right to withdraw consent in your privacy information and consent requests. It is good practice to also include details of how to withdraw consent. If possible, individuals should be able to withdraw their consent using the same method as when they gave it.
Individuals must be able to refuse and withdraw consent without suffering any detriment. If there is a penalty for withdrawing consent, the consent would be invalid as it would not be freely given.
What happens when someone withdraws their consent?
If someone withdraws consent, you should stop the processing as soon as possible. Withdrawal does not affect the lawfulness of the processing up to that point, but it does mean you can no longer rely on consent as your lawful basis for processing.
Consent and individuals' rights
If you rely on consent, this will affect individuals' rights. In addition to the right to be informed, they will also have:
- the right to erasure (also known as 'the right to be forgotten')
- the right to data portability
- the right to withdraw consent - which in effect operates as a right to stop the processing
However, where processing is based on consent, they won't have the right to object. See more on data subject rights under the UK GDPR.
Handling personal data badly - including relying on invalid or inappropriate consent - can damage customer trust and your reputation. It may also leave you open to substantial GDPR penalties and fines.
This guide does not constitute legal advice and is provided for general information purposes only.
ICO Helpline0303 123 1113