Consent – what it means and who can give it

Explicit consent is key to managing data under GDPR and there is a flurry of activity underway at present with organisations looking to build on and validate the consents they believe are already in place. There’s a really wide range of approaches in play with some great examples such as the video produced by Easyjet.

A bit of humour and engagement of the individual like this will be a huge factor in the success of the exercises especially as individuals are bombarded with requests from all the organisations they deal with. You are likely to get a much better response rate if you can target towards things the customer wants and needs and through communications they are using/ expecting rather than specific permission communications. Build it into conversations and exchanges and make sure you have sensible benefit propositions for the things you want to agree.

Consent must be:

Actively given. Through clear affirmative action: A positive opt-in not a failure to opt out, silence, pre-ticked boxes or inactivity.

Separate from other terms and conditions so that it is understood to be different from the rest of the transaction or interaction

Simple to withdraw the principle being that it must be just as easy to withdraw consent as to grant it.

For specific purposes. The data collected and how it will be processed must be explained in clear and simple terms.

Channel specific: Ideally consent should be given for each communication channel to allow the individual to exercise choice and flexibility.

In addition, organisations need to be able to evidence how the consent was given and preferably what channels are agreed. Few consent capture processes before now have provided this level of detail.

Whilst it may be necessary to request renewed permissions from your customer base don’t make the mistake of misusing the data you already have. There have been a couple of high profile mistakes by companies approaching those who have already opted out in order to renew permissions. The mere approach has been seen to be a marketing function and the companies involved have been fined for the misuse.

Consent for children – proposed to be those under the age of 13 in the UK - is another key point. You’ll need checks on the age of the customer to achieve consent - and special processes to ensure that you really get the consent of the parent or guardian. You’ll need to think also about what happens when that person passes the age of 13.


The levels of consent required under GDPR will be especially challenging in the areas of Big Data where you may have no current view on what purpose the data will be put to in future.

© Cantata Limited. All rights reserved.