UK ICO draft guidelines on GDPR consent

At the beginning of March, the UK Information Commissioner’s Office (ICO) released the first of its topic-specific guidance documents on the General Data Protection Regulation (GDPR). The first such guidance document covers consent.

The guidance is currently published in draft form, with the ICO looking to gain feedback from public consultation until 31 March.

Consent and opt-in mechanisms
The GDPR’s consent requirements give individuals “genuine choice and ongoing control” over how organisations use their personal data, the ICO says. This means explicit consent, which requires clear affirmative action – i.e. a deliberate action to opt in, even if this is not necessarily expressed as an opt-in box. The ICO lists other examples of opt-in mechanisms, including:

  • Signing a consent statement on a paper form
  • Clicking an opt-in button or link online
  • Selecting from equally prominent yes/no options
  • Choosing technical settings or preference dashboard settings
  • Responding to an email requesting consent
  • Answering yes to a clear oral consent request
  • Volunteering optional information for a specific purpose (such as optional fields in a form)
  • Dropping a business card into a box

This list is not exhaustive, but the point is that whatever method is used must constitute an “unambiguous indication by clear affirmative action”. Pre-ticked boxes are invalid, as is the reliance on silence, inactivity, default settings, taking advantage of inattention or inertia, or default bias in any other way.

Other lawful grounds for processing data
The ICO acknowledges that there are times when seeking consent is either not appropriate or unreasonably difficult. Getting consent is not always necessary, and it should only be sought when no other lawful basis applies. There are five such lawful grounds, which the ICO outlines:

  • A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employee contract.
  • Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement under law.
  • Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s), for example in a medical emergency.
  • A public task: for example, to complete official functions or tasks in the public interest (this will typically cover public authorities, such as government departments, schools and other educational institutions, hospitals, and the police).
  • Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by harm to the individual’s rights and interests.

The ICO urges organisations to remember that even if they are not asking for consent, they will still need to provide clear and comprehensive information about how the personal data is used.


Our GDPR Foundation and Practitioner training courses offer a structured learning path to equip data protection and information security professionals, as well as individuals who lack data protection expertise and experience, with the specialist knowledge and skills needed to deliver GDPR compliance, fulfil the role of data protection officer, and achieve a qualification in data protection.