The idea of consent is one of the key facets of the 2018 GDPR legislation. Primarily, this has been a shift to ‘opt-in’ consent for data processing and cookies, rather than ‘opt-out’. The law change means personal data can only be processed under certain grounds. The most relevant one in the case of CANDDi is article (1)(a):

‘the data subject has given consent to the processing of their personal data for one or more specific purposes;’

According to the legislation, a request for consent must be ‘clear, concise and not unnecessarily disruptive’, and must be given by a_ ‘clear affirmative act’._

Things that do not constitute consent:
Pre-ticked boxes

There is, however, another condition on consent found in Article 7(3): ‘The data subject shall have the right to withdraw his or her consent at any time...’.

The law also states it must be just as easy to revoke consent as it was to give it, so the consent policy needs to be easily accessible.

When considered together it would be reasonable to conclude that consent will be valid if the website visitor is displayed an initial notice (and choice) and is able to change this, in a granular way, at a later date.

Have more questions? Contact us at or 0161 414 1080
Was this article helpful?
Thank you!