Running a Compliant Business
Do I Need Consent?
Consent is one lawful basis, not the only one. Learn when you actually need it and when you do not.
What you will learn
- What consent means under the Act
- When consent is required and when it is not
- How consent applies to marketing and cookies
- What makes consent valid
Overview
"Do I need consent?" is one of the most common questions in data protection, and the answer surprises people: not always. Consent is just one of several lawful reasons you can process personal data. Sometimes it is the right one, and sometimes another basis fits better.
Why this matters
Relying on consent when you do not need it creates work and fragility, because consent can be withdrawn. Relying on it when you should have asked, for example for marketing, leaves you exposed. Getting this right keeps you both compliant and practical.
What the law says
The Act requires a lawful basis for processing personal data (this flows from the first standard, ). Consent is one basis. Others include processing that is necessary to perform a contract, to meet a legal obligation, or for certain legitimate purposes.
When you do rely on consent, it must be:
- Freely given. No pressure, and not bundled into unrelated terms.
- Specific. Tied to a clear purpose, not a vague catch-all.
- Informed. The person knows what they are agreeing to.
- A clear action. A positive opt-in, not a pre-ticked box or silence.
When consent is usually needed
- Marketing by email, SMS, or similar.
- Cookies and similar tracking on your website, beyond what is strictly necessary.
- Sensitive personal data, where consent is often part of the stronger justification required.
When consent is usually not needed
- Keeping the records you need to deliver a service the person asked for.
- Meeting a legal or regulatory obligation.
- Core, expected administration of an existing relationship.
Common mistakes
- Treating consent as the answer to everything.
- Using pre-ticked boxes or vague, bundled agreements.
- Collecting consent but keeping no record of it.
Best practices
- Decide and document your lawful basis for each processing activity.
- Where you use consent, keep a record of what was agreed and when.
- Make opting out as easy as opting in.
Put this into practice
Capture clear, specific consent where you need it, with a record you can rely on later.
Generate a consent formFrequently asked questions
Key takeaways
- Consent is one of several lawful bases, not a requirement for everything.
- When you do rely on consent, it must be freely given, specific, and informed.
- Marketing and similar activities usually need clear consent.
- Keep a record of what people agreed to and when.
