If you're collecting personal information from customers, employees, followers, or event attendees, you've probably seen the word "consent" pop up a lot.
And it's easy to assume that a privacy consent form is the "safe option" for everything.
But under UK GDPR (and the Data Protection Act 2018), consent is just one possible lawful basis for processing personal data - and it's not always the best one. In fact, using consent in the wrong way can create extra risk, because it gives people a stronger right to withdraw (and you'll need to respect that withdrawal).
So when do you actually need a privacy consent form, and when are you better off relying on another lawful basis (like contract or legitimate interests)? Let's break it down in plain English.
A privacy consent form is a document (or digital statement) where someone clearly agrees to you collecting, using, and sometimes sharing their personal information for specific purposes.
In data protection terms, you're trying to meet the UK GDPR standard of consent being:
- Freely given (no pressure, no unfair consequences for saying no)
- Specific (separate purposes should be clear and separated)
- Informed (they understand who you are, what you'll do, and why)
- Unambiguous (a clear opt-in - not silence or pre-ticked boxes)
- Easy to withdraw (and you actually honour withdrawals)
A good consent form also helps you prove consent later if there's a complaint, a dispute, or an ICO query.
These get mixed up all the time:
- A privacy consent form is where the person actively agrees to certain uses of their data.
- A Privacy Policy explains how your business handles personal data overall (what you collect, why, who you share it with, how long you keep it, and the person's rights).
In practice, many businesses use both: your Privacy Policy provides the detail, and your consent form captures the opt-in for particular activities (like marketing, testimonials, or sensitive data).
For example, you might link to your Privacy Policy within your consent form so people can easily access the full information.
When Do You Actually Need One?
You don't need a consent form every time you collect personal data. Often, the right lawful basis is contract (to deliver what the customer asked for), legal obligation (to comply with a law), or legitimate interests (where your business need is balanced against the person's privacy rights).
That said, there are some common situations where a privacy consent form is either required or strongly recommended.
1) When You're Sending Direct Marketing (Especially By Email/SMS)
If you're marketing to individuals by email or text, you'll usually need consent under the Privacy and Electronic Communications Regulations (PECR) unless the "soft opt-in" applies (which has its own conditions).
Typical examples include:
- newsletter sign-ups
- SMS promos and discount codes
- automated marketing emails
- retargeting where consent is required (for example, certain cookie/advertising setups)
Tip: If you're collecting marketing consent, keep it separate from other consents (don't bundle it into one "agree to everything" checkbox).
2) When You're Collecting "Special Category" Data
Special category data includes information about someone's:
- health
- religion
- racial or ethnic origin
- biometric data (in some cases)
- sexual orientation
- political opinions
- trade union membership
Processing special category data needs extra care. Consent isn't the only route, but for many small businesses (especially wellness, coaching, communities, and events) explicit consent is often the most practical option.
For instance, if you run events and collect accessibility or medical details, a participant consent form can be a sensible part of your sign-up process (alongside clear privacy information).
3) When You Use Photos Or Videos Of People For Marketing
This is a big one for modern businesses.
If you're filming at an event, taking photos in your studio, capturing UGC-style content for social media, or posting customer testimonials with images, it's smart to get written consent - particularly if:
- people are clearly identifiable
- the footage is used for marketing (not just internal records)
- children appear in the content
- the content might be sensitive (for example, health-related services)
Depending on the scenario, a dedicated photo/video consent form may be the cleanest way to document permission and clarify how you'll use the content.
If your content features an individual in a more "modelled" or promotional way (for example, a campaign shoot), you may also need a model release form so you have clear rights to use the person's image for commercial purposes.
4) When You're Recording Calls Or Meetings (And It's Not Obvious)
Recording conversations can raise both privacy and trust issues. Even if recording is lawful in some contexts, you still need to think about transparency and data protection obligations.
Common examples include:
- recording sales calls "for training and quality"
- recording Zoom consultations
- recording internal meetings where participants don't expect it
In many cases, a consent form isn't strictly required if you can rely on another lawful basis - but you should be very careful about how you communicate it and what you do with the recording. This is especially important if recordings are used beyond what someone would reasonably expect.
It's worth reading up on recording conversations so you can align your process with both privacy rules and practical best practice.
5) When There's A Power Imbalance (Be Careful)
Sometimes consent looks convenient, but it's actually risky.
In relationships where the other person may feel they can't say no (like employer/employee, teacher/student, landlord/tenant), consent may not be considered "freely given".
So if you're an employer, for example, you generally shouldn't rely on "consent" as your lawful basis for core HR data processing. You may be better placed relying on contract, legal obligation, or legitimate interests (depending on what you're doing), and using clear policies plus privacy notices.
A privacy consent form should be easy to read, specific, and built around real decisions the person is making - not just a big block of legal text.
As a starting point, it should usually include:
- Who you are (your business name and contact details)
- What you're collecting (types of personal data)
- Why you're collecting it (clear purposes)
- How you'll use it (for example, marketing, admin, service delivery)
- Who you'll share it with (like platforms, processors, partners - where relevant)
- How long you'll keep it (or the criteria you use to decide)
- The right to withdraw consent and how to do it
- A link to your Privacy Policy for fuller details
- A clear opt-in mechanism (signature, tick box, or similar)
Make Consent Granular (Not "All Or Nothing")
If you need consent for multiple things, separate them.
For example, instead of one checkbox that says:
"I consent to the use of my personal data for any purpose."
Use separate options such as:
- I agree to receive marketing emails.
- I agree to my testimonial being published on your website.
- I agree to photos/videos being used on social media.
This reduces complaints and makes your consent more defensible.
Be Honest About Consequences
Consent must be freely given - but you can still explain what happens if someone doesn't consent.
For example:
- If someone doesn't consent to marketing, they can still buy your product.
- If someone doesn't consent to being filmed, you'll seat them outside the filming area (where practical).
- If someone doesn't consent to providing health details, you may not be able to tailor the service safely (depending on your business).
The key is making sure you're not "penalising" people unfairly for refusing consent.
How Do You Get Consent The Right Way (And Prove It)?
Even a beautifully drafted consent form won't help if you collect consent in a messy way.
In 2026, good consent management is about two things:
- genuine transparency, so people understand what they're agreeing to
- good record-keeping, so you can demonstrate compliance later
Best Practice Ways To Collect Consent
- Signed forms (paper or e-sign)
- Online checkboxes that are unticked by default
- Double opt-in for email marketing (often a smart move)
- Layered notices (short summary + link to more detail)
What Records Should You Keep?
If someone later says "I never consented", you'll want to be able to show:
- when and how they consented
- what they were told at the time (the wording/version of the form)
- what options they selected
- when they withdrew consent (if they did)
This also ties into broader GDPR housekeeping, including knowing data retention periods for different types of records, and what you can do when someone asks you to delete data.
What If Someone Withdraws Consent?
If you're relying on consent as your lawful basis, withdrawal matters.
When someone withdraws, you should:
- stop the processing that relied on consent (for example, stop marketing them)
- document the withdrawal and your actions
- assess whether you can keep any information under a different lawful basis (for example, invoice records you must keep for tax)
This is where it helps to understand the rules around data deletion, because "withdrawal of consent" and "right to erasure" are related but not identical (and the practical outcome depends on your situation).
What Other Documents Do You Need Alongside Consent?
A privacy consent form is rarely a standalone solution. Most businesses need a small set of privacy documents and processes that work together.
Here are the most common ones to consider.
A Privacy Policy (Almost Always)
If you collect personal data, you generally need to tell people what you do with it in a clear, accessible way. That's where your Privacy Policy comes in.
Even if you do collect consent, you still need transparency. In other words: consent doesn't replace a privacy policy - it usually sits alongside it.
If your website uses cookies (especially analytics or advertising cookies), you may need a cookie banner/consent tool and a cookie policy.
This is one of those areas where getting the implementation right matters, because it's not just what you say - it's what the site actually does.
Photo/Video Permissions That Match The Real World
If your business uses images and footage, you'll want to use the right document for the situation.
- For events, community content, and general filming: a photo/video consent form is often appropriate.
- For brand shoots and promotional images featuring a person in a more "model" capacity: a model release form is often the better fit.
This helps avoid awkward disputes later, like a person asking you to pull a campaign image after you've spent money promoting it.
Internal Processes (So Your Team Doesn't Accidentally Break Your Rules)
It's very common for privacy issues to happen through simple day-to-day mistakes, like:
- a staff member exporting a customer list and using it for an unrelated promo
- someone posting a client photo without checking consent
- a team member recording a call "just in case"
It can feel like overkill when you're small, but a basic process (and training) can save you a lot of stress later.
Contracts With Suppliers Who Process Personal Data
If you use platforms that handle personal data on your behalf (email marketing tools, CRMs, booking systems), you may need appropriate GDPR terms in place - often in the form of a data processing agreement.
This is separate to consent. Even if you have consent, you still need compliant supplier arrangements.
Key Takeaways
- A privacy consent form is useful when you genuinely need consent as your lawful basis - but consent isn't always the best (or safest) option under UK GDPR.
- You'll often need consent for direct marketing (especially email/SMS), and you may need explicit consent for certain special category data scenarios.
- If you're using photos or videos of identifiable people for marketing, getting written permission (and using the right form) can prevent disputes later.
- Valid consent must be freely given, specific, informed, unambiguous, and easy to withdraw - and you should keep records to prove it.
- A consent form usually works best alongside other privacy essentials like a Privacy Policy, retention practices, and sensible internal processes.
- Using generic templates can backfire - privacy wording should match what your business actually does, and be tailored to your risk areas.
If you'd like help putting the right privacy consent form (and supporting privacy documents) in place for your business, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.