What Is GDPR Consent?
Under UK GDPR, consent is one of six lawful bases for processing personal data — but it has specific requirements that many SMEs get wrong, particularly in marketing contexts.
Key Takeaways
- GDPR consent must be freely given, specific, informed, and unambiguous — pre-ticked boxes do not qualify.
- Consent can be withdrawn at any time and must be as easy to withdraw as to give.
- For direct email marketing to individuals, PECR applies alongside UK GDPR and requires prior opt-in consent.
- Consent is often not the best lawful basis for SMEs — legitimate interests may be more appropriate for some activities.
What valid GDPR consent looks like
Under UK GDPR, consent is defined as 'any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.' This means:
- the individual must actively opt in (silence, pre-ticked boxes, and inactivity do not constitute consent);
- the consent must be specific to the purpose for which data will be used (bundled consent covering multiple uses is not valid);
- the individual must be clearly told what they are consenting to before they consent; and
- withdrawal of consent must be as easy as giving it.
Your consent records must include: who consented, when, what they were told, and how they consented.
Consent for email marketing
Email marketing to individuals (not businesses as such) is primarily governed by the Privacy and Electronic Communications Regulations 2003 (PECR) as well as UK GDPR. PECR requires prior explicit consent before sending marketing emails to individual subscribers (including personal email addresses and sole traders). The key rules are:
- you must have a clear opt-in from the individual before sending marketing;
- the opt-in must be specific to email marketing from your organisation; and
- every marketing email must include an unsubscribe mechanism that works immediately.
The 'soft opt-in' exception allows you to market to existing customers who bought a similar product or service from you and were given the opportunity to opt out at the time — this is frequently misapplied and should be reviewed carefully.
When consent is not the right basis
Many SMEs default to consent as their lawful basis for data processing because it feels the most obvious. However, consent requires ongoing management (records, withdrawal mechanisms, re-consent if purposes change) and can complicate operations if individuals withdraw it. For many business activities, other lawful bases are more appropriate and more stable. Legitimate interests allows processing that is necessary for your genuine business interests, provided those interests are not overridden by the individual's rights — it is suitable for many B2B marketing activities and internal business analytics. Contract covers processing necessary to fulfil a contract with the individual. Legal obligation covers payroll, tax, and regulatory requirements. Using the right basis from the outset makes compliance simpler and more sustainable.
Managing and documenting consent
If you rely on consent as your lawful basis for any processing, you must be able to demonstrate that valid consent was obtained — this is the principle of accountability under UK GDPR. In practice this means keeping records of: the consent form or mechanism used, the text shown to the individual at the point of consent, the date and time of consent, and how the individual can withdraw consent. Most email marketing platforms (Mailchimp, Klaviyo, etc.) maintain these records automatically. For web forms, ensure your platform logs consent data with timestamps. If you cannot demonstrate that you obtained valid consent, you cannot rely on consent as your lawful basis — and processing without a valid lawful basis is a breach of UK GDPR that can be referred to the ICO.
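The consent-record requirements above (who, when, what they were told, how they consented, and withdrawal) as a small added example of a consent ledger, written for this page and not taken from any named marketing platform; the field names, the `validation_errors` check and the `utc` helper are assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

def utc(y, m, d, h=0, mi=0):
    """Helper (assumed) for building timezone-aware audit timestamps."""
    return datetime(y, m, d, h, mi, tzinfo=timezone.utc)

@dataclass
class ConsentRecord:
    subject_id: str            # who consented
    purpose: str               # one specific purpose, e.g. "email_marketing"
    notice_text: str           # exact wording shown at the point of consent
    mechanism: str             # how: "web_form_checkbox", "double_opt_in_email", ...
    affirmative_action: bool   # did the person actively opt in?
    given_at: datetime         # when (must be timezone-aware)
    checkbox_prechecked: bool = False
    withdrawn_at: Optional[datetime] = None

def validation_errors(rec: ConsentRecord) -> list:
    """Reasons this record would NOT demonstrate valid consent (empty list = valid)."""
    errors = []
    if not rec.affirmative_action or rec.checkbox_prechecked:
        errors.append("no clear affirmative action (pre-ticked box or inactivity)")
    if not rec.purpose.strip() or any(sep in rec.purpose for sep in (",", ";")):
        errors.append("purpose must be a single specific purpose, not bundled")
    if not rec.notice_text.strip():
        errors.append("no record of what the individual was told")
    if rec.given_at.tzinfo is None:
        errors.append("timestamp must be timezone-aware to be auditable")
    return errors

def is_active(rec: ConsentRecord, purpose: str, at: datetime) -> bool:
    """True only if valid consent for `purpose` was given before `at` and not withdrawn by then."""
    if validation_errors(rec) or rec.purpose != purpose or rec.given_at > at:
        return False
    return rec.withdrawn_at is None or rec.withdrawn_at > at

def withdraw(rec: ConsentRecord, at: datetime) -> ConsentRecord:
    """Withdrawal is as easy as giving consent: one unconditional call."""
    rec.withdrawn_at = at
    return rec
```

Keeping `notice_text` as a verbatim snapshot (not a pointer to a page that may change later) is what lets you show what the person was actually told at the time.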