Consent is one of the most important concepts in the General Data Protection Regulation (GDPR) and the Australian Privacy Principles (APPs). Both laws require organizations to obtain consent from individuals before processing their personal data, unless there is another lawful basis for processing.

However, consent is not always easy to obtain. To be valid, consent must be freely given, specific, informed, and unambiguous. This means that individuals must be given a real choice about whether or not to consent, and they must be clearly informed about how their personal data will be used.

Here are some tips on how to obtain valid consent under the GDPR or APPs:

  1. Make it easy for individuals to understand what they are consenting to. This means using clear and concise language, and avoiding jargon and technical terms. You should also explain the purpose of the processing and how the individual’s personal data will be used.
  2. Give individuals a real choice about whether or not to consent. This means that they should not be forced or coerced into consenting. You should also make it clear that they have the right to withdraw their consent at any time.
  3. Obtain separate consent for different purposes. This is because individuals may be willing to consent to some types of processing, but not others. For example, an individual may be willing to consent to their personal data being used for marketing purposes, but not for credit scoring purposes.
  4. Use a consent management platform (CMP). A CMP can help you to manage consent in a compliant way. CMPs can help you to obtain consent for different purposes, and they can also help you to track and manage consent withdrawals.
How to Obtain Valid Consent Under the GDPR or APPs
How to Obtain Valid Consent Under the GDPR or APPs

Here are some additional tips for obtaining valid consent:

  • Use a layered approach to consent. This means providing individuals with different ways to consent, such as through a checkbox on a website form, or through a pop-up banner. This gives individuals more control over their consent choices.
  • Use opt-in consent. This means that individuals must actively opt in to consent, rather than having their consent assumed.
  • Use just-in-time consent. This means only asking individuals for consent when it is needed. For example, you might only ask for consent to use cookies when a user first visits your website.
  • Provide individuals with information about their consent rights. This includes their right to withdraw their consent at any time.

Failure to obtain valid consent can result in significant fines and reputational damage. Therefore, it is important to take the time to implement a robust consent management process.

Here are some examples of what constitutes valid consent:

  • An individual ticks a checkbox on a website form to agree to their personal data being used for marketing purposes.
  • An individual signs a consent form before participating in a clinical trial.
  • An individual gives their oral consent to a doctor to access their medical records.

Here are some examples of what does not constitute valid consent:

  • An individual is pre-checked into a mailing list without their knowledge or consent.
  • An individual is forced to consent to processing in order to access a service.
  • An individual’s consent is assumed because they do not opt out of processing.

In the end…

Obtaining valid consent is an essential part of compliance with the GDPR and the APPs. By following the tips in this blog article, you can help to ensure that your organization is obtaining valid consent from individuals.