We have checked that consent is the most appropriate lawful basis for processing.
We have made the request for consent prominent and separate from our terms and conditions.
We ask people to positively opt in.
We don’t use pre-ticked boxes or any other type of default consent.
We use clear, plain language that is easy to understand.
We specify why we want the data and what we’re going to do with it.
We give separate distinct (‘granular’) options to consent separately to different purposes and types of processing.
We name our organisation and any third party controllers who will be relying on the consent.
We tell individuals they can withdraw their consent.
We ensure that individuals can refuse to consent without detriment.
We avoid making consent a precondition of a service.
If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.
