Collecting personal information - how to ask for consent
What is consent?
Sometimes we need to ask individuals to give their permission, or consent, for their personal information to be collected or used. Consent is one of the legal grounds for processing personal information. The advice on this page applies wherever you are collecting information about individuals: on web pages, in surveys, online or printed forms, or mailing lists.
When we ask for consent is is important that it is:
informed - you need to explain why you need the information and how you will use it
freely given - you mustn't pressurise people into giving their consent
unambiguous - if you are doing different things with the personal data you need to ask for consent separately for each use
opt-in - consent should be given through someone doing something (like ticking a box) and not through failing to do something (like unticking a box or replying to an email)
Always use straightforward language that is appropriate to your audience.
Only collect information you really need.
Think about whether it's possible to collect general information instead of very specific information. If age is relevant, for example, think about whether you really need a full date of birth, or whether an age range, or a statement about age ("I am over over 18") is enough.
Avoid asking everyone the same questions if they aren't all relevant to everyone. If you are using an online form think about having extra boxes for questions that only appear for certain groups. Or collect further information separately only form the specific group it is relevant to.
Make it clear what information is mandatory and what is optional.
Designing your form
Start with an opening statement
It's always useful to open with a simple statement to reassure people about how their personal information will be used. There are no specific words you need to use and you should use the same "voice" for this statement as you do for the rest of your information to your participants.
Here are some examples of potential wording:
Use opt-in checkboxes
An easy way to collect consent is to offer boxes for people to tick. Boxes must not be pre-ticked, and the tick should be to opt in, not to opt out.
It's important to present a separate tick box for each activity. So, for example, if you survey people who have participated in an event or activity and would like to get their permission to use quotes from their responses to advertise the event to others, to sign them up for your mailing list advertising further events, and to enter them into a prize draw then that should be three separate tick boxes.
Try to be specific about what you are asking people to sign up for. This is so that the consent is informed. So instead of having a tick box for "I'd like to be added to your mailing list" or "I'd like to hear more about events" you could say "I'd like to receive your monthly email newsletter". or "I'd like to hear more about other events on this topic".
If you are offering an incentive like entry into a prize draw then that should be open to everyone, not just those who agree to sign up for marketing.
Let people change their minds
You must allow people to withdraw consent if they change their mind. Let them know this at the time. The process should be simple and easy. If you are sending out marketing emails you should include a reminder about opting out with each email sent.
Don't assume that consent is valid forever. If the consent is for ongoing activity you may need to refresh consent from time to time, and keep records of what consent was given, by whom and when.
When there is no choice
Consent must be freely given, and that means it must also be possible to refuse consent.
So if there is some information you have to have in order to be able to provide a service to someone, and if they refuse to share that information that leaves you unable to provide the service, then you don't need to ask for consent.
For example, if you are running an event through Zoom you will be sending a link out to email. It's not possible for someone to attend without sharing their email, so you don't need to ask consent because the legal basis is contract (there isn't a written contract. The contract is an agreement that they will provide their email address and you will provide the event through Zoom).
Instead of asking for permission for information that is necessary for you to provide the service you can have a statement for the individual to agree to. For example "I understand that you will use my email address to send me the link to the Zoom event".
Don't forget that you might still need consent for part of your activity. In our Zoom example you don't need consent to email the link for the event but you will still need permission to add their email address to your marketing list, because it's perfectly possible to invite people and for people to attend without them joining your mailing list. Don't forget it has to be opt in! Example wording might be "Please add me to your mailing list to receive monthly updates on Zoom events".
Use clear straightforward language
Include links to relevant privacy policies
Only ask for information you really need
Get active opt in
For marketing opt-ins let contacts choose content, channel and frequency as appropriate
Keep consent separate from other messages
Always explain how to withdraw consent or unsubscribe
Keep a record of consent – who , when, how and what you communicated
Keep consent under review and refresh wording if anything changes
Don't ask for consent unless it's possible for people to refuse