Further Reading: Consent and explicit consent

Consent must be

  • Provided by an unambiguous, positive affirmative act
  • Freely given
    • Consent should be unconditional
    • An individual should be able to refuse to give consent, or to withdraw it, without disadvantage
    • Consent is not freely given where there is an imbalance of power between the parties, for example in most employment situations
  • Informed
    • Of the information required by Articles 13, 14 and 22(2)(c), namely the information in your privacy notice
    • That consent can be withdrawn as easily as it can be given, and without detriment
    • Of the associated risks, if relied upon in the transfer of personal data outside of the EU/EEA
  • Given for a specific purpose
    • One consent for a series of processes will be non-compliant – consent must be granular
    • Processing for a purpose other than that for which consent was given will be non-compliant
  • Written in clear, plain and uncomplicated language
    • The language used must be age appropriate

As an individual must be able to withdraw consent as easily as they can give it, consent is the least attractive lawful basis for processing in most business situations

A record of consent should be kept so you can ensure compliance

In the UK a child needs to be 13 years old for consent to be valid when using an Information Society Service

References: Article 4(11) and Article 7 and Recitals 32, 42, 43 of the GDPR
EDPB guidelines on Consent 05/2020
Working Party Article 29 Opinion 15/2011
Articles 9, 49 and 22 as regards explicit consent