UK GDPR explainer
What Valid Consent Actually Looks Like
Consent is one of the most misunderstood ideas in data protection. Under UK GDPR it has a precise meaning — and most of the time, it isn't even the right basis at all.
In short
Under UK GDPR, valid consent must be freely given, specific, informed, and unambiguous, shown by a clear affirmative action. Pre-ticked boxes, silence, or bundled "agree to everything" terms do not count. Consent must be as easy to withdraw as to give, and the organisation must be able to prove it was obtained.
The four conditions, and why they exist
When people say a company "has consent" to use their data, they usually mean someone clicked a button at some point. Under UK GDPR, the bar is considerably higher. Consent is defined as a freely given, specific, informed and unambiguous indication of a person's wishes, expressed through a statement or a clear affirmative action. The Information Commissioner's Office (ICO), the UK regulator, treats each of those four words as a separate test, and all four have to be met.
Freely given means there is a real choice and no penalty for saying no — consent bundled into terms you must accept to use a service is rarely free. Specific means it covers a named purpose, not a vague catch-all. Informed means you were told who is processing your data and why, in plain language, before you decided. Unambiguous means there was a deliberate action: ticking an empty box, not failing to untick a pre-ticked one.
These conditions exist because consent is meant to give a person genuine control. If any one of them is missing, the consent is not valid — even if a box was technically clicked. That distinction is the source of most confusion, because a great deal of everyday data sharing looks like consent but would not survive these four tests.
- Freely given — a real, penalty-free choice to decline
- Specific — tied to a named, distinct purpose
- Informed — who and why, explained up front
- Unambiguous — a clear, deliberate opt-in action
- Pre-ticked boxes, silence and inactivity never qualify
Why most data use isn't actually based on consent
A common misconception is that organisations need your consent to process your personal data. In fact, UK GDPR sets out six lawful bases for processing, and consent is only one of them. The others include contract (processing needed to deliver a service you asked for), legal obligation, vital interests, public task, and legitimate interests. An organisation must pick the most appropriate basis before it starts processing — and it cannot quietly switch later.
This matters because the basis an organisation relies on changes the rights you can exercise. Where processing relies on consent, you generally have the right to withdraw it. Where it relies on legitimate interests, you instead have the right to object and have your objection weighed. Knowing which basis applies is the first step to understanding what you can actually ask for.
Many businesses in the wider data economy — including data brokers who compile and trade profiles — tend to rely on legitimate interests rather than consent. That is a factual feature of how the ecosystem is structured, and it is one reason "I never agreed to this" and "this is unlawful" are not the same statement. Understanding the difference is what lets you frame a request that actually fits the situation.
Consent you can withdraw — and what that means for your data rights
Valid consent is not a one-way door. UK GDPR requires that withdrawing consent be as easy as giving it, and an organisation has to tell you about that right before you consent. Withdrawal does not undo processing that already happened lawfully, but from the moment you withdraw, that particular processing should stop unless another lawful basis genuinely applies.
Organisations also carry the burden of proof. If they rely on consent, they must be able to demonstrate that a specific person consented, to a specific thing, at a specific time. Vague claims of blanket consent are exactly what the four conditions are designed to expose. This is useful to know, because it means you are entitled to clarity about what you supposedly agreed to.
Whatever the lawful basis, you keep a set of standing rights — including the right to ask an organisation what personal data it holds about you through a Subject Access Request, and to ask for it to be corrected or, in some cases, deleted. Seeing your own footprint clearly is often the first practical step before deciding which request fits. OSINTA is a self-only tool that helps you understand your own digital footprint and prepare your own data-rights requests; you remain the person who decides what to send. This article is general information about UK data protection, not legal advice — for advice on your specific situation, consult a qualified professional.
Frequently asked questions
Does a company always need my consent to use my data?
No. Consent is only one of six lawful bases under UK GDPR. Organisations can also rely on contract, legal obligation, vital interests, public task, or legitimate interests, and must choose the most appropriate one before processing. Much everyday data use is based on something other than consent.
Is a pre-ticked box valid consent?
No. UK GDPR requires a clear affirmative action, so pre-ticked boxes, silence, default settings, or simply continuing to use a service do not count as valid consent. The person has to take a deliberate step to opt in for the consent to be valid.
Can I withdraw consent once I've given it?
Yes, where the processing genuinely relies on consent. UK GDPR says withdrawing must be as easy as giving it. Withdrawal doesn't reverse past lawful processing, but that processing should stop afterwards unless another lawful basis truly applies.
If I never consented, is the processing automatically unlawful?
Not necessarily. If the organisation relies on a different lawful basis, such as legitimate interests, processing can be lawful without your consent. In that case you generally have the right to object rather than to withdraw, and the organisation must weigh your objection.
This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.
Reviewed by OSINTA's founding lawyer — 2026-06-27.