Consent is a complex issue – for a start it’s only one of several legal reasons for processing (necessity, compliance and legitimate interests of the controller being others).
Where required, consent must be freely given, clear and in plain language suitable for the intended audience. The purposes for which consent is being gained must be open and transparent.
Consent should be given by “a clear affirmative act” – for example this could include ticking a box or choosing settings. Silence, pre-ticked boxes or inactivity should never constitute consent.
Nowhere does the Regulation mandate what precise form consent must take – only that it must satisfy the criteria above.
This is not a very satisfactory situation as clear advice is what we all need – so we expect the supervisory authorities to make this clearer in due course.
It’s also important to remember that other regulations (such as PECR, which is also being reviewed in the light of GDPR) can determine the form that consent might have to take, and these should be considered too.
This is an excerpt from our whitepaper "25 Real Questions and Their Answers about GDPR" which is available from the DataIQ website here.