Tolulope Ogundele

Understanding Explicit Consent under GDPR


Consent is one of the six lawful grounds for processing personal data under the GDPR. For consent to be considered validly obtained, it must be freely given, specific, informed, and unambiguous. In simple terms, this means you cannot rely on vague or unclear language when requesting consent – individuals must clearly understand what they are agreeing to without any confusion.

Within the GDPR, explicit consent represents a higher standard of consent that is required in specific situations, chiefly when processing special categories of data or where the processing is likely to significantly affect the individual. If you want to learn how to collect ordinary consent, rather than explicit consent, see our blog: How to gather consent correctly under the GDPR?

In this article, we will explore the concept of explicit consent, discuss the situations where it is required, provide guidance on how to obtain it effectively and offer insights into ensuring continuous compliance with GDPR requirements.

What is Explicit Consent under GDPR?

Explicit consent refers to an individual's clear, specific, and unambiguous statement of agreement regarding the processing of their personal data.

Unlike general consent, which can sometimes be inferred from actions or implied, explicit consent requires a direct, deliberate, and conscious action from the data subject.

The main distinction between general and explicit consent is that explicit consent requires clear and affirmative action to be valid. While general consent might be implied or less formally expressed, explicit consent demands a clear, affirmative statement from the individual. Explicit consent ensures that the individual fully understands and agrees to the specific processing activities that will take place.

Explicit consent can be seen in various practical scenarios. For instance:

  • Signing a Consent Form: An individual signs a form that clearly outlines the specific use of their personal data.
  • Checking an Opt-In Box: A user checks a box that is not pre-selected, indicating their agreement to receive marketing emails. A pre-checked box presents the controller's preferred choice as the default and does not show that the user made an active decision. Additionally, vague or unclear wording in a consent request can leave the user confused about what checking or unchecking the box actually means, which further undermines the validity of the consent.
  • Verbal Agreement: In some cases, a verbal statement, such as saying, "I consent to the processing of my health data," may also constitute explicit consent. In these cases, as with other forms of consent, it is important to ensure that the consent is adequately documented.

Key Components of a GDPR-Compliant Explicit Consent

Explicit consent must have four key components: it must be freely given, specific, informed, and unambiguous.

  1. Freely Given: Consent must be provided voluntarily, without any form of pressure or coercion. The data subject should have a genuine choice and must be able to refuse or withdraw their consent at any time without facing any negative consequences. For example, if a company requires customers to opt-in to receive marketing emails, they should not make subscribing to them a condition for accessing their services. Customers should be able to use the service even if they choose not to receive marketing communications.
  2. Specific: Consent must be obtained for distinct purposes. Requesting blanket consent, such as agreeing to all potential data processing activities in one broad statement or accepting a Privacy Policy, is insufficient. In other words, simply agreeing to the phrase "I consent to marketing activities" does not meet the requirement for specificity under the GDPR. Instead, each purpose for data processing should be outlined, with the individual having the choice to consent to each outlined purpose. If you're looking for a formula to create consent statements, see our GDPR Consent Formula.
  3. Informed: The data subject must be fully aware of the data processing activities involved to give valid consent. This includes knowing who is collecting the data (the identity of the controller), the purposes of the data processing, the types of data being processed, and their rights.
  4. Unambiguous: Consent must be expressed clearly and affirmatively by the data subject. There must be no room for doubt about their agreement. Actions such as ticking a checkbox, signing a document, or any other clear indication of consent can help to achieve unambiguity.

Situations Requiring Explicit Consent

Under the GDPR, explicit consent is mandatory in specific situations due to the sensitive nature of the data or its potential impact on the individual. These situations include:

  • processing special categories of personal data;
  • automated decision-making and profiling; and
  • transferring personal data to third countries without adequate data protection.

Processing of Special Categories of Personal Data

Special categories of data are types of data that could be used to segregate, discriminate against or harm someone. The GDPR defines them in Article 9. They include:

  • data revealing racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • health data
  • biometric data, and
  • information related to a person's sexual orientation or habits.

Given the potential impact on the fundamental rights and freedoms of individuals, processing these types of data generally requires explicit consent, and justifying another legal basis is difficult.

Automated Decision-Making and Profiling

The GDPR gives individuals the right not to be subject to decisions made solely by automated systems, such as computer algorithms, where those decisions have serious legal effects, unless the person has given explicit consent. For example, when applying for a job or a loan, individuals have a right to ask that such decisions be made only with human oversight. According to Article 22 of the GDPR, individuals should not be subject to decisions based solely on automated processing, including profiling, that produce legal effects or significantly affect them, unless explicit consent has been obtained. This requirement ensures that individuals retain control over decisions that could significantly affect them, such as those concerning employment, creditworthiness, or access to services. Another lawful basis, such as the performance of a contract, may also allow automated decision-making, but explicit consent remains a key requirement in many cases.

Transfers of Personal Data to Third Countries Without Adequate Data Protection

When transferring personal data to countries outside the European Union that do not have adequate data protection measures, such as an adequacy decision or other appropriate safeguards, Article 49 of the GDPR allows for explicit consent as a valid lawful basis for such transfers. In these instances, the data subject must be fully informed of the potential risks to their rights and freedoms due to the transfer.

Additionally, the ePrivacy Directive requires explicit consent to be obtained before non-essential cookies, such as those used for tracking and advertising, are set. Continuing to browse a website, without taking any further action, does not amount to explicit consent.

How to Obtain and Document Explicit Consent

When seeking to obtain explicit consent under the GDPR, it is essential to ensure that the process is clear, transparent, and easily understandable. Key steps to obtaining valid explicit consent include:

  1. Use Clear and Plain Language

Consent requests must be written in clear, simple language that anyone can understand. Vague or complex terminology must be avoided. One useful tool for assessing the readability of consent language is the Flesch Reading Ease score, which measures how easily a text can be read based on its word and sentence structure.
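As an added example (not code from the original article or from Privasee), the following Python script scores two constructed consent statements for the same purpose with the Flesch Reading Ease formula and flags the one that falls below an assumed "plain English" threshold. The formula is the standard one (206.835 − 1.015 × words/sentences − 84.6 × syllables/words); the syllable counter is a simple vowel-group heuristic, so the scores are approximate, and the threshold of 60 is an assumption to be set per policy.

```python
import re

_VOWEL_GROUP = re.compile(r"[aeiouy]+")


def count_syllables(word: str) -> int:
    """Approximate syllable count: vowel groups, minus a trailing silent 'e'."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    n = len(_VOWEL_GROUP.findall(w))
    # "time" -> 1, but keep "table" -> 2 and one-vowel words such as "the".
    if w.endswith("e") and not w.endswith("le") and n > 1:
        n -= 1
    return max(n, 1)


def flesch_reading_ease(text: str) -> float:
    """Standard Flesch Reading Ease score; higher means easier to read."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    if not sentences or not words:
        raise ValueError("text must contain at least one word and one sentence")
    syllables = sum(count_syllables(w) for w in words)
    return (206.835
            - 1.015 * (len(words) / len(sentences))
            - 84.6 * (syllables / len(words)))


# Constructed sample statements for the same purpose: one plain, one legalistic.
PLAIN_STATEMENT = "We will email you our monthly newsletter. You can stop at any time."
JARGON_STATEMENT = ("Pursuant to the aforementioned provisions, the undersigned hereby "
                    "authorises the controller to disseminate communications of a "
                    "promotional nature.")

# Assumed threshold: roughly the "plain English" band of the Flesch scale.
MIN_ACCEPTABLE_SCORE = 60.0


def review_statement(text: str) -> dict:
    """Score a consent statement and report whether it clears the threshold."""
    score = flesch_reading_ease(text)
    return {"score": round(score, 1), "passes": score >= MIN_ACCEPTABLE_SCORE}


if __name__ == "__main__":
    for label, text in (("plain", PLAIN_STATEMENT), ("jargon", JARGON_STATEMENT)):
        print(label, review_statement(text))
```

Run on the two samples, the plain statement scores roughly 83 and passes, while the legalistic one scores below zero and is flagged for rewriting before it reaches a consent form.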

  2. Consent Requests must be Specific

Consent requests should be presented separately from terms and conditions, general agreements, or other legal terms. The consent request should be easily distinguishable from other requests or information.

  3. Use Opt-In Mechanisms

Explicit consent must be obtained through affirmative action, such as an opt-in mechanism. This could involve checking an unchecked box or signing a consent form. The opt-in process should make clear that, by opting in, the individual agrees to the specific data processing activities described.

  4. Ensure Granularity in Consent

If multiple purposes require consent, each purpose should be clearly outlined, and consent should be obtained separately for each purpose. That is, if you seek consent to send marketing communications and to share personal data with third parties for marketing purposes, these two activities should be separate requests. Granularity ensures that individuals have control over every aspect of their consent and are not forced into an all-or-nothing decision.

  5. Keep Detailed Records

Obtaining explicit consent alone is not enough; consent must also be documented to comply with the GDPR. Maintaining detailed records of consent is essential and should include:

  • who provided the consent (identifying the individual);
  • when the consent was obtained (date and time);
  • how the consent was given (e.g., via a signed form or a checked box); and
  • what the consent covers (the specific data processing activities).

These records must be easily accessible and retained for the duration of the consent. Additionally, it's important to document whether consent has been withdrawn and, if not, when the consent will expire.

  6. Use Consent Management Tools

Consent management tools can be instrumental in tracking and managing consent. These tools allow for the efficient organisation of consent records. They can track consent expiration and automate renewal requests. They also facilitate ease in fulfilling data subject requests by providing easy consent withdrawal mechanisms.

In addition, a privacy dashboard could also be implemented to enable data subjects to view and manage the consent they have provided.

Managing and Withdrawing Explicit Consent

Individuals must be able to revoke their consent as easily as they gave it. If consent was initially provided by checking a box, withdrawing it should be as simple as unchecking a similar box. Data subjects must be able to opt out on their own initiative without encountering additional hurdles.

Data subjects must be informed about how to withdraw their consent. This information should be included in privacy statements and reiterated in consent requests.

Consent should be examined and renewed on a regular basis to ensure its validity and relevance. If data subjects are not contacted on a regular basis, they should be occasionally reminded of their right to withdraw consent and how to do so.
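The granular, per-purpose consent requests described above, the record fields the article lists (who, when, how, what, plus withdrawal and expiry), and the withdrawal rule in this section can be captured in a small consent ledger. The following Python is an added example, not code from the article or from any consent management product; the subject identifiers, purposes, statements and dates are constructed sample data, and the set of accepted opt-in methods is an assumption drawn from the article's own examples.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Methods that count as a clear affirmative action (the article's examples).
# Anything else, e.g. a pre-checked box or continued browsing, is rejected.
AFFIRMATIVE_METHODS = {"unchecked_opt_in_box", "signed_form", "recorded_verbal_statement"}


def is_affirmative_method(method: str) -> bool:
    return method in AFFIRMATIVE_METHODS


@dataclass
class ConsentRecord:
    subject_id: str                      # who gave consent
    purpose: str                         # what it covers: exactly one purpose per record
    method: str                          # how it was given
    statement: str                       # the wording the subject actually agreed to
    given_at: datetime                   # when it was given (timezone-aware)
    expires_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None

    def is_active(self, at: datetime) -> bool:
        """Consent is active from given_at until it is withdrawn or expires."""
        if at < self.given_at:
            return False
        if self.withdrawn_at is not None and at >= self.withdrawn_at:
            return False
        if self.expires_at is not None and at >= self.expires_at:
            return False
        return True


class ConsentLedger:
    def __init__(self) -> None:
        self._records = []  # append-only; withdrawal is recorded, never deleted

    def record(self, subject_id, purpose, method, statement, given_at,
               valid_for: Optional[timedelta] = None) -> ConsentRecord:
        if not is_affirmative_method(method):
            raise ValueError(f"{method!r} is not an affirmative opt-in method")
        if given_at.tzinfo is None:
            raise ValueError("given_at must be timezone-aware")
        expires_at = given_at + valid_for if valid_for else None
        rec = ConsentRecord(subject_id, purpose, method, statement, given_at, expires_at)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> int:
        """Withdraw one purpose only; other purposes stay untouched. Returns count."""
        n = 0
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.is_active(at):
                rec.withdrawn_at = at
                n += 1
        return n

    def has_consent(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Ask before each processing activity, not once at sign-up."""
        return any(r.subject_id == subject_id and r.purpose == purpose and r.is_active(at)
                   for r in self._records)

    def audit_trail(self, subject_id: str) -> list:
        """Everything recorded for one subject, for access requests and audits."""
        return [asdict(r) for r in self._records if r.subject_id == subject_id]


# Constructed sample data (not real records).
T0 = datetime(2024, 8, 1, 9, 0, tzinfo=timezone.utc)
ONE_DAY = timedelta(days=1)


def build_sample_ledger() -> ConsentLedger:
    ledger = ConsentLedger()
    # Two separate requests for two purposes, each with its own exact wording.
    ledger.record("subject-42", "marketing_email", "unchecked_opt_in_box",
                  "Yes, send me the monthly newsletter by email.", T0, 365 * ONE_DAY)
    ledger.record("subject-42", "third_party_marketing", "unchecked_opt_in_box",
                  "Yes, share my email address with partner retailers for their offers.",
                  T0, 365 * ONE_DAY)
    # Thirty days later the subject unticks only the third-party sharing box.
    ledger.withdraw("subject-42", "third_party_marketing", T0 + 30 * ONE_DAY)
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    now = T0 + 31 * ONE_DAY
    for purpose in ("marketing_email", "third_party_marketing"):
        print(purpose, ledger.has_consent("subject-42", purpose, now))
```

The ledger stores one record per purpose, so withdrawing third-party sharing leaves the newsletter consent intact, and `has_consent` is meant to be called at the moment of each send or share so that an expired or withdrawn consent is never relied on.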

Ensuring Compliance and Managing Risks with Explicit Consent

Compliance with explicit consent requirements under the GDPR requires proactive strategies and continuous oversight.

Conducting periodic audits and reviews of consent processes ensures that consent collection practices align with current legal requirements. Incorporating consent process reviews into the organisation's compliance calendar, with dedicated time blocks, can help systematically address any gaps or areas for improvement.

Also, regular training sessions should be conducted to educate employees on the correct procedures for obtaining and handling explicit consent. New employees should receive specific guidelines or procedural documents to complement general data protection training during onboarding. These documents should be regularly reviewed and updated to reflect any regulations or internal process changes.

Frequently Asked Questions about Explicit Consent

What are the penalties for not obtaining explicit consent?

Failure to obtain explicit consent under the GDPR can result in severe consequences. The consequences include substantial fines, potentially reaching up to €20 million or 4% of the company's global annual turnover, whichever is higher. Beyond financial penalties, mishandling personal data or relying on invalid consent can significantly harm an organisation's reputation. A loss of customer trust can lead to decreased engagement, as individuals may hesitate to share their data if they believe it is not being managed responsibly or transparently.

Can explicit consent be inferred from actions?

No, explicit consent cannot be inferred from someone's actions, no matter how obvious their consent may seem. Explicit consent must be clearly and expressly confirmed through a direct statement or action.

How often should explicit consent be reviewed and updated?

There is no fixed time limit for how long explicit consent remains valid; it depends on the context and nature of the data processing. However, consent should be regularly reviewed and updated to remain current and appropriate. Key moments for reviewing consent include significant changes in data processing activities, updates to privacy policies, or changes in relevant regulations. In practice, consider conducting reviews annually or whenever there are substantial changes to the data processing activities or legal requirements.

What is the difference between explicit consent and implicit consent?

Explicit consent requires an individual to take a clear, affirmative action, such as ticking a checkbox or signing a form, explicitly indicating their agreement to specific data processing activities. In contrast, implicit consent is inferred from an individual's actions, like using a service or signing up for a newsletter, without an explicit statement of agreement.

Best Practices for Implementing Explicit Consent

  • Clearly communicate the purpose of data collection and how it will be used. Avoid complex legal jargon.
  • Use unambiguous methods like checkboxes or digital signatures. Avoid pre-checked boxes or implied consent.
  • Allow individuals to withdraw consent at any time through a straightforward process.
  • Keep comprehensive documentation of all consent obtained, including the date, time, and consent method.
  • Periodically assess consent practices to ensure ongoing compliance with legal requirements and identify improvement areas.
  • Avoid dark patterns. Refrain from using deceptive or manipulative design elements to influence consent decisions.
  • Consider using specialised software, such as Privasee, to streamline the consent process and ensure compliance.

The Essential Role of Explicit Consent in GDPR Compliance

In conclusion, explicit consent is fundamental to ensuring compliance with the GDPR. It ensures that individuals have clear control over how their data is used. Consent practices must be reviewed and updated regularly to align with evolving regulations and enhance transparency.

To effectively implement explicit consent, it is crucial to incorporate it into organisational practices from the outset. By designing products and services with privacy as the default, organisations can proactively ensure data subjects have control over the use of their personal data.

Ultimately, explicit consent is more than a legal requirement; it reflects an organisation's respect for data subjects and their right to control their personal data.

Further Reading and Resources on Explicit Consent

EDPB Guidelines 05/2020 on Consent

ICO Guidance on Consent

August 26, 2024
