Ask users for their consent
This pattern asks the user for their consent when we collect and store personal data. The pattern meets our responsibilities under the General Data Protection Regulation 2018 (GDPR) and Data Protection Act 2018 (DPA).
When to use
Use this pattern to ask the user for their consent when you collect and store personal data.
Personal data is anything that on its own, or together with other data, can identify a person.
If the data you are asking for is not needed for government to perform a specific task or function set out in law, you need to ask for consent. For example, data needed to apply or register for something.
When to not use
If the data is required for government to perform a specific task or function set out in law, you do not need to ask for consent. For example, terms and conditions – these are required so you do not need to ask for consent.
Design content that includes the terms and conditions as part of selecting a button, instead of adding in a checkbox.
How it works
Do not infer consent when someone uses a service or does nothing. Consent must be:
- freely given
- a positive action to opt-in
- clear, concise and specific
- separate from other terms and conditions
- as easy to withdraw as it is to give
Do not pre-select radio buttons and checkboxes for the user. This means the positive action would opt-out.
Consent covers all activities done for the same reason. If you use the data for more than one reason, get separate consent for each.
Ask a yes-no question
Use a single checkbox
Use more than one checkbox
For when there is more than one type of consent or consent must be separate from other terms and conditions.
We need more research. If you have asked the user for their consent, get in touch to share your research findings.