Introduction
This checklist is intended to provide guidance to in-house counsel and private practitioners about obtaining and managing consent under the European Union’s General Data Protection Regulation (EU GDPR) and to assist them when advising internal and external clients on these issues.
The EU GDPR requires that an organisation’s processing of personal data comes within one of six lawful bases (or reasons) for that processing to be lawful. One lawful basis that an organisation may rely on is that the data subject has consented to the processing for a specific purpose. An organisation must meet several requirements to properly rely on consent as a lawful basis.
This checklist addresses the following topics:
- Basic elements of valid consent
- Additional requirements for valid consent
- Recording and managing consent
This checklist focuses on the form and management of valid consent, and it assumes that consent has already been determined to be an appropriate lawful basis for the processing. There are several factors that influence the appropriateness of relying on consent, so please ensure you have reviewed Checklist: Lawful processing of personal data under the GDPR before using this checklist. See also the explanatory notes at the end of this checklist for further information.
Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’ and ‘processing’, are further explained in How-to guide: Understanding key data protection definitions.
Step 1 – Basic elements of valid consent
All of the elements in the table below must be satisfied whenever you are seeking to rely on consent (regardless of who you are seeking consent from, what you are seeking consent for, and the context in which the processing activity is taking place).
| No. | Element |
|---|---|
| 1.1 | Clear and concise – present your request for consent to the data subject in a clear and concise way |
| 1.2 | Distinct – clearly distinguish your request for consent from other matters presented to the data subject |
| 1.3 | Specific and granular – ensure that your request for consent relates to a specific processing activity and the data subject has preference control |
| 1.4 | Informed – include all necessary information in your request for consent to inform the data subject about what they are consenting to |
| 1.5 | Affirmative and unambiguous – ensure that your request for consent requires clear affirmative action and is unambiguous |
| 1.6 | Freely given – ensure that the data subject is freely providing consent at their own discretion, without pressure, conditionality or fear of detriment |
| 1.7 | Capacity – ensure that the data subject has legal capacity to provide consent |
Step 2 – Additional requirements for valid consent
The table below sets out additional requirements that you may need to comply with if you are seeking to obtain consent from a data subject in certain circumstances.
| No. | Circumstances | Additional requirement |
|---|---|---|
| 2.1 | Explicit consent – you need to obtain explicit consent for specific processing activities (eg, processing special category data) | You ensure that consent is explicit and not inferred from an action by the data subject |
| 2.2 | Children’s consent – you need to obtain consent for processing related to information society services and the data subject may be under the applicable age of digital consent. | You verify the age of the data subject, obtain parental consent for children in accordance with applicable member state age of digital consent requirements and verify that the person giving consent has parental responsibility |
| 2.3 | Multiple controllers – you need to obtain consent (or rely on consent) where multiple controllers will rely on the same consent | You identify all controllers in the consent request, or if you are relying on consent obtained by another controller, you ensure that you are identified in their request |
| 2.4 | Provided on behalf of a data subject – you need to obtain consent from an individual on the data subject’s behalf | You verify the authority of the third-party individual and you ensure that you comply with the elements of valid consent in relation to the data subject |
| 2.5 | Power imbalance – you are in a position of power over the data subject you are seeking consent from (eg, you are their employer or a public authority) | You take extra steps to make it clear that consent is entirely optional and there is no risk of adverse consequences (and you first ensure that consent is appropriate) |
Step 3 – Recording and managing consent
The table below sets out requirements relating to recording and managing consent once you have obtained it. Comply with these requirements whenever you are relying on consent as a lawful basis for processing.
| No. | Requirement |
|---|---|
| 3.1 | Maintaining records – ensure that you maintain verifiable records of consent |
| 3.2 | Managing withdrawals – ensure that you provide an easy and accessible mechanism to withdraw consent and you promptly action withdrawal requests |
| 3.3 | Refreshing consent – refresh consent at appropriate intervals |
| 3.4 | Changes to processing – obtain new consent for any changes in the processing, even if a new purpose is compatible with the original purpose |
Explanatory notes
General notes
Legal framework
This checklist covers the requirements under:
- the EU GDPR; and
- European Data Protection Board (EDPB) Guidelines 05/2020 on consent under Regulation 2016/679.
Article 6, EU GDPR requires that an organisation’s processing of personal data comes within one of six bases (or reasons) in order for that processing to be lawful. One lawful basis that an organisation may rely on is the data subject’s consent, as set out in article 6(a) of the GDPR.
The requirements for valid consent are generally set out in the following:
- article 4(11), EU GDPR – defines consent;
- article 7, EU GDPR – sets out conditions for consent;
- article 8, EU GDPR – sets out additional conditions for children’s consent;
- recital 32, EU GDPR – expands on the conditions for consent; and
- recital 43, EU GDPR – expands on the concept of freely given consent.
Appropriateness of relying on consent
As raised in the introduction, this checklist focuses on the form and management of valid consent, and assumes that consent has already been determined to be an appropriate lawful basis for the processing. There are several factors that influence the appropriateness of relying on consent, so please ensure you have reviewed Checklist: Lawful processing of personal data under the GDPR before using this checklist.
Note that there is some overlap between the exercises for determining the appropriateness of consent and complying with the requirements for the form and management of consent (eg, not relying on consent where it would be requested as a precondition to a service, and the requirement that consent must be freely given). Areas of overlap are flagged in this checklist.
What else do organisations have to do to ensure that consent-based processing is compliant?
Obtaining valid consent does not negate or diminish your obligations to comply with other provisions of the EU GDPR, and it does not provide you with carte blanche to process the personal data however you like. For example, you must still comply with the purpose limitation and data minimisation principles in article 5 of the EU GDPR. Also consider if there are other applicable laws or industry-specific rules that you need to comply with.
Consent in other industries
Consent under the EU GDPR is different to the consent that other industries require, for example, in healthcare, scientific research or publicity releases. Even if you are required to obtain consent from an individual under other legal, ethical or procedural rules, this does not mean that consent will be the most appropriate lawful basis to rely on under the EU GDPR for personal data processing purposes, or that you will have automatically met EU GDPR requirements for valid consent. See further Checklist: Lawful processing of personal data under the GDPR.
Notes on specific requirements
Step 1 – Basic elements of valid consent
1.1 Clear and concise – present your request for consent to the data subject in a clear and concise way
Put your request for consent in an intelligible and easily accessible form, using clear and plain language. Avoid using long sentences and overly technical or legal language. Be consistent with how you present your consent request if you seek consent from the same type of data subject for different matters. It is important to strike the right balance between ensuring your request is clear and accessible, and ensuring your request is sufficiently specific and informed (see steps 1.3 and 1.4 below).
1.2 Distinct – clearly distinguish your request for consent from other matters presented to the data subject
Your request for consent must be prominent and distinguished from other matters you wish to communicate to the data subject, for example, consent cannot be hidden within your terms and conditions. Ideally, request consent immediately prior to collecting relevant personal data to ensure the data subject understands exactly what they are being asked to consent to (ie, via a just-in-time request).
Consider the potential disruption caused to data subjects when presenting them with just-in-time consent requests and weigh it against the potential privacy risk to them. For example, if a processing activity carries minimal risk and is well understood by data subjects, it may be possible to justify a slightly less prominent approach. However, the burden will be on your organisation to demonstrate that consent was sufficiently distinct.
1.3 Specific and granular – ensure that your request for consent relates to a specific processing activity and the data subject has preference control
Your request for consent must relate to a specific processing activity that you wish to carry out for a specific purpose. It is not possible to seek a blanket consent from data subjects to process their personal data for overly broad or undefined purposes.
Additionally, your request for consent must be granular. This means that if your request includes multiple processing activities and purposes, you need to give the data subject the freedom to consent to some activities and not others. It is not considered good practice to only permit data subjects to consent on an all-or-nothing basis, unless the activities are clearly inter-dependent and you consider it appropriate to bundle them together.
There is some flexibility on the specificity requirements if you are seeking consent to process personal data for scientific research purposes and it is not possible to precisely set out the specific purposes of your research in advance. In these circumstances, you are permitted to identify the general areas of your research, but you should still seek to provide the data subject with granular options to consent to some areas and not others.
1.4 Informed – include all necessary information in your request for consent to inform the data subject about what they are consenting to
Make sure your request for consent is appropriately informed. At a minimum, you need to clearly provide the following information to the data subject at the time of requesting their consent (although you can provide it in a layered format):
- the identity of your organisation (see also step 2.3 with respect to additional controllers);
- the type of personal data you wish to obtain;
- the processing activities you will carry out;
- the purposes for which you seek to process their personal data;
- the existence of the data subject’s right to withdraw consent and instructions for how to do so;
- information about any automated decision-making (if relevant); and
- information about any international data transfer risks (if relevant).
It is important to note that this requirement is separate from and in addition to your obligation to provide transparent information under articles 13 and 14 of the EU GDPR. However, you should also include a link to your general privacy policy for further information about your general personal data processing practices.
1.5 Affirmative and unambiguous – ensure that your request for consent requires clear affirmative action and is unambiguous
The consent must be an unambiguous indication of the data subject’s wishes, marked by a clear affirmative statement or action from the data subject. Consent is not valid if it is obtained using pre-ticked boxes, silence, inactivity or any other default method that assumes consent on the part of the data subject. It must be obvious that the data subject has sought to deliberately provide their consent.
This requirement leaves room for implied consent through clear affirmative action from the data subject. In other words, it is not always necessary for the data subject to use the exact words ‘I consent’ if they indicate their consent by volunteering optional information for a specific and obvious purpose, for example, sending an email or completing a survey. Note, implied consent is not available for circumstances where explicit consent is being sought – see step 2.1.
Similar to the requirement for requests for consent to be distinct, consider the potential disruption caused to data subjects by requesting affirmative action from them, and weigh it against the potential privacy risk to them. However, always ensure that the consent is unambiguous – the burden will be on your organisation to demonstrate this.
1.6 Freely given – ensure that the data subject is freely providing consent at their own discretion, without pressure, conditionality or fear of detriment
Ensure that data subjects have genuine choice and control over their decision to provide consent, or not. The requirement for consent to be freely given is tied to the concepts of power imbalance, conditionality and detriment.
If there is a clear power imbalance between you and the data subject, it is usually presumed that the data subject feels compelled to provide their consent and accordingly, such consent will not be valid. This concept is discussed further at step 2.5, as well as in Checklist: Lawful processing of personal data under the GDPR.
Consent will not be considered to be freely given if the data subject’s consent is a precondition to receiving services and they will be denied the services if they do not provide it. In these circumstances, performance of contract is likely to be the more appropriate lawful basis for processing personal data. This concept is discussed further in Checklist: Lawful processing of personal data under the GDPR.
If the data subject’s refusal to provide consent would result in a detriment to the data subject, consent will not usually be considered freely given. However, it is important to distinguish detriment from the unavailability of certain incentives to the data subject if they do not provide consent. For example, not being able to enter a contest is unlikely to amount to detriment. It is most important to consider whether the data subject would be unfairly penalised if they do not provide consent.
1.7 Capacity – ensure that the data subject has legal capacity to provide consent
Generally, you can assume that adults have the capacity to consent to personal data processing. However, if you have reason to believe that data subjects may lack an understanding of the consequences of what they are consenting to, then take steps to verify their capacity to consent. If a data subject lacks the capacity to consent, you may obtain consent from a third party with the legal right to make decisions on the data subject’s behalf. See also step 2.2 with respect to children’s consent.
Step 2 – Additional requirements for valid consent
2.1 Explicit consent – you need to obtain explicit consent for specific processing activities (eg, processing special category data)
In order to conduct certain processing activities – such as processing special category data (see further How-to guide: Understanding key data protection definitions), carrying out automated decision-making or relying on a derogation – you may need to rely on explicit consent. This means that you must take extra steps to ensure that consent is provided via an express statement. The key difference between basic consent and explicit consent is that you cannot infer explicit consent from a clear affirmative action, even if the data subject’s agreement seems obvious. This is because explicit consent is reserved for situations involving a heightened risk to the data subject.
If the data subject has indicated they wish to consent through their actions, you should confirm their consent via a separate express statement following the initial action (ie, a two-stage consent approach). An express statement may be provided verbally, but you will usually be able to more effectively demonstrate that you have taken the appropriate steps if the consent is provided in writing.
Note that the requirement for consent to be freely given can become complicated when you are seeking to obtain explicit consent. As set out in step 1.6, if the data subject’s consent is a precondition to receiving services, it will likely be more appropriate to rely on performance of contract as your lawful basis. However, if you are seeking to process special category data, there is no equivalent performance of contract lawful basis under article 9 of the EU GDPR. In these circumstances, there may be some room to rely on a combination of performance of contract under article 6 of the EU GDPR and explicit consent under article 9 of the EU GDPR for processing special category data where no other appropriate lawful bases are available.
2.2 Children’s consent – you need to obtain consent for processing related to information society services and the data subject may be under the applicable age of digital consent
In accordance with article 8, EU GDPR, EU member states are required to establish an age of ‘digital consent’, a minimum age a user must be before a social media or internet company can collect, process and store their data, with discretion being given to EU member states to require that parental consent apply for children aged from 13 to 16. For example:
- parental consent for children under the age of 13 is required in Belgium, Denmark, Estonia, Finland, Latvia, Malta and Sweden;
- parental consent for children under the age of 14 is required in Austria, Bulgaria, Cyprus, Italy, Lithuania and Spain;
- parental consent for children under the age of 15 is required in the Czech Republic, France, Greece and Slovenia; and
- parental consent for children under the age of 16 is required in Croatia, Germany, Hungary, Ireland, Luxembourg, the Netherlands, Poland, Romania and Slovakia.
If you offer information society services (this includes most online services) directly to a child and you wish to obtain consent for processing in relation to such services, you must obtain parental consent for children under the applicable age of digital consent. In EU member states, you should also obtain parental consent for children aged from 13 to 16. This means that you must implement measures to verify the age of the data subject and you must also make reasonable efforts to verify that the person providing parental consent has parental responsibility for the child.
What is reasonable in terms of verifying both age and parental responsibility depends on the nature and risk of the processing activities. For example, if the processing activity is very low risk, it may be sufficient to ask the data subject to verify their age via a checkbox. Reasonableness also depends on the technology that is available to carry out such verification measures. It is therefore important to monitor available technologies and ensure that the verification measures you use are consistent with industry best practices.
Parental consent will not be invalidated once the child becomes older than the prescribed age of digital consent; however, it may be best practice to refresh children’s consent more regularly in case the child wishes to withdraw it or modify their preferences once they reach the age of digital consent. See also step 3.3 on refreshing consent.
2.3 Multiple controllers – you need to obtain consent (or rely on consent) where multiple controllers will rely on the same consent
If you are seeking to obtain consent in circumstances where other controllers (whether they are independent or joint controllers) will also rely on the consent, you must include the names of the applicable controllers in your request for consent. The same rule applies in reverse: if you process personal data as a controller in circumstances where the personal data was obtained by another controller based on consent, you must ensure that the other controller has identified you in their request for consent.
For clarity, the same rule does not apply to processors that will process the personal data based on a contract with you. However, it is important that you still provide the details of all recipients of the personal data (whether they are controllers or processors) and all third-party sources of personal data in your general privacy policy, as required by articles 13 and 14 of the EU GDPR.
2.4 Provided on behalf of a data subject – you need to obtain consent from an individual on the data subject’s behalf
Separate to the issue of capacity to consent, it is possible for an individual to provide consent on behalf of a data subject, for example, if an individual signs their colleague up to receive certain email alerts. However, you must take steps to verify that the third-party individual has the authority to provide the consent. You must also still be able to comply with the other elements of valid consent in relation to the data subject, which can be challenging if you do not have a direct relationship. Proxy consent is therefore generally not advisable unless you are confident that these requirements can be met, for example, by using a two-stage consent approach to confirm the data subject’s consent.
2.5 Power imbalance – you are in a position of power over the data subject you are seeking consent from (eg, you are their employer or a public authority)
If you are in a position of power over the data subject, consent will usually not be considered freely given (see step 1.6) and will not be valid. Power imbalances are particularly associated with relationships between public authorities and citizens, and between employers and employees. However, it may be possible to rely on consent for narrow, low-risk processing activities in exceptional circumstances, provided you are able to clearly demonstrate that consent was freely given.
In these circumstances you must take extra steps to draft and present your consent request to make it explicit that the data subject is under no pressure to provide the consent and they will suffer no adverse consequences for failing to do so. Even if you do not intend to apply pressure or subject the data subject to detriment for failing to provide consent, it is important to consider free choice from the perspective of the data subject.
Step 3 – Recording and managing consent
3.1 Maintaining records – ensure that you maintain verifiable records of consent
Once you have obtained valid consent, you must properly record the details of the consent. Maintaining sufficient records of consent is essential to your accountability obligations and the requirement for demonstrable compliance. Records also feed into the ongoing maintenance requirements under steps 3.2 and 3.3. Include the following in your records:
- the identity of the data subject;
- the time of consent;
- the form of consent;
- what information was provided;
- if verbal consent was given, the relevant script; and
- details of any withdrawal or modification of consent.
It is important to strike a balance between recording sufficient information and not being over-inclusive and storing more personal data than is necessary. Maintain records only for as long as the consent-based processing continues, unless a legal obligation or other exception applies. Additionally, you may need to retain records of consent withdrawals for suppression list purposes (ie, to make sure that those who do not want their data to be used for direct marketing are not contacted in this manner).
3.2 Managing withdrawals – ensure that you provide an easy and accessible mechanism to withdraw consent and you promptly action withdrawal requests
Data subjects have the right to withdraw their consent at their own discretion and upon their own initiative at any point after providing it. Accordingly, you must provide a free, user-friendly and accessible mechanism to enable them to withdraw consent and you must action requests promptly. It must be as easy to withdraw consent as it was to provide it, using the same method by which the data subject provided it in the first place. Consider providing both anytime opt-out mechanisms (eg, a form on your website) and communication-based opt-out mechanisms (eg, an unsubscribe link in your emails).
The withdrawal of consent does not affect the lawfulness of the processing up to that point; however, all further processing based on the consent must cease. You are not permitted to switch to a different lawful basis at this point as this would invalidate the appropriateness and validity of consent in the first place. Continued processing solely for retention purposes may be permitted if you are relying on a separate lawful basis that has been communicated to the data subject.
3.3 Refreshing consent – refresh consent at appropriate intervals
Consent does not have a defined lifespan and the ongoing validity of consent will depend on the circumstances. When determining the ongoing validity of consent, you should consider the data subject’s expectations, the frequency of your contact and how disruptive additional consent requests may be. A lifespan of two years is generally recommended as a baseline; however, a shorter or longer period will be appropriate in some circumstances. Refreshing consent regularly can also help to establish trust.
3.4 Changes to processing – obtain new consent for any changes in the processing, even if a new purpose is compatible with the original purpose
If you intend to change how or why you process personal data in a way that exceeds the original scope of the consent, you must obtain new consent or rely on an alternative lawful basis for the new processing. This rule also applies if you intend to process the personal data for a new purpose, even if the new purpose is compatible with the original purpose.
Additional resources
Related Lexology Pro content
How-to guides:
- Understanding key data protection definitions
- How to comply with data processing principles under the GDPR
- How to ensure compliance with the GDPR
- How to establish a valid lawful basis for processing personal data under the GDPR
- How to transfer personal data lawfully outside the European Economic Area
- How to reduce the risk of a GDPR data breach
- How to deal with a GDPR data breach
- How to deal with a supervisory authority dawn raid
Checklists:
- GDPR compliance self-assessment audit
- Assessing whether an organisation is a controller or processor under the GDPR
- Lawful processing of personal data under the GDPR
- Processor due diligence (data protection and cybersecurity)
- Making an international transfer of personal data under the GDPR
- Data subject access rights under the GDPR
- What to include in your organisation’s privacy notice
- When and how to appoint a data protection officer
- Complying with cookie requirements under the ePrivacy Directive and the GDPR