GDPR – Guidance on consumer consent

A few weeks ago the ICO was very clear about how it defined permissions around profiling, data matching and data appending at the Fundraising Compliance conference in Manchester. In short, it finds how these practices are typically used ‘unfair’ and therefore in contravention of the DPA. In a similar vein it has now published a guidance note on consumer consent in advance of GDPR and is asking for feedback from the direct marketing community.

Again the ICO has made its opinion very clear about what constitutes consent under GDPR’s Article 4(11), which states:

“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

The guidance paper lists the implications for consumer consent as follows:

Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.

Active opt-in: pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (eg a binary choice given equal prominence).

Granular: give granular options to consent separately to different types of processing wherever appropriate. This includes permission for profiling.

Named: name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR. This means that personal data can only be shared with explicitly named third parties.

Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.

Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.

No imbalance in the relationship: consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.

The ICO wishes feedback to be submitted by 31st March which can be done so via its website here: or interested parties can contact the DMA which is compiling a response from the direct marketing community after being ‘concerned’ by some of the stipulations. 

GDPR consent guidance | ICO

The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.