One easy way to avoid large GDPR fines is to always get permission from your users before using their personal data. This article explains the GDPR consent requirements to help you comply.

Contrary to popular belief, the EU GDPR (General Data Protection Regulation) does not require businesses to obtain consent from people before using their personal information for business purposes. Rather, consent is just one of the six legal bases outlined in Article 6 of the GDPR. Businesses must identify the legal basis for their data processing.

Consent is one of the easiest to satisfy because it allows you to do just about anything with the data — provided you clearly explain what you’re going to do and obtain explicit permission from the data subject. However, as Google recently learned by way of a €50 million fine, you can’t cut corners. French data protection authorities said the company’s version of obtaining consent was neither “informed” nor “unambiguous” and “specific.”

This article will focus on how to satisfy the GDPR requirements for consent as a legal basis.

For more general information about what the GDPR says, read our article, “What is the GDPR?” It provides a conceptual overview of the law. We also have published the full text of the GDPR.

The GDPR requires a legal basis for data processing

“In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis,” the GDPR explains in Recital 40. In other words, consent is just one of the legal bases you can use to justify your collection, handling, and/or storage of people’s personal data. Article 6 states five other justifications.

As we explain in our GDPR overview, these are the other legal bases:

  1. Processing is necessary to satisfy a contract to which the data subject is a party.
  2. You need to process the data to comply with a legal obligation.
  3. You need to process the data to save somebody’s life.
  4. Processing is necessary to perform a task in the public interest or to carry out some official function.
  5. You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data.

You only need to choose one legal basis for data processing, but once you’ve chosen it you have to stick with it. You cannot change your legal basis later, though you can identify multiple bases. You should conduct a GDPR data protection impact assessment before processing personal data.

GDPR consent definition

If you process someone’s data based on their consent, the GDPR clearly explains the obligations you must meet. Article 4(11) defines consent:

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The GDPR further clarifies the conditions for consent in Article 7:

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Now that you have a definition, let’s unpack some of these concepts.

Consent must be freely given

“Freely given” consent essentially means you have not cornered the data subject into agreeing to you using their data. For one thing, that means you cannot require consent to data processing as a condition of using the service. They need to be able to say no. According to Recital 42, “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”

The one exception is if you need some piece of data from someone to provide them with your service. For example, you may need their credit card information to process a transaction or their mailing address to ship a product.

Recital 43 discusses freely given consent. It explains that you must get separate consent for each data processing operation. So if you want their email address for marketing purposes and their IP address for website analytics purposes, you must give the user an opportunity to confirm or decline each use.

Consent must be specific

“The request for consent shall be presented in a manner which is clearly distinguishable from the other matters.” It should be clear what data processing activities you intend to carry out, granting the subject an opportunity to consent to each activity.

In the email address and IP address example, you can’t explain these uses as part of a single, long paragraph detailing the operations of your marketing team, with a single consent checkbox at the end. Instead, you must explain each data use case separately, giving data subjects  an opportunity to consent to each activity individually.

If you have more than one reason to conduct a data processing activity, you must obtain consent for all those purposes. So if you store phone numbers for both marketing and identity verification purposes, you must obtain consent for each purpose.

Consent must be informed

Informed consent means the data subject knows your identity, what data processing activities you intend to conduct, the purpose of the data processing, and that they can withdraw their consent at any time.

It also means that the request for consent and the explanation of the data processing activities and their purpose are described in plain language (“in an intelligible and easily accessible form, using clear and plain language”). That means no technical jargon or legalese. Anyone accessing your services should be able to understand what you’re asking them to agree to.

The Google case offers an instructive real-world example. The French authorities said the company did not meet the requirements of informed consent:

The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent. For example, in the section ‘Ads Personalization,’ it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations … and therefore of the amount of data processed and combined.

The British Information Commissioner’s Office provides further context: “If the request for consent is vague, sweeping or difficult to understand, then it will be invalid. In particular, language likely to confuse — for example, the use of double negatives or inconsistent language — will invalidate consent.”

Consent must be unambiguous

That is, there should be no question about whether the data subject has consented. “Silence, pre-ticked boxes or inactivity should not therefore constitute consent,” according to GDPR Recital 32.

Unambiguous consent “could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.”

Consent can be revoked

The GDPR does not indicate a shelf life for consent. Theoretically, a person’s consent is indefinite, though there might be situations in which it becomes clear that consent is no longer valid or reasonable, or violates some principle of data processing.

However, a data subject has the right to withdraw consent at any time. Moreover, you must make it easy for them to do so. In general, it should be as easy for them to withdraw consent as it was for you to obtain consent.

The GDPR consent requirements are relatively easy to understand but perhaps more difficult to implement. You may encounter technical hurdles or problems reconciling your business needs with the demands of GDPR compliance. Filling out your data protection impact assessment can help. So can speaking with a GDPR lawyer.
GDPR compliance is an ongoing process. Refer to our GDPR checklist to make sure your organization is above board.