The ICO’s draft guidance on how consent will be understood under the GDPR says that going forward, there must be a positive opt-in. Consent should be separate from other terms and conditions, and it should not generally be a pre-condition of signing up to a service. The GDPR specifically bans pre-ticked opt-in boxes.
The GDPR’s requirement of explicit consent requires a very clear and specific statement of consent. The ICO therefore advises the naming of any third parties who will rely on the consent. Individuals will need to be offered an opportunity to easily withdraw consent. Organisations should also keep evidence of consent – how it has been obtained, when, etc.
The draft guidance is open for comment and the quickest way to submit views is to use the ICO’s prepared form. The ICO says that it is provisionally aiming to publish the guidance in May 2017, although this timescale may be affected by developments at European level.
The consultation closes on 31 March. See https://ico.org.uk/about-the-ico/consultations/gdpr-consent-guidance/