Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Contents
- Key points at a glance
- What is “implied consent” - and why is it a problem?
- What UK GDPR actually requires
- PECR, cookies and e-marketing - the other half of the story
- Six lawful bases - consent is not the only option
- Common mistakes we see
- Children’s consent
- How to make consent compliant in practice
- What if consent goes wrong?
- Quick audit - where to look first
- Speak to a lawyer early
- Key takeaways
- Need help?
There’s a common belief that you can “assume” people’s consent because they keep using your website, stay silent, or don’t untick a box. In reality, that approach puts you on the wrong side of UK GDPR and PECR. Here’s what implied consent really means, why it’s risky, and how to fix your processes fast.
Key points at a glance
- “Implied” or “assumed” consent is not valid for most processing under UK GDPR. Consent must be a clear, informed, freely given and unambiguous opt in.
- Silence, inactivity or continued browsing is not consent. Pre-ticked boxes are not consent.
- There are six lawful bases for processing. Consent is only one - and often not the best choice.
- Non-essential cookies and most direct e-marketing need GDPR-standard consent under PECR rules.
- Keep records of what was consented to, when, how, and make withdrawal as easy as giving consent.
- Fines, enforcement and reputational damage are real risks if you get this wrong.
What is “implied consent” - and why is it a problem?
Implied consent is where a business infers agreement from behaviour like continuing to browse, not ticking an opt-out box, or staying silent after a notice. Under UK GDPR, consent requires a clear affirmative action. Guesswork is not your friend. If you are relying on “they didn’t say no”, you are almost certainly offside.What UK GDPR actually requires
Consent under UK GDPR must be:- Freely given - no pressure, bundling or making access conditional when it doesn’t need to be.
- Specific - tied to a clear, stated purpose.
- Informed - explained in plain language at the point of choice.
- Unambiguous - a clear opt in by affirmative action.
- Documented - you must be able to show when, how and what was agreed.
PECR, cookies and e-marketing - the other half of the story
Beyond GDPR, the Privacy and Electronic Communications Regulations (PECR) set rules for non-essential cookies and direct electronic marketing.- Cookies - non-essential cookies require prior consent that meets the GDPR standard. “By continuing to browse you consent” banners, default-on categories, or hard-to-find reject options are not compliant. Provide equal prominence to accept and reject, and no tracking before choice.
- Direct marketing - sending marketing by email or text generally needs prior consent that meets the GDPR standard. There is a narrow soft opt-in for existing customer relationships where the product is similar, you obtained details during a sale or negotiations, and every message includes an easy opt-out.
Six lawful bases - consent is not the only option
Choose the right basis for each purpose:- Performance of a contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
- Consent
Common mistakes we see
- Pre-ticked boxes or opt-out sliders for newsletters.
- Cookie banners that set non-essential cookies before any choice is made.
- One “all channels” consent for email, SMS and calls instead of separate choices.
- Burying consent in long T&Cs, or making unsubscribe difficult.
- Re-using old consents for new purposes without asking again.
Children’s consent
For online services directed to children, the UK age of digital consent is 13. If you rely on consent for children under 13, you generally need parental authorisation. If your product touches under-18s, build this into your consent flows and age-assurance approach.How to make consent compliant in practice
- Use plain language - state the purpose, the data, and who you share it with, in simple terms.
- Make it granular - separate consents for separate purposes and channels.
- Capture affirmative action - unticked boxes, “accept” buttons and similar positive steps.
- Offer a real choice - equal prominence for accept and reject. No nudging or dark patterns.
- Record everything - who consented, when, how, what they were told, and for which purpose.
- Make withdrawal easy - visible unsubscribe links and simple account settings. No friction.
- Review regularly - refresh consent if your purpose changes or wording is updated.
- Gate cookies correctly - do not set non-essential cookies until consent is given.
What if consent goes wrong?
Regulators expect you to pick the correct lawful basis and prove your compliance. Risks include fines, enforcement notices, audits, class actions, and lasting damage to customer trust. It is far cheaper to get this right up front than to fix it after an ICO complaint.Quick audit - where to look first
- All lead capture forms and newsletter sign-ups
- Cookie banner logic and category defaults
- CRM consent records and preference centres
- Transactional vs marketing communications separation
- Processes for handling opt-outs and deletion requests
Speak to a lawyer early
It is best to speak with a lawyer before problems arise. Sprintlaw can review your consent language, cookie banner, and privacy notices, check you are using the right lawful bases, and put in place policies so your team stays compliant day to day. Getting advice now protects you from complaints later - and builds trust with your users.Key takeaways
- Do not rely on implied consent. Use clear, opt-in, purpose-specific choices.
- PECR adds extra rules for cookies and e-marketing - build them into your flows.
- Keep auditable records of consent and make withdrawal effortless.
- Pick the correct lawful basis for each purpose - consent is not always right.
- Review wording and settings regularly as your product and data use evolve.
