Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re collecting customer data, running email campaigns or using cookies on your website, you’ll quickly run into the question of consent. You might hear people talk about “implicit consent” – but under UK law, that phrase is often misunderstood.
In short: relying on implicit consent is risky. In many scenarios, it won’t meet the legal threshold. The good news is that with the right set-up, you can use compliant alternatives and still run effective marketing, analytics and operations.
In this guide, we’ll unpack what “implicit consent” means in practice, when consent is (and isn’t) required, and the safer lawful bases and processes most small businesses should use instead.
What Does “Implicit Consent” Mean Under UK GDPR?
Under the UK GDPR and the Data Protection Act 2018, consent must be a freely given, specific, informed and unambiguous indication of a person’s wishes – given by a clear affirmative action.
That definition rules out a lot of practices that people informally call “implicit consent”, such as:
- Silence or inactivity (e.g. not unticking a box or just continuing to browse)
- Pre-ticked checkboxes or “by default you agree” statements
- Bundled consent for multiple purposes with no real choice
- Hiding the consent request in dense terms and conditions
In other words, “implicit consent” generally isn’t valid consent for data protection. If you’re going to rely on consent as your lawful basis, it needs to be active and unambiguous – think an opt-in box the user ticks themselves, or a clear “Accept” choice that isn’t nudged by dark patterns.
And remember, consent isn’t always the right choice as a legal basis. In many day-to-day business activities, “legitimate interests”, “contract” or “legal obligation” can be more appropriate (and more practical to manage). We’ll come back to that below.
Where Businesses Often Misapply Implicit Consent
Let’s look at common business scenarios where “implicit consent” crops up – and what the law actually expects you to do.
1) Email And SMS Marketing
Marketing messages are regulated by the Privacy and Electronic Communications Regulations (PECR) alongside UK GDPR. For most direct marketing by email or SMS to individuals, you need prior consent – and the UK GDPR standard applies (freely given, informed, unambiguous, opt-in).
There’s a narrow exception known as the “soft opt-in.” If you obtained a customer’s details during a sale (or negotiations for a sale), you’re marketing your own similar products or services, and you give them an easy opt-out at the time of collection and in every message, you can market without fresh consent. Used properly, the soft opt-in can reduce friction for returning customers while staying compliant with email marketing laws. If you plan to rely on it, make sure your forms and footer links clearly offer the opt-out, and that the products are genuinely “similar.” For a deeper dive, see the rules around the soft opt-in.
2) Cookies, Analytics And Tracking
For most non-essential cookies (analytics, advertising, social media), PECR requires prior consent before you set the cookie – and simply continuing to browse is not valid consent on its own. You need a compliant banner that lets users make a real choice, ideally with a clear “Reject All” alongside “Accept.” A simple “by continuing to use this site, you consent…” statement won’t cut it.
Pair your banner with a transparent Cookie Policy and make sure your scripts respect the user’s choices (no firing before opt-in). It’s also smart to reflect your tracking and lawful bases in your Privacy Policy so users can understand what you collect and why.
3) Call Recording, CCTV And Workplace Monitoring
It’s common to see businesses assume that “we put up a sign” equals consent. For most monitoring, consent isn’t the best basis anyway – particularly where there’s an imbalance of power (e.g. staff). Instead, look at legitimate interests, carry out a documented assessment of necessity, and ensure you’re transparent and proportionate.
- CCTV and audio: Be cautious with audio capture; it’s far more intrusive than video. Clear signage and a strong necessity case are essential. The pitfalls are set out in CCTV With Audio.
- Recording conversations: If you record calls for training or compliance, you’ll need a lawful basis, upfront notice, and proper retention and security controls. Start with the overview in recording conversations.
4) Sharing Data With Suppliers And Partners
When you send personal data to a cloud provider, CRM, marketing platform or logistics partner, you don’t need consent if the sharing is necessary for your service and you have the right contracts in place. Use a Data Processing Agreement with processors, and a Data Sharing Agreement where two independent controllers exchange data. The key is transparency and lawfulness – not assuming you have “implicit consent” to pass data around.
When Should You Use Consent Versus Another Lawful Basis?
Consent is just one of six lawful bases in the UK GDPR. It’s powerful when you truly offer a genuine choice, but it’s not a catch-all. If you can’t give people a free option to say no without detriment, consent probably isn’t appropriate.
Here’s a practical way to decide:
- Contract: You need the data to provide your product or service. Example: collecting a delivery address to ship an order.
- Legal obligation: You must process data to meet a legal duty. Example: keeping certain tax records.
- Legitimate interests: You have a reasonable business interest that isn’t overridden by the individual’s rights. Example: basic site analytics with strong privacy safeguards; limited fraud prevention; certain B2B outreach where PECR permits.
- Consent: You genuinely need the person’s opt-in and are happy to respect a “no.” Example: most direct marketing to individuals (unless you qualify for the soft opt-in), non-essential cookies, optional newsletter sign-ups, sharing data with a third party for their own marketing.
Pick one primary basis per purpose, document it and explain it in your privacy notice. If you choose consent, make it granular and easy to withdraw.
How To Make Consent Valid If You Need It
If you do rely on consent, follow these best practices to keep it valid and auditable:
- Make it opt-in: No pre-ticked boxes. Use plain, specific language and separate toggles for different purposes.
- Keep it unbundled: Don’t bundle consent with terms or make it a condition unless strictly necessary for the service.
- Be clear and prominent: Put the request where the decision is made, in simple English, with links to more detail.
- Offer real choice: Provide equal “Reject” and “Accept” options for cookies; don’t use dark patterns or confusing designs.
- Record consent: Log who consented, when, how, and what they were told at the time.
- Make withdrawal easy: Add unsubscribe links to marketing and simple ways to change cookie settings or account preferences.
For websites, that normally means a consent management platform with a “reject all” option and clear categories, combined with a robust Cookie Policy and an up-to-date Privacy Policy that aligns with what your scripts actually do.
Practical Steps To Stay Compliant Without Over-Relying On Implicit Consent
Let’s turn this into an actionable plan you can execute this week.
1) Map Your Data And Purposes
List each type of personal data you collect (e.g. names, emails, analytics IDs, recordings), where it comes from, where it goes, and what you use it for. For each purpose, choose the most appropriate lawful basis. If your only reason is “we assumed implicit consent,” pause and reassess.
2) Fix Your Website Consent Flows
- Implement a cookie banner that blocks non-essential cookies until opt-in and offers a “Reject All.”
- Publish or update your Cookie Policy and ensure it lists each cookie category, vendor and purpose in plain English.
- Align your tracking disclosures and lawful bases in your Privacy Policy.
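The “block until opt-in” pattern described in the cookie sections above, as an added example that is not Sprintlaw’s code and not any particular consent management platform’s: a small JavaScript consent gate that holds non-essential tag loaders back until the user opts in to their category, treats “Reject All” as a decision in its own right, and writes a consent record (when, how, which categories, which version of the policy text) for every accept, reject and withdrawal. The category names, the policy version string, the subject id and the loader callbacks in the demo are constructed for illustration.

```javascript
// Added example: a consent gate for non-essential scripts. Not Sprintlaw's
// code and not tied to any real consent management platform. Category names,
// the policy version string and the demo's loader callbacks are constructed.

const NON_ESSENTIAL = ["analytics", "advertising", "social"];
const POLICY_VERSION = "cookie-policy-v1"; // assumed: identifies the Cookie Policy text shown to the user

class ConsentGate {
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;
    this.loaders = { essential: [], analytics: [], advertising: [], social: [] };
    this.fired = new Set();   // loader ids that have already run (each fires at most once)
    this.granted = new Set(); // categories the user has actively opted in to
    this.records = [];        // audit trail: who/when/how/what for each decision
  }

  // Register a tag loader under a category. Essential loaders run immediately;
  // everything else stays blocked until the user opts in to that category.
  register(category, id, loader) {
    if (!(category in this.loaders)) throw new Error(`unknown category: ${category}`);
    this.loaders[category].push({ id, loader });
    if (category === "essential" || this.granted.has(category)) this.fireCategory(category);
  }

  fireCategory(category) {
    for (const { id, loader } of this.loaders[category]) {
      if (this.fired.has(id)) continue;
      this.fired.add(id);
      loader();
    }
  }

  record(action, method, categories, subjectId) {
    this.records.push({
      at: this.clock(),
      subjectId,                  // a consent-record id or account id, never a guess at identity
      action,
      method,                     // "banner" or "preference_centre": how the choice was made
      categories: [...categories].sort(),
      policyVersion: POLICY_VERSION,
    });
  }

  // Granular opt-in: only the categories the user actively chose are unblocked.
  accept(categories, { method = "banner", subjectId = "anonymous" } = {}) {
    const bad = categories.filter((c) => !NON_ESSENTIAL.includes(c));
    if (bad.length) throw new Error(`not a consentable category: ${bad.join(", ")}`);
    for (const c of categories) this.granted.add(c);
    this.record("accept", method, categories, subjectId);
    for (const c of categories) this.fireCategory(c);
  }

  acceptAll(opts) { this.accept(NON_ESSENTIAL, opts); }

  // "Reject All" is recorded like any other decision and loads nothing non-essential.
  rejectAll({ method = "banner", subjectId = "anonymous" } = {}) {
    this.granted.clear();
    this.record("reject_all", method, [], subjectId);
  }

  // Withdrawal must be as easy as giving consent. Scripts already on the page
  // cannot be unloaded here, so callers should reload after a withdrawal.
  withdraw(categories, { method = "preference_centre", subjectId = "anonymous" } = {}) {
    for (const c of categories) this.granted.delete(c);
    this.record("withdraw", method, categories, subjectId);
  }

  hasConsent(category) { return this.granted.has(category); }
}

// Walk through a typical visit with constructed stand-in loaders. Real loaders
// would append <script> tags; here they only note that they ran.
function demo() {
  const ran = [];
  const gate = new ConsentGate(() => "2024-01-01T09:00:00Z"); // fixed clock for a reproducible trail
  gate.register("essential", "session-cookie", () => ran.push("session-cookie"));
  gate.register("analytics", "analytics-tag", () => ran.push("analytics-tag"));
  gate.register("advertising", "ad-pixel", () => ran.push("ad-pixel"));
  const beforeChoice = [...ran];            // only the essential loader has run

  gate.rejectAll();                         // "Reject All": still nothing non-essential
  const afterReject = [...ran];

  gate.accept(["analytics"]);               // granular opt-in to one category
  const afterAnalyticsOptIn = [...ran];     // analytics fires; the ad pixel does not

  gate.withdraw(["analytics"]);             // later, from the preference centre
  return {
    beforeChoice,
    afterReject,
    afterAnalyticsOptIn,
    analyticsStillGranted: gate.hasConsent("analytics"),
    records: gate.records,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

On a live site, `register` is wired to each third-party tag in place of loading it directly, `accept`/`rejectAll` to banner buttons of equal prominence, and `withdraw` to the preference centre. The `granted` set and the `records` array need to be persisted (for example server-side, keyed to a consent id) so the choice survives reloads and the records can serve as the evidence of who consented, when, how and to what.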
3) Tidy Up Your Marketing Lists
- Separate subscribers gathered by opt-in from customers covered by the soft opt-in, and keep records of how each contact was captured.
- Add clear unsubscribe links to every marketing email and a simple SMS stop command.
- For B2B outreach, check both PECR and UK GDPR. Some B2B emails may be allowed under PECR, but you still need a lawful basis and to respect opt-outs.
4) Put Processor And Sharing Contracts In Place
If a supplier handles personal data for you, you’re required to have a compliant Data Processing Agreement. Where two parties decide purposes independently, use a Data Sharing Agreement that clarifies responsibilities, security and individual rights.
5) Be Transparent About Monitoring
If you record calls, use CCTV or carry out employee monitoring, avoid framing it as “consent.” Instead:
- Identify a suitable lawful basis (often legitimate interests), document your necessity and balancing test, and consider less intrusive options.
- Provide clear notices and signage; restrict capture to what’s necessary (e.g. avoid audio unless essential).
- Review retention periods and access controls regularly.
The risks and good practices around audio capture are covered in detail in CCTV With Audio.
6) Set Up A Rights-Handling Process
Individuals can withdraw consent at any time, and may also make access or deletion requests. Build a process to identify requests, verify the requester, respond on time and keep an audit trail. Your Privacy Policy should explain how people can contact you and what you’ll do next.
Common Myths About Implicit Consent (And The Reality)
Let’s tackle a few misconceptions we hear from small businesses.
- Myth: “If someone gives us a business card, that’s consent to add them to our email list.” Reality: It’s not. You might rely on legitimate interests to follow up once in a B2B context, but ongoing marketing usually needs consent or the soft opt-in conditions met.
- Myth: “If our privacy notice says we use cookies, that implies consent.” Reality: Disclosure isn’t consent. For non-essential cookies, PECR requires prior opt-in.
- Myth: “Employees consent to monitoring by signing the handbook.” Reality: Consent in employment is rarely valid due to the imbalance of power. Use legitimate interests where appropriate and ensure transparency and proportionality.
- Myth: “If the user doesn’t click ‘no’, that means yes.” Reality: Silence is not consent under UK GDPR.
- Myth: “We can share data with our partners because users didn’t opt out.” Reality: Sharing for a partner’s own purposes generally requires consent or another strong legal basis explained up front.
Documentation To Put In Place
Getting your documentation right helps you demonstrate compliance and avoid relying on “implicit” anything.
- Privacy Notice: A layered, plain-English Privacy Policy that sets out your purposes, lawful bases, retention and rights.
- Cookie Tools And Policies: A compliant banner, preference centre, and a specific Cookie Policy.
- Data Processing Agreement: For every vendor that processes personal data on your behalf, use a Data Processing Agreement.
- Data Sharing Agreement: Where you and another party exchange data as independent controllers, agree roles and safeguards in a Data Sharing Agreement.
- Marketing Records: Keep evidence of opt-ins and soft opt-in eligibility (e.g. how and when details were collected, what was said on the form).
- Monitoring Notices: Clear signage and staff communications for CCTV, audio and call recording, aligned with your assessments and retention schedules. For the nuances around recordings, refer to recording conversations.
Key Takeaways
- “Implicit consent” (silence, inactivity, pre-ticked boxes) doesn’t meet the UK GDPR standard. If you rely on consent, make it explicit, informed and opt-in.
- You don’t always need consent. For many activities, “contract,” “legal obligation” or “legitimate interests” are more appropriate – but you must choose the right basis and explain it.
- PECR sets stricter rules for direct marketing and cookies. Use valid opt-in for most emails and SMS or ensure you qualify for the soft opt-in, and get prior consent for non-essential cookies via a compliant banner.
- Don’t assume signage equals consent for CCTV, audio or call recording. Build a legitimate interests case, be transparent and keep things proportionate.
- Put your paperwork in order: a clear Privacy Policy, Cookie Policy, and strong contracts such as a Data Processing Agreement and Data Sharing Agreement.
- Record how you captured consent or relied on soft opt-in, and make withdrawal and opt-out simple in every channel.
If you’d like tailored help setting up compliant consent flows, marketing permissions and data-sharing contracts for your business, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.