Conditions for Consent

  • Must be able to demonstrate consent.
  • Written consent must be clear, intelligible and easily accessible.
  • Must be able to be withdrawn as easily as it was given.
  • Where consent is difficult to obtain, refer to another condition of Lawful Processing
  • If consent involves Special Categories of personal data, consent must not just be unambiguous but must be explicit, for example, checking a box that clearly states how the data will be used.

If there’s any doubt whether an individual consented or you do not have clear records indicating so, then it is not valid.

Due to these requirements, the condition of consent ought to be the last resort when deciding on your basis for lawful processing.

Children – Extra considerations

If you’re relying on consent as your basis for lawful processing, children must be aged 13 or over to give consent themselves. Otherwise consent must be from their parent or the holder of parental responsibility (unless it is for a preventive or counselling service) and appropriate measures must be in place to verify this.

This is because children may be less aware of the risks involved when signing up to an online service and therefore all privacy policies must be easy for children to read. This comes back to the 


  • For a child’s consent, age-verification measures must be implemented.
  • Reasonable efforts must be made to verify parental consent.
  • Privacy policies easy to read for the child.
  • Decisions made based on automated processing must be limited, especially if it will have a significant impact on them.
  • Carry out a Data Protection Impact Assessment (DPIA) whenever there is a concern that the processing may cause risk.

Children have the same rights as adults over their personal data. These include the right to access their personal data, object to processing, request correction or erasure.

More ICO guidance on consent here.