In a seashell
Consent is a condition for the use of personal information under PIPA’s subsection 6(1)(a).
Organisations are obliged to provide clear, prominent, easily understandable, accessible mechanisms for an individual to give consent in relation to the use of their personal information.
Consent means offering individuals real choice and control. Consent should put individuals in charge, build trust and engagement, and enhance your reputation.
In order for an individual to knowingly consent, a very clear and specific statement of consent is needed.
Keep your consent requests separate from other terms and conditions.
Get separate consent for separate things. Vague or blanket consent is not enough.
Be clear and concise.
Name any overseas third party who will rely on the consent.
Make it easy for people to withdraw consent and tell them how.
Keep evidence of consent – who, when, how, and what you told people. Save old versions of privacy notices.
Keep consent under review, and refresh it if anything changes.
It is good practice to avoid making consent to processing a precondition of a service.
Public authorities and employers will need to take extra care to show that consent is freely given.
You should avoid over-reliance on consent.
Asking for consent: checklist
☐ We have made the request for consent prominent and separate from our terms and conditions.
☐ We use clear, plain language that is easy to understand.
☐ We specify why we want the information and what we’re going to do with it.
☐ We give separate, distinct options so that individuals can consent separately to different purposes and different types of use of their personal information.
☐ We name our organisation and any overseas third party who will be relying on the consent.
☐ We tell individuals they can withdraw their consent.
☐ We ensure that individuals can refuse to consent without detriment.
☐ We avoid making consent a precondition of a service.
☐ If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental/guardian-consent measures for younger children) in place.
Recording consent: checklist
☐ We keep a record of when and how we got consent from the individual.
☐ We keep a record of exactly what they were told at the time.
Managing consent: checklist
☐ We regularly review consents to check that the relationship, the use, and the purposes have not changed.
☐ We have processes in place to refresh consent at appropriate intervals, including any parental consents.
☐ We consider using privacy dashboards or other preference-management tools as a matter of good practice.
☐ We make it easy for individuals to withdraw their consent at any time and publicise how to do so.
☐ We act on withdrawals of consent as soon as we can.
☐ We don’t penalise individuals who wish to withdraw consent.
Why is consent important?
The standard for consent set by PIPA means that an organisation may use an individual’s personal information on the condition that it is used with the consent of the individual, where the organisation can reasonably demonstrate that the individual has knowingly consented.
Consent is only one condition of use that may be relied upon.
Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.
You must keep clear records to demonstrate consent.
Consent can be given and withdrawn freely.
You need to tell people about their right to withdraw consent, and offer them easy ways to withdraw consent at any time.
Public authorities, employers, and other organisations in a position of power may find it more difficult to show consent that is valid and freely given. For example, if an individual will suffer criminal penalties if they do not provide consent, it is not freely given. The organisation should rely on a different condition of use. See our Privacy in the Workplace Employer Guidance (forthcoming).
You need to review existing consents and your consent mechanisms to check they meet the standard set by PIPA. If they do, there is no need to obtain fresh consent.
Genuine consent should put individuals in control, build trust and engagement, and enhance your reputation.
Relying on inappropriate or invalid consent could destroy trust and harm your reputation – and may leave you open to legal action or enforcement.
What types of consent are there?
Consent may be explicit or implied.
Explicit, active, or “express” consent requires the individual to act in a way that specifically communicates consent. Some examples of explicit consent include requiring the individual to:
click or tick a checkbox on a web-based or data-entry form;
respond to an automatically generated email;
provide verbal authorisation.
Implied, or passive, consent does not require specific action – there is no checkbox to mark or paper to sign. Instead, there could be a sign at the entrance to a building stating that surveillance cameras are in use. Entering the premises implies the individual gives consent to be recorded.
Another example is a business that includes language in a privacy notice stating that it collects personal information as part of a specific service, process, or programme; for example: “By downloading this program, you consent to the collection of information about you and your activities for the purpose of X.”
For implied consent to be valid, the organisation must have notified the individual about the purposes, and the implication must be reasonable.
Implied consent cannot be relied upon for uses of sensitive personal information.
When is consent appropriate?
Consent is appropriate if and when you can offer people real choice and control over how you use their information and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal information without consent, asking for consent is misleading and inherently unfair.
If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis, or to meet the principle of fairness.
Public authorities, employers, and other organisations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given.
What is valid consent?
Consent must be freely given, which means giving people genuine ongoing choice and control over how you use their information.
Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise, easy to understand, and user-friendly.
Consent must specifically cover the organisation’s name, the purposes of the use of personal information and the types of processing activity.
Consent must be expressly confirmed in words rather than by any other positive action.
There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
How should we obtain, record, and manage consent?
Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include:
the name of your organisation;
the name of any overseas third party who will rely on the consent;
why you want the personal information;
what you will do with it; and
that individuals can withdraw consent at any time.
You must ask people to actively opt in.
Don’t use pre-ticked boxes, opt-out boxes or other default settings. Wherever possible, give separate options to consent to different purposes and different types of processing.
Keep records to evidence the following aspects of consent:
who consented;
when and how they consented; and
what they were told at the time.
Make it easy for people to withdraw consent at any time they choose. Consider using preference-management tools.
Keep consents under review and refresh them if anything changes. Build regular consent reviews into your business processes.
Maintain copies of older drafts or versions of privacy notices or consent forms.
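As an added illustration that is not part of this guidance, the following Python consent ledger encodes the record-keeping and validity checks described above: one record per purpose, the version of the notice shown (with every old version retained), the organisation and any overseas third party named in that notice, no pre-ticked defaults, no reliance on implied consent for sensitive personal information, and withdrawals acted on immediately. The field names and the set of sensitive categories are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sensitive categories for this example; PIPA's own list is not reproduced here.
SENSITIVE = {"health", "biometric", "criminal_record"}
@dataclass
class ConsentRecord:
    subject_id: str                 # who consented
    purpose: str                    # one record per purpose, so no blanket consent
    method: str                     # how: "checkbox", "email_reply", "verbal" or "implied"
    notice_version: str             # what they were told: key of the retained notice text
    organisation: str
    overseas_third_parties: tuple = ()
    data_category: str = "ordinary"
    preselected: bool = False       # True if the box was pre-ticked (not an active opt-in)
    obtained_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    withdrawn_at: "datetime | None" = None

def problems_with(rec: ConsentRecord, notices: dict) -> list:
    """Reasons the record cannot be relied on; an empty list means it can."""
    found = []
    if rec.preselected:
        found.append("pre-ticked default is not an active opt-in")
    if rec.method == "implied" and rec.data_category in SENSITIVE:
        found.append("implied consent cannot be relied on for sensitive personal information")
    notice = notices.get(rec.notice_version)
    if notice is None:
        return found + ["notice text shown at the time was not retained"]
    missing = [n for n in (rec.organisation, *rec.overseas_third_parties) if n not in notice]
    if missing:
        found.append("notice does not name: " + ", ".join(missing))
    if "withdraw" not in notice.lower():
        found.append("notice does not tell the individual they can withdraw")
    return found

class ConsentLedger:
    def __init__(self, notices: dict):   # notices: every version ever shown -> its full text
        self.notices, self.records = dict(notices), []
    def record(self, rec: ConsentRecord) -> list:
        found = problems_with(rec, self.notices)
        if not found:
            self.records.append(rec)
        return found
    def _active(self, sid: str, purpose: str) -> list:
        return [r for r in self.records if (r.subject_id, r.purpose) == (sid, purpose) and not r.withdrawn_at]
    def withdraw(self, sid: str, purpose: str) -> None:
        for r in self._active(sid, purpose):   # acted on at once; the original record is kept as evidence
            r.withdrawn_at = datetime.now(timezone.utc)
    def can_use(self, sid: str, purpose: str) -> bool:
        return bool(self._active(sid, purpose))
```

A record that fails any check is reported rather than stored, so the ledger only ever contains consents the organisation can demonstrate.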