Consent vs. Information

Understanding GDPR Requirements for Website Data Collection

In the era of the UK General Data Protection Regulation (UK GDPR), businesses operating online must navigate a complex landscape of data privacy rules and requirements. One area that often raises questions is when explicit consent is needed for data processing and when simply providing information about the processing is sufficient. This is particularly relevant for common website features such as contact forms and newsletter subscriptions.

The UK GDPR/GDPR sets out clear guidelines on when consent is required and when information alone suffices. Understanding these nuances is crucial for ensuring compliance and maintaining the trust of your website visitors. Let’s dive into the specifics.

The UK government has the authority to make its own "adequacy decisions" regarding the level of data protection provided by other countries or international organizations, which may differ from the adequacy decisions made by the European Commission.

Contact Forms

When a user submits their personal information through a contact form on your website, you are processing their data for the purpose of responding to their inquiry or request. In this scenario, explicit consent is generally not required under GDPR.
The legal basis for processing this data falls under the “legitimate interests” provision of the GDPR. Your legitimate interest is to communicate with potential customers or clients who have reached out to you. However, you must still provide clear information about how this data will be processed.
This information should cover details such as:
• The types of personal data collected (e.g., name, email, message content)
• The purpose of the data processing (responding to the inquiry)
• The retention period for the data
• Any third parties involved in processing the data (if applicable)
• The user’s rights regarding their data (access, rectification, erasure, etc.)
It’s important to provide this information in a clear and accessible manner, such as through a privacy policy or notice prominently displayed near the contact form.

Paper Form

If your clients fill out a paper form at your premises (for example, if you are a masseur or a photographer), and even if you then choose not to provide the service when the client visits your salon, remember that this form must include a notice of how their personal data will be processed.

Do you need to obtain consent for this processing, or will providing information be sufficient? How should this be addressed on your form? The timing of attaching the content of the “Privacy Notice” or printing its provisions and displaying them at your company’s headquarters depends on several factors.

If you decide to utilize our service, we will handle everything to ensure that you are fully compliant.

Newsletter Subscriptions

Unlike contact forms, newsletter subscriptions typically require explicit consent from the user under GDPR. This is because the processing of personal data (usually an email address) for marketing purposes, such as sending promotional newsletters, is not considered a “legitimate interest” under the regulation.

To obtain valid consent, you must:

  1. Present a clear, affirmative opt-in action for the user, such as an unchecked checkbox or a separate subscription form.
  2. Provide specific, unambiguous information about what the user is consenting to, such as receiving marketing communications or a newsletter from your organization.
  3. Ensure the consent is freely given, without any deception, intimidation, or coercion.
  4. Allow users to withdraw their consent as easily as they gave it.

It’s important to note that pre-ticked boxes or assumed consent through inaction (e.g., failing to uncheck a box) do not constitute valid consent under GDPR.
In addition to obtaining consent, you must also provide clear information about the data processing, similar to the requirements for contact forms. This includes details about the types of data collected, the purposes of processing, data retention periods, and the user’s rights.

Combining Consent and Information

In some cases, you may need to combine both consent and information requirements.

For example, if you plan to use the email addresses collected through your newsletter subscription for additional purposes beyond sending the newsletter itself (such as targeted advertising or profiling), you would need to obtain separate consent for those additional processing activities.

Transparency is key when it comes to GDPR compliance. By providing clear, accessible information about your data processing practices and obtaining valid consent when required, you demonstrate respect for your website visitors’ privacy rights and build trust in your brand.

Remember, the specific requirements and best practices may vary depending on the nature of your website, the types of data collected, and the purposes of processing. It’s always advisable to consult legal experts or data protection authorities for guidance on ensuring full GDPR compliance for your online operations.

Consent and Age Considerations

When obtaining consent for processing personal data from website users, it’s crucial to consider their age, as minors may have additional protections and requirements under the GDPR and local laws.

In most European countries, the age limit for providing valid consent is 16 years old. However, in the United Kingdom, this age limit is set at 13 years old. If your website is aimed at or likely to be accessed by users under these age thresholds, you must take additional measures.

If your website targets children, you should provide a dedicated form or mechanism for parents or legal guardians to provide consent on behalf of their children for the processing of their personal data. This consent must be verifiable and given through an affirmative action, such as completing and submitting an online form.

It’s important to note that you cannot rely on the consent provided by a child below the age limit, even if they have attempted to provide it themselves. Clear information about the data processing activities should also be provided in a manner that is understandable for both children and their parents or guardians.

Providing User Control and Exercising Rights

In addition to obtaining valid consent when required, it’s essential to provide website users with easy-to-use mechanisms for exercising their rights under the GDPR.

This includes the ability to:

  1. Unsubscribe from newsletters or marketing communications: Offer a clear and accessible unsubscribe link or form within each newsletter or marketing email you send. This should allow users to withdraw their consent for receiving future communications with a single click or submission.
  2. Withdraw consent for data processing: Provide a dedicated form or mechanism that allows users to withdraw their previously given consent for the processing of their personal data. This should be as easy to access and use as the initial consent mechanism.
  3. Exercise data subject rights: Under the GDPR, individuals have various rights regarding their personal data, including the rights of access, rectification, erasure (right to be forgotten), restriction of processing, data portability, and objection to processing. Offer user-friendly forms or online portals where individuals can submit requests to exercise these rights.
    When users submit requests to exercise their rights, it’s crucial to have processes in place to verify their identities, document the requests, and respond within the timeframes specified by the GDPR (typically one month, with potential extensions in complex cases).

By providing these mechanisms, you empower website users to maintain control over their personal data and demonstrate your organization’s commitment to upholding their privacy rights. Clear instructions and guidance should accompany these tools to ensure users understand how to effectively exercise their rights.

Regularly reviewing and updating your consent and user control mechanisms is also advisable, as data protection laws and best practices may evolve over time. Seeking legal guidance or consulting with data protection authorities can help ensure your processes remain compliant and user-friendly.

If you are the owner of a website or a mobile application and want to create a Privacy Policy that will comply with the law – our website: “Online Business” may be useful.

If you are the owner of a website or mobile application and you are not sure whether the Privacy Policy published by you is lawful – our service: “UK GDPR Consultation” may be useful.

Have a question?

Go to our service page if you need a consultation or other help related to the UK GDPR.
