DPO and GDPR services

When Should You Use Consent?

Do you always need to ask for consent?

The short answer is no. Consent won’t always be the most appropriate or easiest.

Consent is only one of the lawful basis for processing, there are six lawful basis for processing. If you need to do anything with personal data, then you will need to use one of the lawful basis to process the data.

Each of the lawful basis is equal, no one being better than the other.

How does the GDPR define Consent?

The GDPR says that consent must be ‘freely given, specific and unambiguous’ and must be given by a ‘clear affirmative action’ by the individual.

This means that as an organisation you must be transparent and tell individuals in a clear, concise and easy to understand manner what it is they are consenting to and allow them to take the action of giving you, their consent.

Consent must be clear and unbundled

Meaning it should not be bundled in with any other terms and conditions.

When is it correct to use consent?

If you can offer choice and give the individual control, then consent is the correct lawful basis to use.

EG if you are offering to send out a newsletter or updates on your services.

Marketing and Consent

Under eprivacy laws for certain types of marketing you will need to ask for consent. This includes online tracking, installing apps, using certain cookies.

It should ne noted that there are times when the ‘soft opt-in’ can be used in marketing, this means you will not need to ask for consent and could rely on another lawful basis – legitimate interest, however this means there will be a need for a Legitimate Interest Assessment.

The ICO’s guide to PECR explains it here.

Cookies and Consent

Not quite are yummy as you might think!

Unless cookies are of the ‘strictly necessary’ type then you will need consent to place them on an individual’s device.

The ICO gives guidance on cookies

Special Category Data (SCD)

This is where explicit consent comes in – if you are processing special category data.

What is special category data? It is data related to health, race, ethnicity, political views, religious beliefs, trade union membership, sexual orientation, data relating to genetics, and biometric data.

When you are processing this SCD the GDPR Article 9 requires you to have a lawful basis and a specific condition.

When no other lawful basis applies use consent

If the individual would not expect you to use their data in such a way, then you must ask for consent or if you are going to use the data in a way that is different to the purpose that you collected it for.

When is consent not appropriate?

If you would still process the personal data on a different lawful basis even if consent were refused or withdrawn, then seeking consent from the individual is misleading and unfair. It presents the individual with a false choice and only the illusion of control. You must identify the most appropriate lawful basis from the start.

If you require the individual to consent as a ‘condition of service’ then it is unlikely to be the correct lawful basis, this will result in an imbalance of power. In this instance you would be most likely to use ‘necessity for the performance of a contract’

Consent Checklist – consent must be:

InformedYou must inform the individuals what they are consenting to – this should be made clear in your Privacy Notice. There should be a clear link to your Privacy Notice.
GranularConsent should not be linked to T&Cs, it should not be in the small print. Be specific about what you are asking consent for.
EvidenceKeep records of your consent separately showing when consent was collected.
Easy to withdrawIt must be easy for an individual to withdraw their consent.
Positive ActionThe individual must take a positive action to show they give consent ie. the individual should tick a box. No pre ticked boxes, you cannot assume that no action is a positive action.

If consent is difficult, this is often because another lawful basis is more appropriate, so you should consider the alternatives. See our article on Lawful Basis for Processing.

Scroll to Top