The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.
Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
Check your consent practices and your existing consents. Refresh your consents if they don’t meet the GDPR standard.
Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
Explicit consent requires a very clear and specific statement of consent.
Keep your consent requests separate from other terms and conditions.
Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
Be clear and concise.
Name any third-party controllers who will rely on the consent.
Make it easy for people to withdraw consent and tell them how.
Keep evidence of consent – who, when, how, and what you told people.
Keep consent under review, and refresh it if anything changes.
Avoid making consent to processing a precondition of a service.
Public authorities and employers will need to take extra care to show that consent is freely given, and should avoid over-reliance on consent.