GDPR - consent must not be hidden in your terms

In a previous legal update (GDPR - you need to undertake an information audit), we discussed your data audit. If, as part of that audit, you have decided you want to rely on consent as your legal basis for processing personal data, are you sure you meet the high standards the GDPR sets out?

If you have collected names and email addresses over the years by putting a box on your sales invoice which requires a customer to tick if they do not want to be on your emailing list, you will almost certainly find this to be a breach of the GDPR. Why? Because the criteria for consent have changed.

Your box has to require people to opt in, not opt out. The difference is subtle, but the Information Commissioner's Office (ICO) will want to see that people were abundantly aware that you told them you would be using their information and that you gave them a clear and genuine choice.

The consent must not be hidden within your terms and conditions. It should be separate and clear.

You cannot have a tick already in a box on an online field which requires a person to untick to remove consent. There must be what the ICO calls a positive opt-in.

You cannot demand or assume consent. For example, you cannot say that a person consented to you sending them details of a special offer simply because they bought a car from you and gave you their details for the invoice. Keeping the personal data on the invoice is fine, as it is required for the contract and for you to fulfil your legal obligation to keep proper tax records etc., but this does not mean you can decide to use that same data for marketing purposes. No clear consent to receiving marketing = no marketing.

The ICO say consent has to be specific and granular. This means, for example, that you cannot rely on consent for marketing just because the customer has consented to you sending their details to a finance house to get car finance. You have to make clear to the customer exactly what you will do with their data. There is no one-size-fits-all consent.

If you are sending details to a finance house, you need to name the finance house. A customer must know to whom you are sending their information.

If asked, you will need to be able to prove to the ICO that you have consent, so you need to ensure your record keeping is in good order. You will need records of who consented, what exactly you told them they were consenting to, the date of consent and how the customer consented.

In addition to all the above, you must tell your customer that they can withdraw consent at any time and tell them how to do this.

In summary, if you are relying on consent, which will most usually be for marketing purposes, make sure your records are sufficient to prove to the ICO that your customer clearly understood what they were consenting to. That way, you should avoid a fine.

Lawgistics members can get support with GDPR compliance by speaking with a legal advisor.


Authors: Nona Bowkis

Published: 23 Jan 2018
