GDPR Countdown 2: How to get consumer consent and when is it required?

Share on twitter
Share on linkedin
Share on facebook

In today’s article, part 2 of our countdown to GDPR on May 25, we look at what the European Union General Data Protection Regulation (GDPR) says about consumer consent. For a discussion of when the GDPR can apply to Australian businesses see

consumer consent


By Dr Drew Donnelly, Compliance Quarter.
  1. Consent Defined

The definition of consent in article 4(11) of the GDPR provides that it be “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Compared to the existing EU data protection rules, and the definition in the Australian Privacy Act 1988, there is a greater emphasis in the GDPR consent definition on positive action from the data subject.

  1. Implementing Meaningful Consent

In implement the new definition of consent, draft guidance from the UK Information Commissioner is useful.[1] This guideline provides that consent should be

  • For example, a request for consent to send marketing emails should be separated from other terms and conditions. It should not be a pre-condition to a service;
  • Active opt-in. This means no pre-ticked opt-in boxes. An organisation could instead use unticked opt-in boxes or other active methods such as binary choice;
  • Organisations should give ‘granular’ options, allowing a data subject to consent separately to different types of processing (if there will be different types of processing) wherever appropriate;
  • The organisation should be named as well as any third parties who will be relying on the consent;
  • Organisations should keep records to demonstrate that the individual has consented to, including what they were told, and when and how they consented;
  • Easy to withdraw. Organisations should tell data subjects that they have the right to withdraw their consent at any time, and how to do it. It should be as easy to withdraw as it was to give consent.
  1. When is consent required?

Consent is a very important, but not the only, lawful ground for processing personal data. Under article 6(1), other grounds include where that processing is necessary for:

  • Fulfilment of a contract with the individual;
  • Compliance with a legal obligation;
  • Vital interests. You can process personal data if it’s necessary to protect someone’s life;
  • An official public function. if you need to process personal data to carry out your official functions or a task in the public interest;
  • Legitimate interests. If you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests. Organisations should take special care before processing data on this ground. Recital 47 to the GDPR states “the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place”.

If you would like tailored advice as to how your organisation can update its compliance program to account for the new consent requirements, please get in contact with us.

[1] See

More to explorer

Technicians installing photovoltaic solar panels on roof of house.

Compliance Quarter’s Submission to the AER’s Review of the Compliance Procedures and Guidelines

On 11 April 2024, Compliance Quarter put forward its submission on proposed changes to the AER Compliance Procedures and Guidelines. The AER is reviewing its Compliance procedures and guidelines, which set out the manner and form in which energy businesses in jurisdictions that have adopted the National Energy Retail Law must submit compliance information and data to the AER. We argue that there should be consideration of measures to incentivise early reporting of potential breaches. These may, for example, take the

person wearing foo dog costume

Obligations of Energy Retailers Regarding Best Offer Information

Energy retailers in Victoria have specific obligations under the Energy Retail Code of Practice to provide clear information to customers about their ‘best offer’ – that is, the plan that would minimize the customer‘s energy costs based on their usage history. The objective is to ensure small customers can easily understand whether they are on the retailer‘s best plan for them and how to access the retailer‘s best offer if not. One of the significant challenges in the energy sector (as in banking and elsewhere) is that customers

low angle photo of sydney opera house australia

Guide to the National Energy Retail Rules

The National Energy Retail Rules (NERR) are a set of rules that govern the sale and supply of electricity and gas by retailers to consumers in Australia, alongside the related National Energy Retail Law (NERL). The NERR came into effect on 1 July 2012 in Tasmania, the Australian Capital Territory, and the Commonwealth. South Australia followed on 1 February 2013, New South Wales on 1 July 2013, and Queensland on 1 July 2015. The NERR do not yet apply in

Leave a Reply

Your email address will not be published. Required fields are marked *