GDPR consent must be actively given by the data subject

This guide covers GDPR consent, including how individuals actively give consent and what that consent covers.


What is GDPR consent and why is it needed?

Companies must ask people’s permission before processing their personal data. Under GDPR this permission is called ‘consent’.

Consent can be withdrawn by the user at any point. The company must make it simple and accessible to withdraw consent.

GDPR Article 4 defines consent as:

“any freely given, specific, informed and unambiguous indication of a data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

GDPR consent must be specifically given by the individual

In other words, the user must take a specific action to give consent, and the information about what they are consenting to must be presented clearly and in easily understandable terms. The consent wording must be written so that an average person can understand exactly what they are agreeing to.

Use of the data cannot go beyond what is specified in this consent agreement.

Users must also take a specific action to signal their consent, such as ticking a box on a website or choosing an app setting. Consent inferred from silence, inactivity or an omission is not valid under GDPR.

GDPR consent and lawfulness of processing

What consent means for a business is not always immediately obvious. It is one of the more ambiguous, and therefore contentious, elements of GDPR. Before going into specifics, it is important to understand GDPR Article 6, which covers the lawfulness of processing.

GDPR Article 6 concerns whether collecting and processing user data is lawful. To be lawful under GDPR, data collection must rest on at least one of six legal grounds. Businesses must determine which of these grounds any data collection or analysis they do falls under:

  1. User consent.
  2. Legitimate interest.
  3. Contractual necessity.
  4. Vital interest of the user.
  5. Legal obligation.
  6. Public interest.

If the data collection does not fall under one of these grounds, it is not lawful under GDPR and can lead to large financial penalties.

GDPR consent – the lawful definition

This is laid out in Article 4, as quoted above. But what exactly does it mean for the user?

Consent to process personal data must be:

  • Freely given – users must be given a genuine choice to consent and must not be coerced.
  • Specific – consent must relate to specific processing activities rather than to any purpose the business wants. For example, if the data is for a newsletter subscription, the request must say exactly that.
  • Informed – the user must fully understand why the data is being collected and what it will be used for before they give consent.
  • Clear (unambiguous) – users must understand the scope of the data collection and what the data will be used for.

Consent requirements under GDPR

This is what companies need to do to meet the GDPR stipulations over consent:

  1. Make consent opt-in – it must be an affirmative action. Pre-ticked boxes or opt-out mechanisms are not sufficient.
  2. Document all consent – companies must keep a record of every user’s consent: how they consented, what they consented to and when.
  3. Make it simple to withdraw consent – clearly explain how users can withdraw consent at any time.
  4. Keep consent separate from the service – do not make consent a precondition for receiving a service or completing a transaction. Consent must be independent of every other action.
  5. Make consent granular – users must be able to consent separately to each distinct data processing activity the company carries out.

GDPR special categories consent

GDPR Article 9 says that data controllers processing data from the special categories of personal data must first obtain explicit consent. But what is explicit consent?

Explicit consent must be obtained in the form of a written statement. The company must clearly write out exactly what the data will be used for.

Companies should use consent as the lawful basis for data processing when:

  • none of the other legal bases applies;
  • they are processing special categories of data (sensitive data);
  • they want to give users a genuine choice;
  • they want to build user engagement; or
  • they send marketing material such as newsletters and third-party offers.

Where should the consent request go?

Consent information must be easily identifiable by the user and presented separately from any terms and conditions.

The consent request must be made before any user data is collected or processed.

Consent must be requested at every separate data collection point. For example, if a user has already given their email address to download an e-book, they have not consented to receive other marketing materials.

They must be given a separate opportunity to sign up for other offers.

The consent request must state:

  1. Who is processing the data.
  2. Why they are processing the data.
  3. What they will do with the data.

The user must also be given clear information about how to withdraw consent.