What Is Consent Under the GDPR?
The General Data Protection Regulation (GDPR) is well known for its strict rules on data subject consent. Requesting GDPR consent means giving people a real choice and allowing them to change their minds.
This article will consider when you shouldn’t request consent, when you should seek consent, and how to request consent under the GDPR.
When to Get Consent Under the GDPR
The GDPR doesn’t always require consent. However, the GDPR does always require a “legal basis” (or “lawful basis”) to process (collect, store, share, or otherwise use) personal data.
But “consent” is just one of six options for processing personal data. As such, it’s easier to start by explaining when you don’t need consent.
When Not to Get Consent Under the GDPR
You shouldn’t request consent if you need to process personal data under another legal basis, including:
- To enter into a contract with the data subject or perform obligations under a contract with the data subject (“contract”).
- To comply with the law (“legal obligation”).
- To protect someone’s life or health (“vital interests”).
- To perform a task in the public interest under official authority (“public task”).
- For the purposes of your “legitimate interests”.
If one of the above legal bases applies, consent is likely to be inappropriate.
Because under the GDPR, “consent” means “consent”—people must have a genuine or free choice and be able to change their minds.
Here are three examples of why consent is not always the most appropriate lawful basis:
- If you ask for an employee’s consent before sending payroll information to the tax authorities, they can say “no”—and you’d be enabling tax evasion (use “legal obligation” instead).
- If you ask a customer for consent before you process their credit card details, they could say “no”—and you wouldn’t get paid (use “contract” instead).
- If you’re a doctor, and you ask someone who’s been knocked unconscious for consent to check their medical records, they won’t answer—and their health will suffer (use “vital interests” instead).
There are countless situations in which “consent” doesn’t work. But consent is still a very important concept under the GDPR.
When Do You Need Consent Under the GDPR?
The GDPR doesn’t specify when consent is required. This is a decision for the “data controller” — any company that decides why and how to process personal data.
But there are some examples of when consent is obligatory under other another law: the ePrivacy Directive.
Do You Need Consent for Marketing?
You’ll usually need a person’s consent before you can send electronic marketing communications, i.e., marketing via email, SMS, instant messaging, or phone.
There are circumstances in which consent is not required for electronic marketing, such as if you are sending marketing messages to existing customers and you’ve offered them an opt-out.
For more information, read Email Marketing in Europe: How to Comply With the Law.
Do You Need Consent for Cookies?
You usually need consent for setting cookies (or other technologies that can access or store information) on a person’s device. But again, there are exceptions.
Under the ePrivacy Directive, so-called “essential” or “strictly necessary” cookies don’t require consent.
Many data protection authorities also exclude certain privacy-friendly analytics services from the ePrivacy Directive’s consent rules.
Try Wide Angle Analytics!
However, you need consent for most cookies used for marketing and other “non-essential” purposes.
Do You Need Consent to Collect Sensitive Data?
Under the GDPR, getting “explicit consent” is one option for processing special category data — sensitive information about a person’s ethnicity, health, or political beliefs (among other characteristics).
But as with other processing operations, consent is not the only option for processing special category data. In fact, there are ten legal bases for processing special category data under Article 9 of the GDPR.
However, in many circumstances, getting consent will be the best option for processing any particularly sensitive personal data. The dating app Grindr received a €6.5 million GDPR fine for failing to get consent for processing special category data.
When Might We Want to Get Consent Under the GDPR?
According to the UK’s data regulator, you should get consent when “you want to offer individuals real choice and control over how you use their data”.
Here’s one way to think about consent: The “need to have” vs “nice to have” model:
- Need to have: If you need personal data for a specific purpose, consent is unlikely to be the best option.
- Nice to have: If you want personal data for a purpose unrelated to your core services, consent is likely to be the best option.
Here are some examples:
|Personal data||“Need to have”||“Nice to have”|
|Email address||To deliver a digital subscription product.||To deliver marketing emails.|
|Device information||To ensure your app works correctly on a person’s device.||To make general improvements to your product for all users.|
|Location data||To personalise search results in a service explicitly designed to provide information about local businesses.||To share with third parties who wish to provide more accurate targeted ads.|
Generally speaking, you should only request consent if you can enable the individual to freely refuse or withdraw consent.
What Is Consent Under the GDPR?
We’ve considered some situations in which consent is appropriate. We’re now going to look more closely at what the GDPR says about consent.
Consent serves several purposes in the GDPR:
- As noted, consent is one of the six legal bases for processing personal data (Article 6).
- “Explicit consent” is one of the ten legal bases for processing “special category data” (Article 9).
- Data subjects can consent to “automated individual decision-making” (Article 22).
- Data subjects can sometimes consent to international data transfers without appropriate safeguards (Article 49).
- Parental consent is required to provide “information society services” (online services) directly to a child (Article 8).
- Consent can be a valid basis for “further processing” personal data in a way that is incompatible with the purpose for which it was originally collected (Article 6).
Now let’s learn what consent means under the GDPR.
How Does the GDPR Define ‘Consent’?
Here’s how the GDPR defines “consent”, at Article 4(1)(11):
“‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
We can break this definition down into five elements. Under the GDPR, consent is:
- Freely given.
- Given by a clear, affirmative action.
Article 7 of the GDPR and the GDPR’s recitals build on this core consent definition.
What Is Freely-Given Consent?
The GDPR requires freely given consent. Consent under the GDPR is always “opt-in”.
Unlike under some other laws, there is no concept of “assumed consent” or “opt out consent” under the GDPR. However, the legal basis of “legitimate interests” shares some similarities with “assumed consent”.
Some of the GDPR’s recitals discuss the conditions of freely given consent:
- The data controller must not require the data subject to consent in order to access goods or services under a contract (Recital 43).
- There shouldn’t be a “clear imbalance” between the data subject and the data controller requesting consent (for example, if the data controller is a public authority) (Recital 43).
- The data subject should be able to refuse or withdraw consent without experiencing any detriment (Recital 42).
What Is Specific Consent?
The GDPR requires “specific consent”.
- Where one processing activity has multiple purposes, the data controller should request separate consent for each purpose (Recital 32).
- Where multiple processing activities are required to fulfil one purpose, the data controller should make one consent request that covers all processing activities (Recital 32).
Don’t “bundle” consent requests—people should consent to one thing at a time. You should offer people a granular choice around accepting or refusing consent to specific data processing purposes.
What Is Informed Consent?
The GDPR requires “informed consent”. Article 7 of the GDPR states that:
- A consent request must be “clearly distinguishable” from other information.
- A consent request must be provided in an “intelligible and easily accessible form” and use “clear and plain language”.
You should also tell people that they have the right to withdraw consent before you request consent.
Recital 42 of the GDPR adds that for consent to be “informed”, the data subject should be aware of at least:
- The identity of the data controller, and
- The purposes for which the personal data will be processed.
What Is Unambiguous Consent, Given via a ‘Clear Affirmative Action’?
The GDPR requires unambiguous consent. Consent must be given in writing or via a clear affirmative act.
According to Recital 32 of the GDPR:
- Tick boxes and app settings can be valid ways to obtain consent.
- “Silence, pre-ticked boxes, or inactivity” do not indicate valid consent.
Official guidance from EU data regulators states that you can’t assume you have a person’s consent because they have used your app or navigated your website.
What Are the Rules on Withdrawing Consent?
Under the GDPR, people have the absolute right to withdraw consent.
You must inform people of their right to withdraw consent whenever you collect personal data on the basis of consent, and in your privacy notice.
Article 7 of the GDPR provides some rules on withdrawing consent:
- The data subject has the right to withdraw consent at any time.
- The data controller must inform the data subject of their right to withdraw consent before the data subject consents.
- It must be as easy for the data subject to withdraw consent as it was for them to give consent.
Golden Rules for GDPR Consent
We’ve looked at when consent might be appropriate. We’ve considered what the GDPR says about consent.
Now let’s boil this down into some golden rules about when and how to get GDPR consent.
Consent under the GDPR is likely to be appropriate if:
- None of the GDPR’s other legal bases apply.
- You can provide the individual with a genuine choice about the processing.
- You can explain who you are and how you will use the individual’s personal data, using clear and plain language.
- The individual can provide consent via a “clear affirmative action”.
- You are requesting consent for one specific purpose, and you will use the individual’s personal data for that purpose alone.
- You can allow the individual to change their mind without experiencing any detriment.
- The individual can still use your services if they refuse or withdraw consent.
- There is no clear imbalance of power between you and the individual (for example, you are not a public authority or the individual’s employer).
You might also need to get consent under another law, such as the ePrivacy Directive.
Consent is unlikely to be appropriate if you need to process personal data—for example, to comply with the law or to provide your core services.