Consent to Data Processing
Consent is one of the six lawful bases for processing under GDPR[1].
GDPR consent must be[2]:
Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
Active opt-in: pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
Granular: give granular options to consent separately to different types of processing wherever appropriate.
Named: name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
No imbalance in the relationship: consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.
Requests for Consent
Where to place the request
Crucially, the request for consent must be separate from any terms and conditions or contracts.
The ICO[3] recommends tailoring consent requests by developing user-friendly ‘layered information’ [4] and ‘just-in-time consents’ [5].
Minimum content
The ICO recommends that, as a minimum, a consent request includes:
the name of your organisation;
why you want the data (the purposes of the processing);
what you will do with the data (the processing activities); and
the names of any third parties who will rely on the consent – consent for categories of third-party organisations will not be specific enough;
that people can withdraw their consent at any time and it is good practice to tell them how to withdraw consent.
Are opt-in (tick) boxes mandatory?
No. In the templates below we use opt-in (tick) boxes, but this is not the only acceptable way of expressing consent. Consent must be given by a clear affirmative act. The data subject must take deliberate action to opt in, but not necessarily by ticking an opt-in box. They could, for example, sign a consent statement, give oral confirmation, make a binary choice presented with equal prominence, or switch technical settings away from the default.
Time limits
There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
Templates
We provide the following templates that you may still need to modify to suit the circumstances.
Example 1 is basic and focuses on the situation where the business itself is processing and there is no third party/outside UK/EU processing.
Example 2 allows for third party/outside EU processing.
Example 3 is the same as Example 2 but allows for very granular (i.e. multiple) consents to each section.
Example 4 provides for explicit consent in respect of sensitive data (and can be used to consent to other things such as automated decision-making).
Example 5 provides for explicit consent using a signed form (as opposed to tick-box) with emphasis on the data subject’s right to choose not to consent.
Example 1
This example mirrors the ICO requirements above except that it does not cater for processing for third parties or transmitting outside the UK and EU (for this see Examples 2 & 3).
Note that you may need to repeat “purpose / activity” sections (and have additional consent boxes) if there is more than one processing operation. This is because of the requirement to give granular options for consent to independent processing operations.
We [Name Of Organisation] need to ask your permission before we can use your personal data.
What personal data do we ask for? [Specify Personal Data]
Why do we want your personal data? [Specify Purpose]
What do we do with your personal data? [Specify Activity]
Can you withdraw your permission? Yes, at any time, by telling us at [Insert Link]
Please tick here if you consent to us using your personal data in this way: [ ]
You may withdraw your consent at any time by notifying us at [Insert Link]
Example 2
This example caters for processing using third parties and transmitting outside the UK and EU.
You may need to repeat the “purpose / activity” sections (and have additional consent boxes) if there is more than one processing operation.
We [Name Of Organisation] need to ask your permission before we can use your personal data.
What personal data do we ask for? [Specify Personal Data]
Why do we want your personal data? [Specify Purpose]
What do we do with your personal data? [Specify Activity]
Who do we want to share your personal data with? [Name Third Party]
Why do we want to share your personal data? [Specify Purpose Of Sharing]
Why do we want to transmit your personal data out of the UK and EU? [Specify Details And Purpose]
Can you withdraw your permission? Yes, at any time, by telling us at [Insert Link]
Please tick here if you consent to us using your personal data in this way: [ ]
You may withdraw your consent at any time by notifying us at [Insert Link]
Example 3
This is the same as Example 2 but for situations where you consider that an even more granular approach might be appropriate and consent is required to be given to each section.
Again, you may need to repeat the “purpose / activity” sections (and have additional consent boxes) if there is more than one processing operation.
We [Name Of Organisation] need to ask your permission before we can use your personal data. Tick the box against each item to indicate your consent to it.
What personal data do we ask for? [Specify Personal Data] [ ]
Why do we want your personal data? [Specify Purpose] [ ]
What do we do with your personal data? [Specify Activity] [ ]
Who do we want to share your personal data with? [Name Third Party] [ ]
Why do we want to share your personal data? [Specify Purpose Of Sharing] [ ]
Why do we want to transmit your personal data out of the UK and EU? [Specify Details And Purpose] [ ]
You may withdraw any consent at any time by notifying us at [Insert Link]
Example 4: Explicit Consent
If you want to process special category (sensitive) personal data, ‘explicit consent’ is one option[6] for legitimising the use of special category data.
Explicit consent is not defined in the GDPR, but is not likely to be very different from the usual high standard of consent.
Explicit consent can also legitimise:
automated decision-making (including profiling), or
overseas transfers by private-sector organisations in the absence of adequate safeguards.
Explicit consent must be expressly confirmed in words, rather than by any other positive action.
Clear affirmative action alone is not explicit consent, nor is implied consent (i.e. consent inferred from someone’s actions), however obvious it might be that they consent.
The ICO provides the following simple example as acceptable “explicit” consent:
I consent to receive emails about your products and special offers. [ ]
If the individual ticks the box, they will have explicitly consented to the processing.
The statement must specifically refer to the element of the processing that requires explicit consent.
For example, the statement should specify the nature of the special category data, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of the transfer.
The ‘explicit’ element of any consent should also be separate from any other consents you are seeking.
Example 5: Explicit Consent Request Form
Part A: We are requesting your explicit consent for the processing of your personal information for the reasons and in the way specified below:
We are requesting your consent to process the following information relating to you personally:
For the following reason and / or purpose:
Details of any third parties with whom we shall share your information, and reasons for doing so are listed below:
Details of how and whether your information will be transmitted out of the UK and EU are listed below:
Part B: Your Explicit Consent
If you consent to our processing of your information in the way and for the purpose specified in this form, then you should complete this Part B using the box below:
I do explicitly consent to my personal information being processed in accordance with the details provided in Part A of this form:
Name:
[Insert Name]
Signed:
Dated:
NB1: You are not obliged to consent to this request. If you do not consent, you should notify the person who sent you this form.
NB2: If you do consent, you should return this form, with Part B completed, to the person who sent you this form.
Part C: Withdrawing your Explicit Consent
If you provide consent above, you may withdraw it at any time by completing this Part C and returning it, or otherwise notifying us in writing, to [Name Or Position].
I hereby withdraw my consent to the processing of my personal information described below:
Please provide details of the consent that you are withdrawing; or indicate “I withdraw my consent given in part B of this form” (if using a copy of the same form).
Name:
[Insert Name]
Signed:
Dated:
E-Privacy and Marketing
For completeness we note that you are also likely to need consent under ePrivacy laws for most marketing calls or messages, website cookies or other online tracking methods, or to install apps or other software on people’s devices.
These rules are currently found in the Privacy and Electronic Communications Regulations 2003 (PECR), but there is a proposal for a new updated ePrivacy Regulation to come into force at the same time as the GDPR.
Opt-In Wording For Consent To Direct Marketing By Electronic Means (Email or SMS)
Please tick here if you would like us to contact you by electronic means (email or SMS) with information about goods and services which we feel may be of interest to you.
[1] Current definition:
“any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
GDPR definition:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal
The key elements – freely given, specific, informed and an indication signifying agreement – remain; however, the GDPR adds that the indication must be unambiguous and involve clear affirmative action, i.e. individuals must now make clear, granular choices.
[2] Businesses are NOT required to automatically refresh all existing consents, but they MUST check that existing consents meet the new GDPR standard.
[3] ICO GDPR consent guidance. Start date: 2 March 2017; end date: 31 March 2017.
[4] Layered information: consists of a short notice containing the key information, such as the identity of the organisation and the way you will use the personal information. It may contain links that expand each section to its full version, or a single link to a second, longer notice which provides more detailed information. This can, in turn, contain links to further material that explains specific issues.
[5] Just-in-time consents: these work by appearing on-screen at the point the person inputs the relevant data, with a brief message about what the data will be used for. This will help you provide more information in a prominent, clear and specific way to ensure that consent is informed.
[6] But it is not the only way. Article 9(2) GDPR lists nine other conditions and there is some scope for UK legislation to add more.