Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
“Consent under GDPR” gets talked about a lot - but what does it actually mean for your day‑to‑day business activities?
Whether you run an online shop, a service business or a growing SaaS, you’ll likely handle personal data. In many situations, GDPR consent must be given before you can lawfully process certain data (think: marketing emails, non‑essential cookies or special category data). Getting this wrong can lead to complaints, regulator attention, and unnecessary reputational damage.
Don’t stress - with a clear plan and the right documents, you can build compliant, user‑friendly consent flows and get on with growing your business. This guide breaks down when you should rely on consent, what “valid consent” looks like under UK GDPR, and how to implement it in practice.
What Does It Mean That GDPR Consent Must Be Given?
Under the UK GDPR and the Data Protection Act 2018, consent is one of several lawful bases you can rely on to process personal data. If you choose consent, it must meet a high bar - it has to be:
- Freely given - there’s genuine choice and no pressure or detriment for saying no.
- Specific and granular - separate opt‑ins for different purposes (e.g. newsletters vs. partner promotions).
- Informed - people are told what you’ll do with their data, who you’ll share it with, and how to withdraw consent.
- Unambiguous - a clear affirmative action, like ticking an unchecked box or clicking “Accept”.
- Documented - you keep records of who consented, when, how, and what they were told at the time.
Pre‑ticked boxes, silence or inactivity aren’t valid. Bundling consent into your general terms or making it a condition of a service that doesn’t strictly require it will also fall short.
Consent isn’t always the best or only option. The UK GDPR allows other lawful bases, like “contract” (you need the data to deliver a service), “legal obligation” (you’re legally required to process), “legitimate interests” (after a balancing test), and others. If consent is hard to get right - or not truly optional for the person - another lawful basis may be more appropriate.
When Should Your Business Rely On Consent?
You won’t always need consent, but there are common scenarios where it’s the safest or legally required route:
- Direct marketing by email or SMS (B2C): In the UK, the Privacy and Electronic Communications Regulations (PECR) usually require prior consent for unsolicited electronic marketing to individuals, unless you can use the limited “soft opt‑in” for existing customers.
- Non‑essential cookies and similar technologies: Analytics, advertising and personalisation cookies generally require prior consent before they are set on a user’s device.
- Special category data: If you’re processing data about health, biometrics, or other sensitive categories, explicit consent is one possible condition (though other conditions may apply depending on context).
- Location tracking and profiling: If processing is not strictly necessary for your service, consent is often expected, especially for advertising and analytics.
- Sharing data with third parties for their own marketing: You’ll typically need specific, separate consent for this.
When might you avoid consent?
- If the processing is genuinely necessary to perform a contract (e.g. taking an address to deliver an order), “contract” can be a better fit.
- If you have a clear business need and minimal privacy impact, “legitimate interests” may work - but you’ll need to carry out and document a balancing test.
- For employee data, consent is usually inappropriate due to the imbalance of power; rely instead on contract, legal obligation, or legitimate interests where applicable.
The key is to choose the lawful basis that best reflects reality. Don’t force consent where the person doesn’t have a genuine choice - it will be invalid and create risk.
How To Get Valid Consent (And Keep Proof)
Your consent request should be easy to understand, easy to refuse, and easy to withdraw. Here’s how to implement it well.
1) Make It Crystal Clear
Explain what data you’ll collect, why, and for how long - ideally right next to the checkbox or button. Link to your Privacy Policy for more detail, but ensure the immediate consent wording stands on its own. Your Privacy Policy should be up to date, easy to find, and consistent with what your consent language says.
2) Use Granular, Opt‑In Choices
Offer separate opt‑ins for different activities. For example:
- “Email newsletters and product updates” - tick box
- “SMS offers” - tick box
- “Partner promotions” - tick box
Boxes should be unchecked by default. Avoid “all‑or‑nothing” bundles - that’s not freely given consent.
3) Don’t Make Consent A Condition
If the processing you’re asking consent for isn’t strictly necessary to provide your service, don’t lock access behind it. For example, you can’t require “accept marketing emails” as a condition to complete a purchase.
4) Make Withdrawal As Easy As Giving
People must be able to withdraw consent at any time, without penalty. Include clear instructions and easy routes (e.g. “unsubscribe” links, in‑app privacy settings, or email instructions), and action withdrawals promptly in your systems.
5) Record It Properly
Keep an audit trail showing:
- Who gave consent (identity or pseudonymous identifier)
- When and how they consented (e.g., signup form, cookie banner)
- What they were told (copy or version of the wording presented)
- What they consented to (which boxes were ticked; consent categories)
Your records should also capture if/when consent was withdrawn and when you stopped the relevant processing.
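The audit trail described above, as an added example (not code from the original article or from Sprintlaw): an append-only consent log that records who consented, when, through which channel, the exact wording version they were shown and which purpose they ticked, plus withdrawals, and that can answer the question a regulator or complainant will ask, “did you hold valid consent for this purpose at that time?”. The function names, the wording library and the sample events are assumptions constructed for this illustration.

```javascript
// Added example, not from the original article. Names, wording versions and
// sample data are assumptions for illustration only.

// Approved wording library keyed by version, so every record can cite exactly
// what the person saw. Published versions are never edited, only superseded.
const WORDING = Object.freeze({
  "newsletter@v2": "Email me newsletters and product updates. Unsubscribe any time.",
  "sms@v1": "Send me SMS offers. Reply STOP to opt out.",
});

// Append-only log: one event per grant or withdrawal, per purpose.
function createLog() {
  return [];
}

function recordConsent(log, { subjectId, purpose, channel, wordingVersion, at }) {
  if (!(wordingVersion in WORDING)) {
    throw new Error(`unknown wording version ${wordingVersion}`);
  }
  log.push({
    type: "granted",
    subjectId,                         // identity or pseudonymous identifier
    purpose,                           // e.g. "newsletter", "sms"
    channel,                           // e.g. "signup-form", "cookie-banner"
    wordingVersion,
    wording: WORDING[wordingVersion],  // snapshot of what was presented
    at: new Date(at).toISOString(),
  });
}

function recordWithdrawal(log, { subjectId, purpose, channel, at }) {
  log.push({
    type: "withdrawn",
    subjectId,
    purpose,
    channel,                           // e.g. "unsubscribe-link", "support-email"
    at: new Date(at).toISOString(),
  });
}

// The latest event for (subject, purpose) on or before time `at` decides.
// Returns the granting event (so the wording can be produced as proof), or
// null when there is no record or the last event was a withdrawal.
function hadConsentAt(log, subjectId, purpose, at) {
  const t = new Date(at).getTime();
  const events = log
    .filter(e => e.subjectId === subjectId && e.purpose === purpose
      && new Date(e.at).getTime() <= t)
    .sort((a, b) => new Date(a.at).getTime() - new Date(b.at).getTime());
  if (events.length === 0) return null;
  const last = events[events.length - 1];
  return last.type === "granted" ? last : null;
}

// Constructed sample history: a signup consent later withdrawn via unsubscribe.
function sampleLog() {
  const log = createLog();
  recordConsent(log, { subjectId: "user-42", purpose: "newsletter",
    channel: "signup-form", wordingVersion: "newsletter@v2",
    at: "2024-03-01T10:00:00Z" });
  recordWithdrawal(log, { subjectId: "user-42", purpose: "newsletter",
    channel: "unsubscribe-link", at: "2024-06-01T10:00:00Z" });
  return log;
}

// Stand-alone demo: consent held in April, gone by July.
const demoLog = sampleLog();
console.log(hadConsentAt(demoLog, "user-42", "newsletter", "2024-04-01T00:00:00Z") !== null);
console.log(hadConsentAt(demoLog, "user-42", "newsletter", "2024-07-01T00:00:00Z") !== null);
```

Storing the wording snapshot alongside the version means a later edit to the live form cannot change what the record says the person was told, and checking the latest event before a given time is what lets the same log prove both the grant and that processing stopped after withdrawal.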
6) Review And Refresh
Consent can degrade over time, especially where your practices change or where a person has been inactive. Build a process to refresh consent periodically or when you expand the scope. If you change purposes, you’ll need to obtain fresh consent.
Marketing, Cookies And Consent Under PECR
In the UK, PECR sits alongside UK GDPR and sets special rules for electronic marketing and cookies. This is where many small businesses trip up.
Email And SMS Marketing
As a rule, you need prior consent for unsolicited marketing to individuals by email or SMS. PECR does allow the “soft opt‑in” for your own similar products or services if all of the following are true:
- You obtained the person’s contact details during a previous sale (or sale negotiations).
- You are marketing your own similar products/services.
- You gave them a clear chance to opt out at the time of data collection and in every subsequent message.
Make sure your marketing flows reflect this clearly. If you plan to rely on soft opt‑in, double‑check that your signup journey and message templates include a prominent opt‑out. For help designing compliant campaigns, it’s worth reading about the soft opt‑in in detail.
Cookie Consent
Non‑essential cookies (analytics, advertising, social media) require prior consent. Practically, this means:
- Show a clear, user‑friendly banner on first visit.
- Block non‑essential cookies by default until the person clicks “Accept”.
- Offer equivalent “Reject” and “Manage settings” options without making “Reject” harder to find or use.
- Maintain logs of consent choices and respect them on subsequent visits.
Pair your banner with a transparent Cookie Policy that lists the cookies you use, their purposes, and durations. If you’re updating your design, a practical guide to compliant cookie banners, including why a “Reject All” button matters, is a good starting point.
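The four banner requirements listed above (and the same control in Step 4 of the consent flow later in this guide), as an added example that is not code from the original article or from any consent management product: DOM-free decision logic for a cookie banner that keeps every non-essential script blocked until a choice is stored, gives Accept and Reject the same one-click path, respects the stored choice on later visits, and treats a choice made under an older Cookie Policy version as stale so the banner is shown again. The function names, the policy version number and the sample tag list are assumptions constructed for this illustration; wiring the result into actual `<script>` insertion is left to the page.

```javascript
// Added example, not from the original article. Names, version numbers and
// the sample script list are assumptions for illustration only.

const COOKIE_POLICY_VERSION = 3;  // bump whenever cookie purposes or wording change
const CATEGORIES = ["analytics", "advertising", "social"];  // non-essential groups

// Parse the value kept in a first-party cookie or localStorage.
// Returns null when no valid, current choice exists, i.e. "ask again".
function parseStoredChoice(raw) {
  if (!raw) return null;
  let parsed;
  try { parsed = JSON.parse(raw); } catch (e) { return null; }
  // A decision taken under a previous policy version no longer covers the
  // current purposes, so it is treated as no decision at all.
  if (parsed.policyVersion !== COOKIE_POLICY_VERSION) return null;
  if (!parsed.choices || typeof parsed.choices !== "object") return null;
  return parsed;
}

// Build a choice record. Only known categories are kept, and anything the
// user did not affirmatively tick is recorded as false (no default opt-in).
function makeChoice(choices, now = new Date()) {
  const normalised = {};
  for (const c of CATEGORIES) normalised[c] = choices[c] === true;
  return { policyVersion: COOKIE_POLICY_VERSION, choices: normalised, at: now.toISOString() };
}

// Accept and Reject are symmetric single actions; "Manage settings" feeds
// a partial object into makeChoice instead.
const acceptAll = now => makeChoice(Object.fromEntries(CATEGORIES.map(c => [c, true])), now);
const rejectAll = now => makeChoice({}, now);

// Decide which tagged scripts may load on this page view. Essential scripts
// always load; a non-essential script loads only if its category was ticked.
function scriptsToLoad(scripts, storedChoice) {
  return scripts.filter(s => {
    if (s.category === "essential") return true;
    if (!storedChoice) return false;  // no decision yet: blocked by default
    return storedChoice.choices[s.category] === true;
  });
}

// Constructed sample tag list for the demo (hostnames are placeholders).
const SAMPLE_SCRIPTS = [
  { src: "/js/app.js", category: "essential" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
];

// Stand-alone demo: first visit loads only the essential script; after a
// partial choice the analytics tag is added and advertising stays blocked.
console.log(scriptsToLoad(SAMPLE_SCRIPTS, null).map(s => s.src));
const stored = JSON.stringify(makeChoice({ analytics: true }));
console.log(scriptsToLoad(SAMPLE_SCRIPTS, parseStoredChoice(stored)).map(s => s.src));
```

The important design choice is that the absence of a record, a malformed record and a record from an old policy version all collapse to the same answer (block everything non-essential and re-ask), so a script never loads because of a parsing accident or because the user agreed to a different set of purposes last year.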
Marketing Calls And Recordings
If your marketing includes phone calls or call recording, ensure you have a lawful basis and proper notice. If you plan to record calls for quality or training, tell people upfront and consider your data minimisation and retention policies. This overview of GDPR and business calls covers the key points.
Handling Special Scenarios: Employees, Children And International
Not all consent scenarios are equal. These contexts need extra care.
Employees And Job Candidates
In employment settings, consent is rarely valid due to the inherent power imbalance. Don’t rely on consent for standard HR processing. Use other lawful bases such as “contract”, “legal obligation” (e.g. payroll, tax) or “legitimate interests” (e.g. device security). Where special category data is involved, make sure another condition applies (e.g. employment law obligations) or take advice before proceeding.
Children’s Data
For online services directed at children, the UK age of consent for information society services is 13. Below 13, you’ll need parental responsibility holders to consent. Your interfaces should be age‑appropriate, with clear language and robust age‑verification as needed.
International Tools And Cloud Services
If your business uses popular tools (cloud storage, collaboration platforms, AI productivity tools), map your data flows, check where data is stored, and understand each provider’s role (processor vs controller). Put a proper Data Processing Agreement in place with processors, and ensure transfer safeguards exist if data leaves the UK. If you share personal data with third‑party controllers, consider a Data Sharing Agreement to clarify responsibilities.
Practical Documents And Processes To Put In Place
Strong paperwork and clear processes make it much easier to run consent‑based operations confidently.
Essential Policies And Notices
- Privacy Policy: State your lawful bases, purposes, and rights in plain English. Keep it consistent with any consent language people see in forms or pop‑ups. Link it prominently during signup and in emails. Consider a professionally drafted Privacy Policy to keep things watertight.
- Cookie Policy: List each cookie, purpose, and duration, and explain how choices can be changed later. Pair it with a compliant banner and preference centre that reflect your Cookie Policy.
- Consent Language Library: Maintain approved, plain‑English wording for each consent scenario (newsletter, SMS, partner promotions, cookies, in‑app analytics) so your team stays consistent.
Controller–Processor Contracts
Whenever a supplier processes personal data on your behalf (email platform, CRM, analytics, contact centre), you must have the right contractual terms. A robust Data Processing Agreement sets clear instructions, security standards and sub‑processor controls. Where you share data with other controllers for their own purposes, a Data Sharing Agreement helps clarify roles and accountability.
Cookie Banner And Preference Centre
Choose a Consent Management Platform (CMP) that can block non‑essential scripts prior to consent, log consent events, and allow users to revisit their choices easily. Make sure your banner design offers genuine choice and is consistent with PECR.
Operational Playbooks
- Consent Capture And Audit: Define where and how consent is captured, how long you retain logs, and who reviews wording before changes go live.
- Withdrawal Handling: Standard operating procedures for unsubscribes, cookie preference changes and deletion requests.
- Data Subject Rights: Be ready to handle access, deletion and other requests. Map owners and timelines and train staff. It helps to understand DSAR deadlines so you don’t miss statutory timeframes.
Governance And Training
Nominate a privacy lead, define escalation paths for tricky consent scenarios, and run periodic training so marketing, product and customer support teams handle consent consistently. Keep a change log for consent wording, cookie configurations and campaign templates.
Common Mistakes To Avoid
These pitfalls are easy to make - and just as easy to fix once you know them.
- Hiding The Ball: Consent notices that are vague, legalistic or buried in small print aren’t “informed”. Use clear, direct language and put the key facts front and centre.
- Pre‑Ticked Boxes: They don’t count. Always require an active opt‑in.
- Making “Reject” Harder: Cookie banners that dark‑pattern users into “Accept” (faded “reject”, multiple extra clicks) won’t fly with regulators.
- Bundling Purposes: One blanket consent for multiple different uses isn’t granular. Split them out.
- No Withdrawal Route: If people can’t easily change their mind, your consent is unlikely to be valid.
- No Records: If you can’t prove who consented, to what, and when, you can’t rely on consent when challenged.
- Relying On Consent In Employment: It’s rarely valid due to imbalance. Choose another lawful basis.
Step‑By‑Step: Building A Compliant Consent Flow
Step 1: Map Your Data And Purposes
List what data you collect, where from, where it goes, and why you use it. Identify which purposes truly require consent (marketing, non‑essential cookies, partner promotions, sensitive data, location tracking).
Step 2: Pick The Right Lawful Basis
For each purpose, choose the most appropriate lawful basis and document why. Don’t default to consent if users don’t have a real choice.
Step 3: Draft Clear Wording
Create simple, purpose‑specific consent language. Align it with your Privacy Policy, cookie disclosures, and internal records.
Step 4: Implement UX And Tech Controls
Configure your cookie banner to block scripts until consent, add unticked checkboxes for marketing opt‑ins, and build an easy “unsubscribe/manage preferences” route. Ensure your systems update preferences in real time.
Step 5: Build Proof And Governance
Set up logging for consent events, withdrawal tracking, and periodic reviews. Put in place a Data Processing Agreement with relevant suppliers who handle consent records or marketing data.
Step 6: Train Your Team
Marketing, product and support teams should know when consent is required, how to spot invalid patterns, and how to handle withdrawals or complaints promptly.
Do I Need Legal Documents Or Professional Help?
Most small businesses benefit from a short privacy “toolkit” so everything is consistent and defensible. This typically includes:
- A tailored Privacy Policy and website notices that match your actual practices.
- A Cookie Policy and compliant banner configuration.
- A Data Processing Agreement for each processor handling personal data on your behalf.
- Where relevant, a Data Sharing Agreement for controller‑to‑controller sharing (e.g. with partners).
- Internal guidance on consent wording, preference management and DSAR handling, with clear timelines aligned to DSAR deadlines.
If you’re short on time, a bundled approach like a GDPR Package can be a quick way to get the essentials in place with expert support, so you’re protected from day one.
Frequently Asked Questions About Consent Under GDPR
Can I Use Legitimate Interests Instead Of Consent For Analytics?
For cookies and similar technologies, PECR generally requires consent unless the cookie is strictly necessary for the service requested by the user. Pure analytics cookies are usually non‑essential, so consent is the safer route. Server‑side, aggregated analytics without cookies may fall outside PECR, but assess your implementation carefully.
Do I Need Consent For B2B Marketing?
PECR still applies to email addresses that identify a person (e.g. firstname.lastname@company.com). Some B2B outreach can rely on “legitimate interests” where it is truly targeted and respectful, but unsolicited electronic marketing generally still requires consent unless soft opt‑in applies. Always include an easy opt‑out.
How Long Does Consent Last?
There’s no fixed expiry, but consent becomes stale if people are inactive for long periods or if your purposes change. Review and refresh consent periodically, and obtain fresh consent when you introduce new uses.
What About “Cookie Walls”?
Making access conditional on accepting non‑essential cookies usually undermines “freely given” consent. Where you offer a genuine equivalent without tracking (or provide an alternative), the analysis may differ - take advice before implementing paywalls or cookie walls.
Key Takeaways
- When you choose consent as your lawful basis, it must be freely given, specific, informed and unambiguous - no pre‑ticked boxes or bundled opt‑ins.
- Use consent for electronic marketing to individuals (unless a narrow soft opt‑in applies), non‑essential cookies, certain profiling, and some special category data uses.
- Build user‑friendly consent flows: clear wording at the point of choice, granular options, easy withdrawal routes, and robust logs proving who consented to what and when.
- PECR governs email/SMS marketing and cookies - pair a compliant banner with a transparent Cookie Policy and avoid dark patterns.
- Don’t rely on consent for employees; use contract, legal obligation or legitimate interests where appropriate and document your reasoning.
- Back up your processes with the right paperwork - a tailored Privacy Policy, Data Processing Agreement with processors, and, if needed, a Data Sharing Agreement.
- If this feels overwhelming, getting a streamlined GDPR Package in place can save time and reduce risk as you scale.
If you’d like help designing compliant consent flows, drafting policies, or choosing the right lawful basis, you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.