Under the UK GDPR, consent is one of the six lawful bases for processing personal data. It is not always required, but where an organisation relies on consent, it must be freely given, specific, informed, unambiguous, and easy to withdraw.
Under the UK GDPR, consent is a lawful basis that gives people genuine choice and control over how their personal data is used. Consent is not always required, but where an organisation relies on it, the standard is high: it must be freely given, specific, informed, unambiguous, and capable of being withdrawn easily.
Must be: freely given, specific, informed and unambiguous.
Must involve: clear affirmative action and genuine choice.
Must allow: easy withdrawal without unfair pressure or detriment.
Consent is most appropriate where the individual should have genuine control over whether the processing happens. It is not the default lawful basis for every use of personal data, and it should not be used where people have no real choice.
Consent works best where people can make a genuine decision without pressure, penalty, or losing access to something they reasonably need.
Consent should relate to a specific processing purpose. Broad or bundled consent requests are more likely to create compliance problems.
Consent should not be treated as a one-off tick box. Organisations need practical processes for recording, reviewing, and honouring withdrawals.
If consent is not the right basis, another route may be more suitable. See Lawful Basis Under UK GDPR and Legitimate Interests Under UK GDPR.
Valid consent is not just a sentence in a privacy notice. It needs to be a clear, active and informed indication that the person agrees to a specific use of their personal data.
People should have a real choice. Consent is unlikely to be valid if refusal causes unfair disadvantage or if there is a strong imbalance of power.
People should understand what they are agreeing to, who is using the data, what it will be used for, and how they can withdraw consent later.
Consent needs a clear affirmative action. Silence, inactivity, pre-ticked boxes, or vague acceptance are not enough.
Withdrawing consent should be as easy as giving it. Organisations should have a simple process and act on withdrawals promptly.
Consent can feel like the safest lawful basis because it sounds permission-based. In practice, weak consent can create more risk than choosing a more suitable lawful basis.
Consent may be appropriate where people can genuinely choose whether the processing happens, understand the choice clearly, and withdraw later without unfair consequences.
If the processing is needed for a contract, legal duty, public task, vital interests, or a balanced legitimate interest, consent may not be the most accurate basis.
For marketing, organisations often need to consider both UK GDPR and PECR. Consent may be required for some electronic marketing, cookies, or similar technologies even where a different lawful basis is used for related processing. See Direct Marketing and GDPR for the wider overlap.
Consent mistakes usually happen when organisations treat consent as a formality rather than a meaningful choice. The most common problems are weak wording, bundled requests, poor records, and difficult withdrawal processes.
Consent should not be hidden inside general terms, privacy wording, or a long form where the individual cannot make a clear separate choice.
If someone can give consent with one click but has to email, call, or search for instructions to withdraw it, the process is unlikely to be good enough.
Consent should be designed as an ongoing control mechanism, not a one-time legal shield. Organisations need clear wording, separate choices, reliable records, and simple withdrawal routes.
Consent is context-specific. The same design may be acceptable in one setting and unsuitable in another, depending on the level of choice, the clarity of the request, and the impact on the person.
Consent may be needed for certain email, SMS, or electronic marketing activity, particularly where PECR requires it.
Analytics, advertising, tracking, and similar non-essential cookies often require consent before they are set on a user’s device.
Explicit consent may be relevant for some special category data processing, but organisations should check whether it is genuinely appropriate.
Consent may be suitable where people choose whether to receive optional updates, newsletters, event invitations, or promotional communications.
If consent is invalid, the processing may lack a valid lawful basis. That can affect transparency, records, marketing compliance, cookie compliance, and the organisation’s ability to evidence accountability.
This article is based on ICO guidance on consent under the UK GDPR, together with the UK GDPR provisions that define consent, set the conditions for relying on it, and require clear information for individuals. It also connects to wider duties around lawful basis, transparency, accountability, and situations where consent interacts with PECR.
Use the glossary for key terms, or download the checklist if you want a practical starting point for reviewing lawful basis decisions, consent wording, consent records, withdrawal routes, and marketing or cookie compliance.