In the “me too” era we all know that consent is something you must have and be able to prove, and it’s no different for processing personal data.
The Merriam-Webster Dictionary explains the term ‘consent’ as “compliance in or approval of what is done or proposed by another.” So, in the privacy context, that would mean you first need to explain to your data subjects which of their personal information you would like to process and for what purpose, what third parties you might share the data with, how long you’ll store it, etc. Then you ask for consent for the aforementioned.
The GDPR states 6 bases for processing personal data lawfully. You must have at least one of these bases covered, or else you cannot process the personal data.
One of the bases is ‘consent’. Data subjects must have given consent to the processing of their personal data for one or more specific purposes. That means that when you ask for consent you need to provide information about what you’re going to use their data for. And, hopefully this speaks for itself, you cannot use/process the data for any other purpose than what was agreed upon.
Opt-in means that someone has to actively choose to give consent. If you have a pre-ticked box, that means they didn’t actively consent, and further processing of the data is considered unlawful and could result in penalties. Pre-ticked boxes are major no-nos! I suppose I shouldn’t be surprised to still be seeing so many pre-ticked boxes everywhere, but I am. So be warned, no pre-ticked boxes, repeat after me: no pre-ticked boxes! And feel free to complain to and/or inform websites/organizations that still use them.