You can only use personal data if you do so “lawfully” under GDPR. One way to do this is by getting the person’s consent.
Because someone can withdraw their consent at any time, however, we recommend you rely on one of the other lawful bases instead – contract or legitimate interest.
How to get consent
Consent can be given on paper, online or verbally. Whichever form it takes, it must be clear:
- that the person has freely consented
- what they have consented to
Asking for consent
You should keep consent requests specific and separate from other terms and conditions. The request must be easy to understand and include:
- the name of your organisation
- the name of any third-party controllers who will rely on the consent
- why you want the data
- what you’ll do with it
- how to withdraw consent at any time
You must not use pre-ticked boxes.
You should keep a record of consents. It should include:
- when and how you got consent
- what you were told at the time of consent
How long consent lasts
Consent has no time limit. How long it lasts will depend on the context. You’ll need to review and refresh consent by considering the scope of the original consent and the person’s expectations.
Parental consent doesn’t expire when a child reaches 13 (the age they can consent themselves). Here, you may need to review the consent more regularly.
Someone must be able to withdraw consent as easily as they gave it. For example, if they gave consent through an app, they should be able to use the same app to withdraw their consent.
A data controller must make the withdrawal:
- free of charge
- with the same level of customer service
When consent is withdrawn, you must:
Sensitive personal data
For sensitive (special category) personal data you’ll also need to make sure you meet one of the requirements in Article 9 of the GDPR.
Children and consent
Children must be at least 13 to give their own consent, and you'll need to verify their age. Children aged 13 or over can consent to online services themselves; younger children will need parental consent.
The language must be clear and plain for children.
When a person lacks the capacity to consent, someone else will need legal authority to consent for them, for example under a Power of Attorney.
Marketing and consent
The new consent rules mean you must:
- make opt-ins clear – you cannot use pre-ticked boxes
- keep consent separate from other terms and conditions
- not make consent a condition of signing up to a service
- keep a clear record of all consents
- tell your clients how they can withdraw consent at any time
- have clear consent options, specific to the data use
You’ll need to ask for consent again or choose a different legal basis if your existing permissions don’t meet these new standards or aren’t well documented.
The EU is creating a new e-privacy regulation to sit alongside GDPR. This has not been agreed yet, so for now you should continue to follow Privacy and Electronic Communications Regulations (PECR) alongside GDPR.
You can read more about consent as a lawful basis on the ICO website.