Nothing on this site constitutes legal advice. Specialist legal advice should be taken in relation to specific circumstances.
The contents of this site are for general information purposes only. Whilst we endeavour to ensure that the information on this site is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission.
We shall not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of, or inability to use, this site or any material contained in it, or from any action or decision taken as a result of using this site or any such material.
Under the EU General Data Protection Regulation (GDPR), knowing how and when you need to seek consent can be tricky. Many people mistakenly think that organisations must get consent to process personal data, but consent is one of six lawful grounds for processing data, and you’d be advised to seek it only if none of the other grounds apply.
The other lawful grounds are:
A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employee contract.
Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.
Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police.
Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms.
However, there will be times when consent is the most appropriate lawful basis, so you need to be aware of your obligations.
Opt in vs opt out
The GDPR lists specific requirements for lawful consent requests, but must also be given with a clear affirmative action. In other words, individuals need a mechanism that requires a deliberate action to opt in, as opposed to pre-ticked boxes.
Although the GDPR doesn’t specifically ban opt-out consent, the Information Commissioner’s Office (ICO) says that opt-out options “are essentially the same as pre-ticked boxes, which are banned”.
Examples of lawful consent requests include:
Signing a consent statement on a paper form;
Clicking an opt-in button or link online;
Selecting from equally prominent yes/no options;
Choosing technical settings or preference dashboard settings;
Responding to an email requesting consent;
Answering yes to a clear oral consent request;
Volunteering optional information for a specific purpose (such as optional fields in a form); and
Dropping a business card into a box.
This list isn’t exhaustive, but the point is that consent requests need the individual to provide a clear positive action. Consent requests must not rely on silence, inactivity, default settings, taking advantage of inattention or inertia, or default bias in any other way.
If you are in any doubt as to whether you need to seek consent from your customers allowing you to use their data for direct marketing promotional purposes (including sending lock screen messages) we recommend you seek specialist legal advice.