
Implied Consent Risks Under GDPR: What Your Business Needs to Know 

In Short

  • Under the UK GDPR, consent must be freely given, specific, informed, and actively provided through deliberate action. Implied or assumed consent is not sufficient.
  • Consent is one of six lawful bases for processing personal data. Always evaluate whether it is the most appropriate basis for your processing activities.
  • Make it as easy to withdraw consent as it is to give it. Ensure withdrawal methods are simple and accessible.

Tips for Businesses

Use clear, plain language in consent requests and avoid legal jargon. Keep records of when, how, and for what purposes consent was given to demonstrate compliance. Consider other lawful bases, like legitimate interests, if consent is not suitable. Regularly review and update consents to ensure they remain valid, particularly when processing purposes change.

Processing personal information is subject to strict rules. In particular, data controllers must carefully consider their legal basis for processing personal data. Under the UK General Data Protection Regulation (GDPR), consent is a lawful ground for processing the personal data of data subjects. Under the GDPR, express or implied consent must be freely given, specific, informed, and unambiguous. It must also be able to be withdrawn at any time.

Many businesses mistakenly believe they can simply infer or imply consent from someone’s behaviour. However, businesses cannot assume consent from an individual, e.g., through silence, inactivity, or pre-ticked boxes. Misunderstanding the consent requirements can lead to non-compliance, fines, and reputational damage. This article explores the rules around consent under the UK GDPR, the problems of implied consent, and how your business can manage consent correctly, considering the guidance of the UK ICO. 

How Can Your Business Process Personal Data Lawfully?

The UK GDPR requires your business to identify a lawful basis for every processing activity. Consent is one of six lawful bases, but it is not always the most appropriate. 

Your business should carefully assess whether an alternative basis (such as legitimate interests or contractual necessity) is more suitable for the relevant processing activities, given that consent can be a problematic lawful basis to rely upon. For consent to be valid, individuals must have genuine choice and control over whether their data is processed.

For consent to be valid under UK GDPR, individuals must actively indicate their agreement, such as by signing a form or clicking a confirmation button. Simply remaining silent or failing to opt out will not qualify as valid consent. Your business must ensure consent involves a clear and deliberate action, leaving no room for ambiguity. 

Consent must also be specific and informed: individuals must understand precisely what they agree to and for what purposes their data will be used. Providing vague consent options undermines transparency and invalidates consent.

Your business simply inferring consent does not meet the UK GDPR’s strict requirements. Your company should ensure that consent is specific, informed, and verifiable. Keeping records of how, when, and what individuals consented to allows your business to demonstrate compliance.

Implied consent creates uncertainty, contradicting the UK GDPR’s emphasis on explicit and informed choices. Similarly, pre-filled forms or default settings that assume consent do not meet the UK GDPR’s high standards, as they fail to involve individuals’ active participation in consent. Without clear evidence that individuals knowingly consented to data processing, your business risks fines, reputational damage, and legal challenges.

Managing consent can be challenging because individuals can withdraw it at any time. Your business must make it as easy to withdraw consent as it is to give it. Withdrawal processes must be simple and effective, and your company must not penalise individuals for withdrawing consent. Consent must also be specific and granular. Your business should provide individuals with options to choose which purposes or types of processing they agree to. In practice, it can be challenging to manage consent. 

Your business can adopt proactive measures to ensure compliance. Managing consent effectively involves several key steps; for instance, you should consider the following:

  • evaluate whether consent is the correct lawful basis for your processing activities from the outset. Consider alternatives such as legitimate interests or contractual necessity if consent is unsuitable. Using consent unnecessarily can confuse individuals and create compliance risks;
  • when requesting consent, make sure your requests are clear, specific, and separate from other terms or agreements. Use plain language and avoid legal jargon. You should ensure that individuals actively opt-in by ticking a box or signing a form. Avoid pre-ticked boxes or vague statements that may confuse individuals;
  • review and refresh consents if your purposes or activities change; 
  • keep accurate records documenting who consented, when and how they gave consent, and what they were told at the time. These records are critical if your business faces a legal challenge; and
  • make it straightforward for individuals to withdraw consent. Ensure withdrawal methods are easily accessible and do not create barriers or penalties for those who withdraw consent.

Key Takeaways

Implied consent does not always meet the high standards of the UK GDPR. Your business must ensure consent is freely given, specific, informed, and actively provided through deliberate action. Do not rely on implied or assumed consent, as this could mean you breach the UK GDPR rules and face various negative implications due to your unlawful processing.

Frequently Asked Questions

Can my business rely on implied consent?

No, the UK GDPR’s standards for consent are strict, and you must not simply infer that an individual has consented. Your business needs to ensure that valid consent has been granted, which involves explicit affirmative action, such as ticking a box or signing a form.

Do I always need consent?

No, this is a common misconception. Consent is just one lawful basis on which to process personal data lawfully under the UK GDPR. Various other lawful bases, like fulfilling a contract or pursuing legitimate interests, may be suitable depending on the relevant processing. Before asking for consent, consider whether it is the right option for your business needs. You can seek legal advice from a data protection solicitor if you need guidance.

Sej Lamba

Sej is an Expert Legal Contributor at LegalVision. She is an experienced legal content writer who enjoys writing legal guides, blogs, and know-how tools for businesses. She studied History at University College London and then developed a passion for law, which inspired her to become a qualified lawyer.

Qualifications: Legal Practice Course, Kaplan Law School; Graduate Diploma in Law, Kaplan Law School; BA, History, University College.
