Invalid consent under GDPR – common mistakes and how to avoid them
Under the GDPR, consent must be freely given, informed, specific and unambiguous. If these requirements are not met, the consent is invalid and the processing lacks a legal basis for processing personal data. This means the processing itself may be unlawful even if the word “consent” appears in a contract or a tick box.
A common error is to rely on consent without ensuring the individual had a genuine choice and could make an informed decision. Ensuring a genuine choice is particularly important where there is an imbalance of power, for example between employer and employee, or where consent is a condition of accessing a service – which in practice makes it forced consent GDPR. Ensuring an informed decision is especially critical where the processing is complex and difficult to describe succinctly, or where purposes are not clearly defined before consent is sought. In short, valid consent must be freely given consent GDPR, reflect specific consent GDPR and demonstrate unambiguous consent GDPR.
Examples of invalid consent under GDPR
- Consent is obtained without sufficient information about what it covers (no informed, specific consent GDPR).
- The data subject feels there is no real alternative but to provide consent (a form of forced consent GDPR).
- There is no clear and accessible way to withdraw consent (breaching the right to withdraw consent GDPR).
A single tick box for consent is not enough. Consent must stand up legally under scrutiny – otherwise it can lead to administrative fines, loss of trust and, in the worst case, an order to cease processing. Organisations should also be prepared to produce evidence of consent GDPR that shows how each requirement was satisfied.
When consent fails as a legal basis for processing personal data
Review how you collect consents. Is there a genuine opportunity to say no? Does the individual receive all relevant information in plain terms? Is it easy to exercise the right to withdraw consent GDPR at any time? If the answer to any of these questions is no, your approach needs to be revised. Remember that unambiguous consent GDPR requires a clear affirmative action, not silence or pre-ticked boxes.
How, when and why consent must be documented
Having proper records in place is essential. You should be able to demonstrate exactly when, how and under what conditions consent was obtained. A tick box alone is not sufficient – your records must make clear what the individual agreed to. This is where robust evidence of consent GDPR matters. You should also review and, where necessary, refresh consents regularly, especially if the processing changes over time.
Do not forget that consent can lose its validity over time as circumstances change. Working proactively on these issues reduces the risk of regulatory action and strengthens trust among the people whose personal data you process. Consent should not merely exist; it must meet a series of requirements set out in the GDPR, including the ongoing ability to exercise the right to withdraw consent GDPR.
Getting the legal basis for processing personal data right
Consent is only one legal basis for processing personal data. Where consent cannot be freely given consent GDPR or where purposes are not specific enough, consider whether another lawful route applies. Choosing the correct basis at the outset, and documenting it, helps avoid relying on weak, unambiguous consent GDPR signals or creating the appearance of forced consent GDPR.
How we can help
At Morling Consulting, our data protection lawyers help organisations identify the correct legal basis for processing personal data and avoid processing that conflicts with the GDPR. We provide concrete advice, risk analysis and practical solutions to ensure your processing is lawful, well-reasoned and sustainable.
