Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, it’s completely normal to assume that “if someone didn’t object, they must be OK with it”. In day-to-day life, that’s often how things work.
But when it comes to personal data, the UK GDPR (and the Data Protection Act 2018) set a higher bar. Getting consent wrong can put your marketing, customer processes, staff monitoring, and even your website setup at risk.
This guide breaks down what implicit consent really means in practice, where it can (and can’t) be relied on, and what you should do instead to protect your business from day one.
This article is general information only and isn’t legal advice. If you want advice on your specific setup, it’s worth getting tailored support.
What Is Implicit Consent (And Why Do Businesses Rely On It)?
“Implicit consent” is the idea that someone has “agreed” because of their behaviour or the surrounding circumstances, rather than because they clearly said “yes”.
In business, it usually shows up as assumptions like:
- “They gave us their email, so we can send marketing.”
- “They’re using our website, so they must accept tracking.”
- “They entered our shop, so CCTV recording is fine.”
- “They didn’t complain about call recordings, so consent is implied.”
The problem is that under the UK GDPR, consent has a specific legal meaning. And “implied” or “assumed” consent often isn’t consent at all.
Before you decide whether you can rely on consent (implicit or otherwise), it helps to remember one key point: consent is only one of the lawful bases for processing personal data. In many cases, consent is not the best (or safest) basis for a small business.
What Counts As Valid Consent Under UK GDPR?
Consent under UK GDPR must be:
- Freely given (no pressure, and no unfair “take it or leave it” approach where it isn’t necessary)
- Specific (separate consents for separate purposes, where appropriate)
- Informed (people understand what they’re agreeing to)
- Unambiguous (a clear positive action)
- Easy to withdraw (and you must actually honour withdrawals)
That “unambiguous” requirement is where implicit consent often falls apart.
Is Implicit Consent Ever Allowed Under UK GDPR?
In strict terms, the UK GDPR doesn’t describe “implicit consent” as a standalone category you can tick and move on.
What businesses often mean by implicit consent is one of these:
- Consent inferred from a clear affirmative action (for example, ticking a box, clicking “I agree”, choosing settings)
- Consent assumed from silence or inactivity (for example, pre-ticked boxes, “by continuing you agree”, no opt-out provided)
The first can be valid consent (even if it doesn’t involve words like “I consent”). The second usually isn’t valid consent.
When Behaviour Can Amount To Consent
Consent can sometimes be demonstrated through actions if the action clearly signals agreement and the person was properly informed.
Examples that are more likely to work (depending on the details):
- A customer selects “Yes, email me offers” during checkout (unticked by default).
- A user clicks “Accept analytics cookies” on a cookie banner with a real choice.
- A participant signs up via a form that clearly explains what communications they’ll receive and how often.
In other words, the “implicit” part can only go so far. The safer framing is: consent must be clear, and your evidence of it must stand up if challenged.
Why Small Businesses Get Caught Out
Many small businesses copy what they’ve seen others do online, or they use tools that have consent wording baked in. The risk is that you end up with:
- vague consent wording
- bundled consent (“agree to everything”) when you needed separate options
- no records showing when and how consent was captured
- no easy way to withdraw consent
This is exactly why it’s worth setting up your data protection approach properly (including the right website documents like a Privacy Policy and Cookie Policy) before you scale your marketing or tech stack.
When Implicit Consent Is Not Enough (Common Risk Areas)
If you take one practical lesson from this article, it’s this: silence, inactivity, or “they didn’t complain” is not valid consent.
Here are situations where businesses frequently (and accidentally) rely on implicit consent, but shouldn’t.
1. Marketing Emails And Texts
For electronic marketing (emails, texts, many direct marketing messages), you’ll usually need to think about UK GDPR and also the Privacy and Electronic Communications Regulations (PECR).
A classic mistake is assuming:
- “They bought from us once, so we can keep emailing promotions.”
- “They enquired via our contact form, so they want newsletters.”
Sometimes you might be able to rely on a different legal route (like the “soft opt-in” for existing customers, if the conditions are met), but that’s not the same as implicit consent. If you’re using consent as your basis, it needs to be captured properly.
2. Cookies And Tracking
Cookie compliance is one of the biggest “implicit consent” traps because so many websites still use banners that effectively say: “By continuing to use this website, you agree…”.
Under PECR (and in turn UK GDPR), you generally need consent for storing or accessing information on a user’s device unless the cookie is strictly necessary (for example, essential shopping basket or security cookies). In practice, that means marketing cookies will usually need opt-in consent, and analytics cookies often do too unless they’re set up in a way that falls within a recognised exemption.
Having a properly drafted Cookie Policy helps, but the policy alone doesn’t “create” consent. Your cookie banner and settings need to match your legal position.
3. Recording Calls Or Meetings
It can be tempting to think consent is implied if you say “calls may be recorded” at the start and the person stays on the line. But staying on the line doesn’t automatically mean you’ve captured valid GDPR consent.
Many businesses record calls using another lawful basis (often legitimate interests, or in some cases contract), alongside clear transparency: telling people the call is recorded, why, how long recordings are kept, and who they may be shared with. Call recording can also touch on wider legal issues beyond data protection, so it’s worth being careful with how you implement it (including your scripts, privacy notices, and retention periods). If this is relevant to your business, have a read of recording conversations rules and risk points.
4. Workplace Monitoring
If you monitor staff (for example, device activity, internet usage, software logs, or security monitoring), “implicit consent” is particularly risky. In employment relationships, consent is often not seen as freely given because of the power imbalance.
That doesn’t mean you can’t monitor at all. It means you usually need to rely on a different lawful basis and be very transparent, proportionate, and careful with policies and notices.
This is a common compliance area for growing businesses, especially when you introduce new tools or security controls. If you’re exploring this, monitoring computers is a good place to sanity-check your approach.
If Not Implicit Consent, What Should Your Business Use Instead?
This is where many small businesses feel stuck. If implicit consent isn’t reliable, what are your options?
Under UK GDPR, you must have a lawful basis to process personal data. Consent is just one basis. Depending on what you’re doing, you may be better placed using:
- Contract: you need the data to provide goods/services someone requested (for example, delivery address details)
- Legal obligation: you must process data to comply with the law (for example, payroll, tax records)
- Legitimate interests: you have a genuine business reason to process data, balanced against the individual’s rights
- Vital interests: life-or-death scenarios (rare for most SMEs)
- Public task: typically public bodies or tasks in the public interest (not common for SMEs)
Why “Legitimate Interests” Often Beats Consent
For many everyday business activities (fraud prevention, internal admin, and some limited marketing contexts), legitimate interests may be more appropriate than consent.
But legitimate interests isn’t a free pass. You still need to:
- be transparent about what you’re doing
- only do what’s proportionate
- consider the impact on individuals
- offer opt-outs where required (especially in marketing contexts under PECR)
This is also where clear documentation matters. Your privacy information should reflect your actual lawful basis and your actual practices (not just generic wording).
And If You Use Suppliers, Make Sure The Contracting Is Right
If you use third parties to process personal data for you (for example, email marketing platforms, cloud CRMs, payroll providers), you’ll often need a proper Data Processing Agreement in place. This is one of the most overlooked steps for small businesses, and it’s exactly the kind of thing that causes headaches later during audits, disputes, or sales of the business.
A Practical Checklist: How To Use Consent Properly (Without Overcomplicating It)
When consent is genuinely the right approach, the goal is to make it easy for people to understand and easy for you to prove.
Step 1: Be Clear About What You’re Asking For
Use plain language. Avoid bundling multiple purposes into one vague statement.
Instead of:
- “By signing up you agree to receive communications from us.”
Use something closer to:
- “Yes, email me product updates and special offers (about once a week).”
Step 2: Make The Choice Active (No Pre-Ticked Boxes)
Consent should be opt-in. Pre-ticked boxes and “we’ll assume you agree unless you untick” setups are high-risk.
Step 3: Keep Records
If you can’t prove consent, you’ll struggle to rely on it.
At a minimum, record:
- who consented
- when they consented
- how they consented (what form, what wording)
- what they were told at the time
- what they consented to (which channel and purpose)
Step 4: Make Withdrawal Simple
Every marketing email should include an unsubscribe link. If it’s consent for something else (like recorded calls or optional features), give a clear method to withdraw and explain what happens next.
Step 5: Align Your Policies With Reality
Your Privacy Policy and internal processes should match what you actually do. If your staff use work devices, access customer data remotely, or handle personal data on the go, an Acceptable Use Policy can also be a simple way to set expectations and reduce risk.
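To show what Steps 1 to 4 look like in practice, here is a small added example of a consent ledger (illustrative code written for this article, not Sprintlaw's software or anything a particular platform provides). It stores the record the checklist asks for (who, when, how, what they were told, and what they agreed to), treats only an explicit tick of an unticked box as consent, and honours withdrawal before any marketing is sent. The form field names, source identifiers and email addresses are constructed sample values.

```python
"""Illustrative consent ledger (added example, not the article's own code).

Records each consent decision as an append-only event and checks the latest
decision before marketing is sent, so the business can prove consent and
demonstrate that withdrawals were honoured.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
from typing import Optional

# Purpose keys combine channel and purpose so consents stay specific,
# rather than one bundled "agree to everything" flag.
MARKETING_EMAIL = "marketing:email"


@dataclass(frozen=True)
class ConsentEvent:
    subject: str            # who consented (constructed sample emails below)
    purpose: str            # what they consented to (channel + purpose)
    granted: bool           # True = opt-in given, False = withdrawn
    captured_at: datetime   # when (UTC)
    source: str             # how: which form/page/link (hypothetical ids)
    wording: str            # exactly what they were told at the time
    wording_hash: str       # fingerprint of the wording, for audit comparison


class ConsentLedger:
    """Append-only list of events; the latest event per (subject, purpose) wins."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, subject: str, purpose: str, granted: bool,
               source: str, wording: str) -> ConsentEvent:
        event = ConsentEvent(
            subject=subject,
            purpose=purpose,
            granted=granted,
            captured_at=datetime.now(timezone.utc),
            source=source,
            wording=wording,
            wording_hash=hashlib.sha256(wording.encode("utf-8")).hexdigest()[:16],
        )
        self._events.append(event)  # never edit or delete: keep the audit trail
        return event

    def latest(self, subject: str, purpose: str) -> Optional[ConsentEvent]:
        # Walk backwards so insertion order (not wall-clock ties) decides.
        for event in reversed(self._events):
            if event.subject == subject and event.purpose == purpose:
                return event
        return None

    def has_consent(self, subject: str, purpose: str) -> bool:
        event = self.latest(subject, purpose)
        return event is not None and event.granted

    def evidence(self, subject: str, purpose: str) -> list[ConsentEvent]:
        """Full history for one person and purpose, oldest first."""
        return [e for e in self._events
                if e.subject == subject and e.purpose == purpose]


def handle_signup_form(ledger: ConsentLedger, form: dict, source: str,
                       wording: str) -> bool:
    """Process a sign-up form whose marketing box is unticked by default.

    Only an explicit True (the person ticked the box) records consent; a
    missing key or any other value is treated as "no consent". Responding to
    the enquiry itself is not consent-based, so nothing is recorded for it.
    """
    if form.get("marketing_opt_in") is True:
        ledger.record(form["email"], MARKETING_EMAIL, True, source, wording)
        return True
    return False


def handle_unsubscribe(ledger: ConsentLedger, email: str,
                       source: str = "unsubscribe-link") -> None:
    """Withdrawal is recorded as an event, not by deleting the original grant."""
    ledger.record(email, MARKETING_EMAIL, False, source,
                  "Unsubscribe link clicked in marketing email")


def can_send_marketing(ledger: ConsentLedger, email: str) -> bool:
    """The check every marketing send should run first."""
    return ledger.has_consent(email, MARKETING_EMAIL)


if __name__ == "__main__":
    ledger = ConsentLedger()
    wording = "Yes, email me product updates and special offers (about once a week)."
    handle_signup_form(ledger, {"email": "alice@example.com", "marketing_opt_in": True},
                       "checkout-form-v2", wording)
    handle_signup_form(ledger, {"email": "bob@example.com"}, "checkout-form-v2", wording)
    handle_unsubscribe(ledger, "alice@example.com")
    for who in ("alice@example.com", "bob@example.com"):
        print(who, can_send_marketing(ledger, who), len(ledger.evidence(who, MARKETING_EMAIL)))
```

The point of keeping withdrawals as events rather than deleting the grant is that, if challenged, you can show both that consent was captured (with the exact wording and the form it came from) and that the withdrawal was acted on. The `marketing_opt_in` value is assumed to have been converted to a real boolean by the form handler; if a framework passes the raw string, convert it there rather than loosening this check.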
Common Scenarios: What “Implicit Consent” Looks Like In Real Small Businesses
Let’s turn the theory into practical examples. Here’s how implicit consent issues often show up in growing UK businesses.
Scenario 1: A Customer Enquiry Form
What you want: capture enquiries and follow up.
Risky implicit consent approach: adding a line like “By submitting this form you agree to marketing.”
Safer approach:
- Use the form submission as the lawful basis to respond to the enquiry (often contract steps or legitimate interests).
- If you also want marketing consent, add a separate, unticked opt-in checkbox specifically for marketing.
Scenario 2: Online Checkout
What you want: process an order, send delivery updates, and keep the customer informed.
Good news: you usually don’t need consent for many of these steps, because you need the data to perform the contract.
Where consent might come in: optional marketing, optional profiling/personalisation, and non-essential cookies.
Scenario 3: A Team Using AI Tools With Customer Data
As soon as your team starts pasting customer information into AI tools, you can create serious privacy, confidentiality, and security risk.
This isn’t an “implicit consent” moment (your customer definitely hasn’t implicitly consented to their details being used that way). It’s about choosing the right lawful basis, being transparent, minimising data, and controlling what tools staff can use.
If AI tools are part of your operations, it’s worth checking your approach to AI tools and putting boundaries in place early.
Scenario 4: Recording Sales Or Support Calls
Many businesses record calls for training, quality assurance, or dispute resolution. That can be legitimate, but you need to set it up carefully.
Practical tips include:
- Tell people clearly at the start of the call (and consider alternatives where appropriate).
- Only record what you need, and don’t keep recordings longer than necessary.
- Make sure your privacy information covers it.
Also remember that the rules aren’t only “GDPR rules”. Call recording can raise other legal issues too, so it’s worth sense-checking your plan against recording conversations compliance.
Key Takeaways
- Implicit consent is not a separate lawful basis under UK GDPR, and relying on assumptions can create compliance risk.
- Consent must be freely given, specific, informed, unambiguous, and easy to withdraw, and you should be able to prove it.
- Silence, inactivity, pre-ticked boxes, and “they didn’t object” approaches generally do not create valid consent.
- In many SME scenarios, using another lawful basis (like contract or legitimate interests) may be more appropriate than consent.
- High-risk “implicit consent” areas include marketing, cookies/tracking, call recordings, and workplace monitoring.
- Strong documentation and setup (including a Privacy Policy, Cookie Policy, and the right supplier terms like a Data Processing Agreement) help you stay compliant as you grow.
If you’d like help setting up the right GDPR approach for your business (including consent wording, privacy documents, and data protection compliance), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.