Blog | Clym

What Are the Different Types of Consent?

Written by Alex Margau | 7 February 2023

One of the trickiest aspects of data privacy across the globe is the way businesses acquire and manage the consent of data subjects before collecting and/or processing their personal information. The reason behind this is many sided, including consent mechanisms, audit ready consent data, or simply understanding the concept itself. 

Defined by Article 4 of the GDPR as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her,” consent seems to be quite a straightforward notion to grasp. Put simply, as a business that collects and/or processes personal information of individuals, you need their permission or agreement to do either one or both of these actions against their personal information, and said permission of every individual has to be granted in such a way that at any given moment you are able to prove your compliance to the data protection authority under whose jurisdiction you operate.

The tricky part comes when you find that consent can be split into a few types, which is why we’re offering you a brief description of the two types of consent we’ve identified across data privacy regulations currently in force.  

Express or Explicit Consent:

This type of consent refers to the definition provided by the GDPR, as well as other data privacy laws in the world, namely, it is an unambiguous expression of an individual’s wishes, following their being informed of all the relevant details regarding the collection and processing of their personal data. When encountering the definition of consent in data protection laws, the general understanding of the term is that of express or explicit consent, manifested by the individual in a form that can be proven later on. For example, most data privacy regulations require you to inform individuals of the processing purposes of your business’ activity through the use of a cookie banner that displays the types of cookies and/or scripts running on your website, the types of data collected, and so on. An individual’s choice to click on an “Accept All” button in the cookie banner would generate a consent receipt you would later on be able to show as proof of express or explicit consent obtained.

Implicit or Deemed consent:

This type of consent leaves room for your business to proceed with its activity if the individual has either performed an action, or refused to perform any action, following their being informed of all the relevant details regarding the collection and processing of their personal data, and as a result of either one of these instances, consent may be reasonably inferred. Healthcare professionals make use of this type of consent in medical emergency situations, for example. In data privacy, if we refer to the example mentioned above, if the individual, following the display of the cookie banner, does not decline the use of cookies, but also does not click on an “Accept All” button in the cookie banner, it is considered that their consent is implicit or deemed. In this case, the action of not manifesting any choice equals to a ‘consent given by not opting out.’ However, this leaves behind no actual consent receipt, making this type of consent risky for businesses. 

In light of all of the above, and especially considering the tricky nature of implied or deemed consent, it is considered as a best practice for your business to ensure that it obtains express or explicit consent from individuals, because verbal consents or those expressed by inaction cannot be proven in the event of a data privacy audit and may result in penalties.

The various data privacy laws that are currently in place across the world agree on the mandatory requirement of obtaining consent but not all of them provide a specific distinction between the two types of consent we’ve discussed above. One law, however, that does distinguish between the two is British Columbia’s Personal Information Protection Act (PIPA-BC), which you can read more about on our Regulations page.