Consent

You can only use personal data if you do so "lawfully" under GDPR. One way to do this is by getting the person's consent.

Because someone can withdraw their consent at any time, however, we recommend you rely on one of the other lawful bases instead – contract or legitimate interest.

How to get consent

Consent can be on paper, online or verbal. But it must be clear:

  • that the person has freely consented
  • what they have consented to

Asking for consent

You should keep consent requests specific and separate from other terms and conditions. The request must be easy to understand and include:

  • the name of your organisation
  • the name of any third-party controllers who will rely on the consent
  • why you want the data
  • what you’ll do with it
  • how to withdraw consent at any time

You must not use pre-ticked boxes.

Recording consent

You should keep a record of consents. It should include:

  • when and how you got consent
  • what you were told at the time of consent

How long consent lasts

Consent has no time limit. How long it lasts will depend on the context. You’ll need to review and refresh consent by considering the scope of the original consent and the person's expectations.

Parental consent does not expire when a child reaches 13 (the age they can consent themselves). Here, you may need to review the consent more regularly.

Withdrawing consent

Someone must be able to withdraw consent as easily as they gave it. For example, if they gave consent through an app, they should be able to use the same app to withdraw their consent.

A data controller must make the withdrawal:

  • free of charge
  • with the same level of customer service

When consent is withdrawn, you must:

Sensitive personal data

For sensitive (special category) personal data you'll also need to make sure you meet one of the requirements in Article 9 of the GDPR.

Children and consent

Children must be at least 13 to consent. You'll need to verify their age. Children can consent using online services. Younger children will need parental consent.

The language must be clear and plain for children.

Third-party consent

When a person lacks the capacity to consent, someone else will need legal authority to consent for them, for example, under a power of attorney.

Marketing and consent

The rules around consent and marketing have changed. If you send electronic marketing or use cookies, for example, you'll need to check that your existing permissions meet the GDPR consent rules.

The new consent rules mean you must:

  • make opt-ins clear – you cannot use pre-ticked boxes
  • keep consent separate from other terms and conditions
  • not make consent a condition of signing up to a service
  • keep a clear record of all consents
  • tell your clients how they can withdraw consent at any time
  • have clear consent options, specific to the data use

You'll need to ask for consent again or choose a different legal basis if your existing permissions do not meet these new standards or are not well documented.

What's changing?

The EU is creating a new e-privacy regulation to sit alongside GDPR. This has not been agreed yet, so for now you should continue to follow Privacy and Electronic Communications Regulations (PECR) alongside GDPR.

You can read more about consent as a lawful basis on the ICO website.