What is explicit consent? 

Explicit consent, sometimes referred to as express consent, is a type of consent that is freely given. It's usually stipulated in laws governing how organizations obtain an individual's, or data subject's, agreement to a contract or to the collection and handling of their personal information.

What is explicit consent vs implicit consent 

While they sound similar, the terms “explicit consent” and “consent” aren’t interchangeable. 

Explicit consent 

Explicit consent, or express consent, requires organizations to clearly inform a data subject about the provisions of the agreement being made and to obtain a positive indication of their agreement through clear affirmative action.

Affirmative action could be given in the form of:

  • Written statements
  • Electronic signatures
  • Online forms
  • Emails

Implicit consent 

Implicit consent, also referred to as implied consent or inferred consent, is consent that isn’t expressly given by the data subject. It can be obtained through actions or situations that imply the agreement of the individual. It can, therefore, be left up to interpretation. 

Explicit consent GDPR 

The General Data Protection Regulation (GDPR) does not directly mention or define explicit consent. However, the GDPR definition of consent, called valid consent, has the same prerequisites. Consent must be informed, given freely, obtained through clear affirmative action, and demonstrable. 

According to Article 4 of the GDPR, consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Article 7 of the GDPR also states that “where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”

When explicit consent is required

The GDPR requires organizations that process data, referred to as data controllers, to obtain explicit consent, referred to as consent or valid consent, in situations that pose a serious data protection risk to an individual or that require a high level of data processing. 

Situations requiring explicit consent include:

Processing of special categories of data

According to the GDPR, the processing of sensitive personal information, such as race and ethnicity, genetic and biometric data, political views, religious and philosophical beliefs, and trade union membership, is prohibited.

Automated individual decision-making, including profiling

Explicit consent is one of only three situations where automated decision-making is GDPR-compliant. In this case, the organization is required to protect the rights and legitimate interests of the data subject, provide human intervention on the part of the data controller, and allow the data subject to contest decisions.

Data transfers to third countries or international organizations

Transferring data to a third country or international organization doesn’t require consent as long as they provide an appropriate safeguard for the data subject. However, if such safeguards are not available, the transfer of data is still possible if explicit consent is provided. 

Demonstrating explicit consent

The GDPR requires data controllers to demonstrate compliant consent, meaning that the data controller must be able to prove consent was given through clear affirmative action. While the GDPR doesn’t outline methods for proving consent, methods that can’t easily be proven, such as oral consent, likely won’t be compliant. 

Explicit consent in other laws 

UK GDPR

Similar to the EU GDPR, the UK GDPR doesn’t use the term “explicit consent.” Instead, it applies a strict definition of consent that is functionally the same as explicit consent. It requires obtaining consent from a data subject that is informed and freely given through affirmative action. 

PIPEDA

While the Personal Information Protection and Electronic Documents Act (PIPEDA) doesn’t define the term “explicit consent,” it does require organizations to obtain “express consent” when processing sensitive information, when the handling of the data is outside the reasonable expectations of the individual, or when it poses significant residual risk or harm.

CCPA (CPRA)

The California Consumer Privacy Act (CCPA) also does not require organizations to receive explicit consent to collect or process personal information. 

Updated on: July 28, 2023
