Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, “GDPR consent” can feel like one of those legal phrases that pops up everywhere - on email sign-up forms, cookie banners, marketing funnels, and customer databases.
But what GDPR consent means is more specific than simply “the customer agreed”. Under UK GDPR, consent is only valid if it meets strict conditions - and if it doesn’t, your marketing and data-handling can quickly move from “normal business admin” into “compliance risk”.
In this guide, we’ll break down what consent really means for UK businesses, what counts as valid consent, when you should (and shouldn’t) rely on consent, and the practical steps to get it right from day one.
What Does GDPR Consent Mean In Practice?
Under the UK GDPR (the UK version of the General Data Protection Regulation, read alongside the Data Protection Act 2018), “consent” is one of the lawful bases that can allow you to process personal data.
In plain English, GDPR consent means:
- A clear, informed, freely given “yes” from the individual before you use their personal data for a specific purpose.
Consent matters because personal data processing is not “automatic” just because you’re a business. If you’re collecting, storing, using, sharing, or analysing personal data (names, emails, phone numbers, order history, IP addresses, photos, and more), you need a lawful basis.
For many small businesses, consent shows up in areas like:
- Email marketing (newsletters, promotions, product launches)
- SMS marketing
- Cookie banners and tracking tools on your website
- Using customer photos/videos in your marketing
- Capturing leads through competitions or sign-up forms
- Recording calls or capturing customer support information
It’s also important to know what consent is not. Consent isn’t valid if it’s bundled into confusing terms, hidden in small print, or if the person doesn’t genuinely have a choice.
And if you’re using consent as your lawful basis, you also need to be able to prove it later - which is where many businesses get caught out.
What Counts As Valid Consent Under UK GDPR?
Valid consent is defined by a set of conditions that are easy to describe, but sometimes tricky to implement in the real world.
For consent to be valid under UK GDPR, it must be:
1) Freely Given
The person must have a real choice. Consent isn’t “freely given” if someone feels pressured to agree, or if they’ll be penalised for refusing.
Common small business pitfall: making consent a condition of a service when it’s not actually necessary.
- If someone has to accept marketing emails just to download a free guide, that’s risky unless the marketing is genuinely part of the deal and clearly explained.
- If someone must accept tracking cookies to use the website at all, that can also cause problems if those cookies aren’t strictly necessary.
2) Specific
Consent must cover a specific purpose. If you want to use customer data for multiple purposes, you usually need separate choices.
Example: one tick box for “email me about product updates” and another for “email me about partner offers”. Don’t bundle unrelated purposes into one “agree to everything” option.
3) Informed
People need to understand what they’re agreeing to. That means your wording has to be clear, and you should point people to the key information at the point you collect data (not buried in a long policy nobody can find).
This is where having a proper Privacy Policy becomes more than a box-ticking exercise - it’s part of making consent informed and defensible.
4) Unambiguous (Clear Affirmative Action)
Consent needs a clear opt-in. Silence isn’t consent. Pre-ticked boxes aren’t consent. “By continuing to use this site…” is generally not enough for optional processing activities like marketing or non-essential cookies.
Good examples include:
- Unticked tick-boxes the user actively selects
- A clear “Accept” button for specific categories (like analytics cookies)
- A signed consent form for customer photos or testimonials
5) Easy To Withdraw
The person must be able to change their mind. You need to make it as easy to withdraw consent as it was to give it.
Practical examples:
- Every marketing email should include an unsubscribe link that works
- If consent was given via an account dashboard, withdrawal should also be possible via that dashboard (or an equally simple method)
- If consent was given for photography/filming, the withdrawal process should be clear (while being honest about practical limits once content has already been printed or published)
6) Documented (You Must Be Able To Prove It)
This is the part many small businesses forget. If you rely on consent, you must keep records showing:
- Who consented
- When they consented
- How they consented (what form, what wording, what tick box)
- What they were told at the time
- Whether they later withdrew consent
Even if you’re not a “big tech company”, you still need a system that can stand up to scrutiny if a customer complains or the ICO investigates.
When Should Your Business Use Consent (And When Should You Use A Different Lawful Basis)?
One of the biggest misunderstandings around GDPR consent is thinking consent is always required to process personal data.
It isn’t.
UK GDPR provides several lawful bases for processing, and consent is only one of them. In many situations, consent is actually not the best option - especially because it can be withdrawn at any time.
Common alternatives include:
- Contract: you need the data to deliver what the customer bought (e.g. name/address for delivery)
- Legal obligation: you must keep certain records for tax/employment law
- Legitimate interests: you have a genuine business reason that isn’t overridden by the person’s rights (this requires careful balancing and transparency)
Consent Is Often Appropriate For
- Direct marketing where opt-in consent is required (and, in practice, this often overlaps with UK e-privacy rules under PECR, such as the “soft opt-in” for existing customers)
- Optional cookies and tracking (analytics, advertising cookies) - this is mainly a PECR requirement, supported by a clear Cookie Policy
- Using customer images/testimonials in promotional content (especially if it’s not strictly necessary to deliver your service)
Consent Is Often Not The Best Fit For
- Invoicing and fulfilment (this is usually “contract” and/or “legal obligation”)
- Employee HR administration (consent in employment is often problematic because of the power imbalance)
- Core service delivery where the customer expects the processing as part of the deal
Getting the lawful basis right matters because it affects your privacy wording, your internal processes, and what rights individuals can exercise against you.
If you’re unsure, it’s worth getting advice early - it’s much easier to build a compliant system than to rebuild one after your marketing lists and processes have grown.
How Do You Get GDPR Consent Right? A Practical Checklist For Small Businesses
Consent compliance doesn’t need to be overcomplicated. The key is building a simple, repeatable process that you can apply across your business - whether you’re collecting data through a website, in person, or via a third-party platform.
1) Use Clear Consent Wording (No Legal Jargon)
Consent requests should be separate from other information and written in plain English.
Good example:
- “Yes, email me about product updates and special offers. I can unsubscribe at any time.”
Risky example:
- “By signing up you agree to receive communications from us and selected partners.”
If you’re using consent for more than one purpose (e.g. newsletter plus third-party marketing), split it into separate options.
2) Make Opt-In The Default
No pre-ticked boxes, no “opt-out” designs disguised as opt-in. If you want valid consent, the customer should actively choose it.
3) Keep Consent Separate From Your Terms
Your terms and conditions can set the rules of the customer relationship, but consent needs to be distinct and specific.
Think of it this way: your customer shouldn’t have to “agree to marketing” just to buy something, unless the marketing is truly part of what they’re signing up for (and even then, it should be handled carefully).
4) Put The Right Policies In Place
Your consent mechanisms should connect with the documents that explain what you do with personal data. For many small businesses, that typically includes:
- A clear Privacy Policy (what you collect, why, how long you keep it, who you share it with, and what rights people have)
- A Cookie Policy (what cookies you use and how users can manage them)
If you use suppliers who process personal data on your behalf (like email marketing tools, CRM systems, cloud storage, booking platforms), you’ll also want to consider your contracts and data protection paperwork, such as a Data Processing Agreement where appropriate.
5) Build A Simple “Consent Log”
You don’t need enterprise software to prove consent - but you do need something.
A consent log might include:
- Customer name/email
- Date/time of opt-in
- Source (website form, in-store form, event sign-up)
- Consent wording used at the time
- Any preferences selected
- Date/time of unsubscribe (if applicable)
If you ever need to show how you got consent, this is what will save you.
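A minimal consent log built around the fields listed above, added here as an illustration rather than a system the article or the firm describes; it assumes purposes are named by short keys such as product_updates, that a withdrawal with no purposes means a full unsubscribe, and that the history is replayed so a later withdrawal always overrides an earlier opt-in.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class ConsentEvent:
    """One log entry: the evidence the article says you must be able to show."""
    email: str                # who consented (normalised to lower case)
    timestamp: datetime       # when they consented or withdrew
    source: str               # how: "website form", "in-store form", "unsubscribe link"
    wording: str              # exact consent text shown at the time (empty for withdrawals)
    purposes: frozenset       # which separate options were selected (or withdrawn)
    withdrawn: bool = False   # True for an unsubscribe/withdrawal event

class ConsentLog:
    """Append-only record: events are never edited or deleted, so the full history survives."""
    def __init__(self):
        self._events = []

    def record_opt_in(self, email, source, wording, purposes, when=None):
        purposes = frozenset(purposes)
        if not purposes:
            raise ValueError("consent must be for at least one specific purpose")
        ev = ConsentEvent(email.lower(), when or datetime.now(timezone.utc), source, wording, purposes)
        self._events.append(ev)
        return ev

    def record_withdrawal(self, email, source, purposes=(), when=None):
        # An empty purposes set means "withdraw everything" (a plain unsubscribe); assumed convention.
        ev = ConsentEvent(email.lower(), when or datetime.now(timezone.utc), source, "",
                          frozenset(purposes), withdrawn=True)
        self._events.append(ev)
        return ev

    def evidence(self, email):
        """Chronological history for one person: what you would produce if asked to prove consent."""
        return sorted((e for e in self._events if e.email == email.lower()), key=lambda e: e.timestamp)

    def active_purposes(self, email):
        """Replay the history so a later withdrawal always overrides an earlier opt-in."""
        active = set()
        for e in self.evidence(email):
            if e.withdrawn:
                active -= e.purposes or frozenset(active)
            else:
                active |= e.purposes
        return active

    def may_contact(self, email, purpose):
        """Check before every send: no record, or a withdrawal, means no marketing."""
        return purpose in self.active_purposes(email)
```

Calling may_contact before each campaign send, rather than keeping a separate "subscribed" flag, means the proof of consent and the decision to contact someone come from the same record.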
6) Train Your Team (Even If It’s Just Two Of You)
If staff collect data (for example, taking bookings, running giveaways, adding contacts to a mailing list), make sure they know:
- When they can add someone to marketing lists (usually only with opt-in consent, and in some cases subject to PECR rules like the “soft opt-in”)
- What to say when someone asks “why do you need this?”
- How to process an unsubscribe or withdrawal request quickly
This also ties into how your business manages devices and systems that handle personal data. Having internal rules like an Acceptable Use Policy can help set expectations around security, access, and appropriate handling of personal data.
Common Consent Mistakes That Can Trip Up Small Businesses
Most consent problems don’t come from bad intentions - they come from rushed set-ups, “we’ve always done it this way”, or copying wording that doesn’t actually meet UK GDPR standards.
Here are some common mistakes to watch for.
Using Pre-Ticked Boxes Or “Opt-Out” Sign-Ups
If the customer has to untick a box to avoid marketing, it’s unlikely to count as valid consent. You want an active opt-in.
Burying Consent In Your Terms And Conditions
Consent should be separate, clear, and not hidden inside long clauses.
Not Being Specific About Marketing Channels
“Marketing” is vague. Be clear if you’ll contact them by email, SMS, phone calls, or post. Some channels also have additional rules under UK e-privacy laws (often referred to as PECR).
Not Making Withdrawal Easy
An unsubscribe link that doesn’t work, or requiring someone to call you to stop marketing, is asking for complaints (and reputational damage).
Confusing Consent With “We Need This To Deliver The Service”
If you need a customer’s address to deliver a product, you don’t need consent - you need that information to fulfil the contract. Trying to rely on consent for essential processing can create confusion and compliance gaps.
Collecting Consent But Not Keeping Proof
If you can’t show when and how consent was given, it’s hard to defend your position if challenged.
Forgetting That Some Data Is Higher Risk
If you process special category data (like health information), the rules are stricter and you may need an additional condition under UK GDPR. In some cases, that will mean explicit consent. Even if your business is small, certain industries (health, wellbeing, fitness, childcare, recruitment) can end up handling sensitive data quickly.
If you’re building an end-to-end compliance approach (policies, processes, and contracts), a structured support option like a GDPR package can be a practical way to get the foundations right without guessing.
Key Takeaways
- For UK businesses, GDPR consent means a clear, informed, freely given and specific opt-in that the customer can withdraw at any time.
- Valid consent must be freely given, specific, informed, unambiguous, and supported by an easy way to withdraw.
- You should only rely on consent when it genuinely fits - in many cases, contract or legitimate interests may be more appropriate lawful bases.
- If you use consent, you need to be able to prove it, which means keeping a record of when and how the person opted in and what you told them at the time.
- Clear privacy documents (like a Privacy Policy and Cookie Policy) and internal processes make it much easier to stay compliant as your business grows.
- Consent failures often come from small design choices (like pre-ticked boxes or vague wording) - fixing these early is one of the simplest ways to reduce GDPR risk.
If you’d like help getting your consent wording, privacy documents, and GDPR processes right, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.