Consent requests need to be prominent, concise, easy to understand and separate from any other information such as general terms and conditions.
Article 7(2) says:
“If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.”
You should:
Consent must be specific and informed. You must as a minimum include:
This is separate from the transparency requirements of the right to be informed. You must also make sure you give individuals sufficient privacy information to comply with their right to be informed, but you don’t have to do this all in the consent request and there is more scope for a layered approach.
There is a tension between ensuring that consent is specific enough and making it concise and easy to understand. In practice this means you may not be able to get blanket consent for a large number of controllers, purposes or processes. This is because you won’t be able to provide prominent, concise and readable information that is also specific and granular enough.
If you do need to include a lot of information, take care to ensure it’s still prominent and easy to read.
You may need to consider whether you have another lawful basis for any of the processing, so that you can focus your consent request. If you use another basis, you will still need to provide clear and comprehensive privacy information, but – as noted above – this is different from a consent request and there is more scope for a layered approach.
You could also consider using ‘just-in-time’ notices. These work by appearing on-screen at the point the person inputs the relevant data, with a brief message about what the data will be used for. This will help you provide more information in a prominent, clear and specific way to ensure that consent is informed. However, you will need to combine the notices with an active opt-in and ensure this is not unduly disruptive to the user. There’s more on methods of consent below.