GDPR series - #4 - Consent

In part 4 of 5, Ian Inman examines consent, a thorny issue in the General Data Protection Regulation (GDPR)

Published: 13th September 2017

Ian Inman recently joined Cox Automotive UK as Head of Privacy & Data Protection. In this series of blog posts he will give readers an overview of the General Data Protection Regulation (GDPR) and its implications.

The General Data Protection Regulation: Consent

Last week I looked at the principles of data processing and talked briefly about the conditions for processing. This week I discuss one of those conditions in particular: consent.

I want to start by saying this: You should not rely on consent as the basis for processing personal data unless there is no other condition for processing available to you. Sounds controversial, right? It flips the myth of always needing consent on its head, and yet even the ICO implies this in their draft consent guidance.

Of course there are exceptions to this, for example electronic marketing in many cases requires the consent of the individual. In those cases what I said above is still true, because effectively there is no other condition available to you as you must rely on consent.

Consent under the GDPR

Consent is defined under the GDPR as:

‘…any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’

The definition is fairly similar to the existing definition under the Data Protection Act, however article 7 then introduces more explicit conditions relating to consent. Specifically:

The characteristics of consent

The characteristics of consent are derived from the definition, and are:

Freely Given

This means that the individual must have a genuine choice and it requires consideration of the relationship between you and the individual. Consent cannot be freely given where there is a significant imbalance in that relationship, such that the individual has no option but to consent. It also means individuals should be able to refuse or withdraw consent without detriment.

Specific & Informed

These two characteristics are closely linked and are also tied to the general transparency requirements under principle 1. The GDPR says that for consent to be informed an individual must be aware as a minimum of the identity of the controller and the purposes for processing. It also requires granularity of consent for different purposes. This would cover, in a marketing context, granular consent  to the content of marketing, separate from granular consent to the methods of marketing communication (eg email, telephone).

If you are seeking to rely on consent you will need to bear these things in mind when drafting your privacy notices and determining how that information will be delivered in a way that complies with your obligations. Remember, transparency requires any information and communication about data processing (including your privacy notices and consent requests) to be easily accessible, easy to understand and to use clear and plain language.

Unambiguous indication (by way of a statement or affirmative action)

Consent requires the individual to make a choice by way of a clear affirmative action or statement. The GDPR gives several examples of what may constitute such an action. These include ticking a box, signing a consent form or choosing particular technical settings on a website.

More important is what the GDPR explicitly says is not valid consent: silence, pre-ticked boxes, or inactivity. Why is this important? Because it explicitly prohibits pre-ticked opt in boxes and other similar mechanisms.

This also includes unticked opt-out boxes, another point made in the draft ICO guidance. Not everyone agrees with this, but it is correct in my view because an unticked opt-out box is fundamentally no different to a pre-ticked opt-in box. It assumes the individual is consenting unless they do something to say they are not, and assumed consent has all manner of problems under the GDPR.

Summing up

For consent to be valid under the GDPR all the characteristics referred to above must be satisfied. If they are not then you do not have consent. The issue with both mechanisms described above (pre-ticked opt-in and un-ticked opt-out) is that the individual is not making a ‘clear affirmative action by which they signify consent to the processing of personal data.’ They are not doing anything to give consent in those circumstances. In fact, it is quite the opposite in that consent is assumed to be given unless the individual does something to say no.

Furthermore, in those circumstances how can it ever be unambiguous? You cannot know an individual has consented because they did not do something, you can only assume they have. Assumed consent is, by its very nature, ambiguous and so should not be relied upon.

That is all for now, though I would strongly advise you read the ICO draft consent guidance for more detail. Join me next time for my final blog of this series, when I will discuss the new rights for individuals under the GDPR.

Stay tuned for Ian's next post, or catch up on part 1part 2 and part 3 of this 5-part series.

Our Blog for the latest news, views and market intelligence.


Connected cars will be the more valuable asset in automotive by 2025.

Connected cars will be an essential asset - increasing levels of technology mean that they house more opportunities for data.

Read more
Data 8th March 2018

Cox Automotive run the 3rd in their series of free webinars offering practical advice on GDPR

Delivered by our Head of Privacy and Data Protection, Ian Inman, the 3rd in our series will cover Breach Notification.

Read more
News 1st March 2018

Cox Automotive are running a series of free webinars offering practical advice on GDPR

Watch the first in our series here, and sign up for the next focussing on consent.

Read more
News 15th February 2018

The future is closer than we think - the reality of autonomous cars

Gone are the days where watching self-driving cars in the movies was futuristic fantasy; these are now an imminent reality.

Read more
News 1st February 2018