How should you write a consent request and what information it should contain?

How should you write a consent request?

Consent requests need to be prominent, concise, easy to understand and separate from any other information such as general terms and conditions.

Article 7(2) says:

“If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.”

You should:

• keep your consent request separate from your general terms and conditions, and clearly direct people’s attention to it;
• use clear, straightforward language;
• adopt a simple style that your intended audience will find easy to understand – this is particularly important if you are asking children to consent, in which case you may want to prompt parental input and you should also consider age-verification and parental-authorisation issues;
• avoid technical or legal jargon and confusing terminology (eg double negatives);
• use consistent language and methods across multiple consent options; and
• keep your consent requests concise and specific, and avoid vague or blanket wording.

What information should a consent request include?

Consent must be specific and informed. You must as a minimum include:

• the name of your organisation and the names of any other controllers who will rely on the consent – consent for categories of third-party controllers will not be specific enough;
• why you want the data (the purposes of the processing);
• what you will do with the data (the processing activities); and
• that people can withdraw their consent at any time. It is good practice to tell them how to withdraw consent.

This is separate from the transparency requirements of the right to be informed. You must also make sure you give individuals sufficient privacy information to comply with their right to be informed, but you don’t have to do this all in the consent request and there is more scope for a layered approach.

There is a tension between ensuring that consent is specific enough and making it concise and easy to understand. In practice this means you may not be able to get blanket consent for a large number of controllers, purposes or processes. This is because you won’t be able to provide prominent, concise and readable information that is also specific and granular enough.

If you do need to include a lot of information, take care to ensure it’s still prominent and easy to read.

You may need to consider whether you have another lawful basis for any of the processing, so that you can focus your consent request. If you use another basis, you will still need to provide clear and comprehensive privacy information, but – as noted above – this is different from a consent request and there is more scope for a layered approach.

You could also consider using ‘just-in-time’ notices. These work by appearing on-screen at the point the person inputs the relevant data, with a brief message about what the data will be used for. This will help you provide more information in a prominent, clear and specific way to ensure that consent is informed. However, you will need to combine the notices with an active opt-in and ensure this is not unduly disruptive to the user. There’s more on methods of consent below.