'Consent' and the GDPR; can you collect and use an individual's data?

If you are in business and operate a website which interacts with registered users, or use client provided data in any way, you will no doubt be aware of the GDPR, the European Union’s ‘General Data Protection Regulation’ that will take effect within the EU (including in the UK) from 25th May 2018.  The GDPR seeks to improve the protection and privacy of an individual’s data within the EU and the export of personal data outside the EU, by placing control for how data is used into the hands of the relevant individual, through rules that require data controllers/collectors to only collect and use such data for clear and specified purposes which the individual has affirmatively consented to.

'Consent’ for use of data is at the heart of the GDPR and is the main area that is preoccupying those of our clients who use individuals' data to send newsletters, updates and other marketing/contact material to their clients, customers and registered website users.  The GDPR consent requirements are:

Consent from the individual is needed to provide and allow the use of his/her personal data (including to receive newsletters, mailshots, email updates etc) and must be a ‘freely given, specific, informed and an unambiguous indication of the individual’s wishes’.  

An individual providing consent should not be a precondition of signing up to a service (even a free online service) unless consent is necessary for that service.  If consent is given as a condition of using the site the risk is that the consent is likely not to be freely given, which conflicts with a core GDPR principle.

The consent must be given by some form of clear affirmative action – or in other words, a positive ‘opt-in’. Consent cannot be inferred from silence, pre-ticked boxes or inactivity.  The GDPR specifically bans pre-ticked opt-in boxes (that are currently common place on many website registration forms).  However, the GDPR Recitals clarify that clear consent could be given (so called ‘affirmative action’) by a user deliberately ticking a box online.

Consent has to be separate and specific for each data processing operation.  A general broad consent to unspecified processing operations will be invalid, as will a ‘catch all’ single consent to various processing operations.

Consent to use a person’s data must be separate from other website terms and conditions.

There should be a simple mechanisum for an individual to withdraw consent once it has been given, at any time, and users must be told that he/she can do this.

The scope of the GDPR is extremely wide as is impacts upon the use of an individual’s data in almost all areas.  Some of the established, routine, online practices that companies use to communicate with clients and contacts using personal data they have provided will become unlawful once the GDPR takes effect, so that any business which collects persona data, has a user database and/or uses such data to promote its services to individuals should check that the necessary consents are in place from May 2018.

If you would like to discuss the GDPR, please contact Andrew Iyer on: +44 207 1007714, or by email to: [email protected].

Back to News


Commercial Lawyers
Arbitration Specialists

Let us know if you think we can help... +44 (0)207 1773371