Running a Compliant Business

Do I Need Consent?

Consent is one lawful basis, not the only one. Learn when you actually need it and when you do not.

Intermediate 14 min
This module is general information, not legal advice, and is being reviewed by our legal team. For your specific situation, consult the official Data Protection Act, 2020 or seek professional advice.

What you will learn

  • What consent means under the Act
  • When consent is required and when it is not
  • How consent applies to marketing and cookies
  • What makes consent valid

Overview

"Do I need consent?" is one of the most common questions in data protection, and the answer surprises people: not always. Consent is just one of several lawful reasons you can process personal data. Sometimes it is the right one, and sometimes another basis fits better.

Why this matters

Relying on consent when you do not need it creates work and fragility, because consent can be withdrawn. Relying on it when you should have asked, for example for marketing, leaves you exposed. Getting this right keeps you both compliant and practical.

What the law says

The Act requires a lawful basis for processing personal data (this flows from the first standard, ). Consent is one basis. Others include processing that is necessary to perform a contract, to meet a legal obligation, or for certain legitimate purposes.

When you do rely on consent, it must be:

  • Freely given. No pressure, and not bundled into unrelated terms.
  • Specific. Tied to a clear purpose, not a vague catch-all.
  • Informed. The person knows what they are agreeing to.
  • A clear action. A positive opt-in, not a pre-ticked box or silence.
Tip. Before reaching for consent, ask whether another lawful basis fits. If you must keep records to deliver a service the customer asked for, "performing a contract" may be the better basis.
  • Marketing by email, SMS, or similar.
  • Cookies and similar tracking on your website, beyond what is strictly necessary.
  • Sensitive personal data, where consent is often part of the stronger justification required.
  • Keeping the records you need to deliver a service the person asked for.
  • Meeting a legal or regulatory obligation.
  • Core, expected administration of an existing relationship.
Watch out. If you rely on consent, you must also make it easy to withdraw. An unsubscribe link that does not work, or a buried opt-out, undermines the consent you collected.

Common mistakes

  • Treating consent as the answer to everything.
  • Using pre-ticked boxes or vague, bundled agreements.
  • Collecting consent but keeping no record of it.

Best practices

  • Decide and document your lawful basis for each processing activity.
  • Where you use consent, keep a record of what was agreed and when.
  • Make opting out as easy as opting in.

Put this into practice

Capture clear, specific consent where you need it, with a record you can rely on later.

Generate a consent form

Frequently asked questions

Not always. You may rely on another lawful basis, such as performing a contract or meeting a legal obligation.

Key takeaways

  • Consent is one of several lawful bases, not a requirement for everything.
  • When you do rely on consent, it must be freely given, specific, and informed.
  • Marketing and similar activities usually need clear consent.
  • Keep a record of what people agreed to and when.

Related

Ask the Privacy Assistant

Beta