The 5 Requirements for Consent under the GDPR

Consent is one of the six legal bases for processing personal data. However, businesses that choose to rely on this legal basis must meet the following requirements for consent set out by the GDPR.

What are the requirements for consent under the GDPR?

According to the EU’s GDPR, consent is only valid when the following requirements are met.

1. The consent is freely given.

Under the EU’s GDPR, the individual to whom the personal data belongs, also known as the data subject, must give their consent freely. This means that the data controller can’t force the data subject to consent to the processing.

Here’s how businesses can ensure that consent is freely given.

Don’t pre-check consent boxes

The data subject must actively check any consent boxes on your website.

Don’t force customers to consent to unnecessary data processing

Providing a service or product must not be made conditional on consent to any data processing that is unnecessary for providing that product or service.

Let’s take the example of an online retailer that doesn’t allow customers to complete their purchases unless they agree to receive marketing emails. In this case, sending the customers marketing emails is unnecessary for the sale. Therefore, the consent is invalid.

The proper way to do this would be to offer the customers a choice, so they can also complete their purchase without consenting to receive marketing emails.

Ask for separate consent for different types of processing

Under the GDPR, businesses have to ask for separate consent for each processing purpose.

Let’s say you want to use a client’s email address to send them newsletters and their phone number to call and get feedback from them. Under the GDPR, you must collect separate consent for each purpose.

Make it easy for customers to withdraw consent and don’t penalize them for it

Businesses need to provide customers with an easy way to withdraw consent. Furthermore, they are not allowed to punish the individuals who decide to opt out.

Don’t bundle up consent with other terms and conditions

When consent is bundled up as a part of other terms and conditions, the data subject has no genuine choice. This means that the consent is not freely given.

2. The consent is informed.

Under the EU’s GDPR, businesses must inform the data subjects about the identity of the data controller and the purpose of the personal data processing. Otherwise, the consent is invalid as it is not informed.

Although not a legal requirement, it is good practice to also let customers know how they can withdraw their consent in the consent request.

3. The consent is specific.

When explaining to the data subjects what they are agreeing to, businesses must use clear and plain language. Furthermore, the consent request must be intelligible and in an easily accessible form.

If the consent request is ambiguous or hard to understand, the consent will be invalid. Therefore, companies should avoid using double negatives, long and complex sentences, and pretentious words when formulating a consent request.

Also, remember that consent only applies for the initially specified purpose. If you want to process the data for a different purpose, you will need to collect the data subject’s consent again.

4. The consent is unambiguous.

For consent to be valid, there must be no doubt that the data subject agreed to the personal data processing. This means that the individual should actively take action to confirm their consent (e.g., signing a declaration of consent, changing the default settings, ticking a consent box).

Since assumed or implied consent is invalid, businesses should never rely on inactivity, silence, default settings, or general terms and conditions.

5. The consent is verifiable.

Businesses that rely on consent must be able to demonstrate that the data subject agreed to the processing. A good idea is to maintain audit trails, so you can provide proof of consent in case of an inspection.

Consent evidence should be kept for as long as you process the personal data based on the consent. Such evidence should include:

  • The name of the person, their email, or other identifiers
  • A copy of the dated document or any other record that has a timestamp
  • The text of the consent request at the time that the consent was given
  • In the case of written consent, businesses should keep a copy of the document or data collection form. For online consent, they should keep records of the data submitted and timestamps so they can link it to the correct version of the data collection form.
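The record-keeping described above, together with the per-purpose and affirmative-action rules from earlier sections, can be implemented as an append-only consent ledger. The following Python is an added example and is not code from the article or from any product it mentions; the company name "Example Co", the consent wordings, the purpose names and the subject identifiers are all constructed for illustration. Each event stores who acted, when, which exact wording they saw (identified by a content hash of the consent text) and how they acted; withdrawals are appended rather than overwriting earlier records, so the full history survives for an inspection.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample consent wordings, one per processing purpose (hypothetical company name).
CONSENT_TEXTS = {
    "newsletter": (
        "I agree to receive the Example Co newsletter by email. "
        "I can withdraw this consent at any time via the link in every newsletter."
    ),
    "feedback_calls": (
        "I agree that Example Co may call the phone number I provided to ask for product feedback. "
        "I can withdraw this consent at any time by emailing privacy@example.invalid."
    ),
}

# Only affirmative actions count as consent: silence, inactivity or a pre-ticked
# default box is never accepted as a method of giving consent.
ACTIVE_METHODS = {"checkbox_ticked", "declaration_signed", "default_settings_changed"}


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Convenience constructor for timezone-aware timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def text_version(text: str) -> str:
    """Content hash of the consent wording, so a record can be tied to the exact text shown."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str              # name, email or another identifier of the data subject
    purpose: str                 # one processing purpose per event
    action: str                  # "given" or "withdrawn"
    timestamp: datetime          # timezone-aware
    text_version: Optional[str]  # hash of the consent request text; None for withdrawals
    method: str                  # how the subject acted, e.g. "checkbox_ticked"


class ConsentLedger:
    """Append-only audit trail of consent events; nothing is ever updated or deleted."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    @staticmethod
    def _stamp(at: Optional[datetime]) -> datetime:
        ts = at if at is not None else datetime.now(timezone.utc)
        if ts.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        return ts

    def record_given(self, subject_id: str, purpose: str, consent_text: str,
                     method: str, at: Optional[datetime] = None) -> ConsentEvent:
        if purpose not in CONSENT_TEXTS:
            raise ValueError(f"unknown processing purpose: {purpose}")
        if method not in ACTIVE_METHODS:
            raise ValueError(f"{method!r} is not an affirmative action; consent not recorded")
        event = ConsentEvent(subject_id, purpose, "given", self._stamp(at),
                             text_version(consent_text), method)
        self._events.append(event)
        return event

    def record_withdrawn(self, subject_id: str, purpose: str, method: str,
                         at: Optional[datetime] = None) -> ConsentEvent:
        event = ConsentEvent(subject_id, purpose, "withdrawn", self._stamp(at), None, method)
        self._events.append(event)
        return event

    def has_valid_consent(self, subject_id: str, purpose: str,
                          at: Optional[datetime] = None) -> bool:
        """True only if the latest event for this subject and purpose (up to `at`) is a 'given'."""
        cutoff = self._stamp(at)
        matching = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.timestamp <= cutoff]
        if not matching:
            return False
        latest = max(matching, key=lambda e: e.timestamp)
        return latest.action == "given"

    def evidence(self, subject_id: str, purpose: str) -> list[ConsentEvent]:
        """Everything an inspector would ask for: who, when, which wording, and how they acted."""
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.timestamp)


if __name__ == "__main__":
    ledger = ConsentLedger()
    t1, t2 = utc(2024, 3, 1, 10, 0), utc(2024, 6, 1, 9, 30)
    ledger.record_given("alice@example.invalid", "newsletter",
                        CONSENT_TEXTS["newsletter"], "checkbox_ticked", at=t1)
    print(ledger.has_valid_consent("alice@example.invalid", "newsletter", at=t1))      # True
    print(ledger.has_valid_consent("alice@example.invalid", "feedback_calls", at=t1))  # False
    ledger.record_withdrawn("alice@example.invalid", "newsletter", "unsubscribe_link", at=t2)
    print(ledger.has_valid_consent("alice@example.invalid", "newsletter", at=t2))      # False
```

Because consent is checked per purpose, a subject who agreed to the newsletter is not treated as having agreed to feedback calls, and because the ledger is append-only, `has_valid_consent` can answer both "is there consent now?" and "was there consent at the time we sent that email?". Storing the hash of the consent wording rather than a free-text note lets you match a record against the archived version of the form it was collected on.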

Who is responsible for obtaining and documenting consent?

Under the EU’s GDPR, the data controller (the company that establishes the processing purpose and how the data is processed) is responsible for obtaining the person’s consent.

Conclusion

Businesses that choose to rely on consent must ensure that specific requirements are met. Consent must be freely given, informed, specific, unambiguous, and verifiable. This means that individuals must have a genuine choice to provide their consent without coercion or bundling it with other terms, be clearly informed about the purpose and the identity of the data controller, and take an active role in confirming their consent. Moreover, businesses are responsible for keeping records of consent to demonstrate compliance. By adhering to these guidelines, organizations can ensure that they process personal data lawfully under the GDPR.
