4 min read

Writen by Zlatko Delev

Posted on: August 10, 2021

How should you write a consent request and what information it should contain?

How should you write a consent request?

Consent requests need to be prominent, concise, easy to understand and separate from any other information such as general terms and conditions.

Article 7(2) says:

“If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.”

You should:

  • keep your consent request separate from your general terms and conditions, and clearly direct people’s attention to it;
  • use clear, straightforward language;
  • adopt a simple style that your intended audience will find easy to understand – this is particularly important if you are asking children to consent, in which case you may want to prompt parental input and you should also consider age-verification and parental-authorisation issues;
  • avoid technical or legal jargon and confusing terminology (eg double negatives);
  • use consistent language and methods across multiple consent options; and
  • keep your consent requests concise and specific, and avoid vague or blanket wording.

What information should a consent request include?

Consent must be specific and informed. You must as a minimum include:

  • the name of your organisation and the names of any other controllers who will rely on the consent – consent for categories of third-party controllers will not be specific enough;
  • why you want the data (the purposes of the processing);
  • what you will do with the data (the processing activities); and
  • that people can withdraw their consent at any time. It is good practice to tell them how to withdraw consent.

This is separate from the transparency requirements of the right to be informed. You must also make sure you give individuals sufficient privacy information to comply with their right to be informed, but you don’t have to do this all in the consent request and there is more scope for a layered approach.

There is a tension between ensuring that consent is specific enough and making it concise and easy to understand. In practice this means you may not be able to get blanket consent for a large number of controllers, purposes or processes. This is because you won’t be able to provide prominent, concise and readable information that is also specific and granular enough.

If you do need to include a lot of information, take care to ensure it’s still prominent and easy to read.

You may need to consider whether you have another lawful basis for any of the processing, so that you can focus your consent request. If you use another basis, you will still need to provide clear and comprehensive privacy information, but – as noted above – this is different from a consent request and there is more scope for a layered approach.

You could also consider using ‘just-in-time’ notices. These work by appearing on-screen at the point the person inputs the relevant data, with a brief message about what the data will be used for. This will help you provide more information in a prominent, clear and specific way to ensure that consent is informed. However, you will need to combine the notices with an active opt-in and ensure this is not unduly disruptive to the user. There’s more on methods of consent below.

Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.

Contact Us

Recent blogs

ISO 27001 Controls: A Comprehensive Step-by-Step Guide

Organisations in today's world filled with technology require a good information security setup and

Comparing Information Security Frameworks and Data Protection Frameworks

With cyber threats evolving at an unprecedented rate and regulations tightening globally, understan

EU AI Act Summary: Key Compliance Insights for Businesses

The EU AI Act is a pioneering attempt to regulate AI systems, striving for a balance between foster

Get Your Account Now

Setup in just a few minutes. Enter your company details and choose the services you need.

Create Account

Get In Touch

Not sure which option to choose? Call, email, chat to us

Contact Us

Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.

Full Name is required!

Business Email is required!

Company is required!

Please accept the Terms and Conditions and Privacy Policy