
GDPR consent and lawful basis: what UK organisations need to know

by Mark McShane, May 12, 2026


A practical guide to the seven lawful bases under UK GDPR, the conditions for valid consent, the new recognised legitimate interests basis introduced by the DUAA 2025, and the rules for children's consent.

Every processing activity under UK GDPR needs a lawful basis. There are now seven of them, after the Data (Use and Access) Act 2025 added "recognised legitimate interests" to the original six. Consent is one of those bases — and the one with the strictest conditions — but it is not always the right choice, and choosing it where it isn't appropriate creates more compliance risk than it solves.

This guide covers the seven lawful bases, when to use each, the conditions for valid consent, the new recognised legitimate interests basis, and the rules for processing children's data.

The 7 lawful bases of UK GDPR

[Figure: Lawful bases before and after the DUAA, six to seven]

Article 6 of the UK GDPR sets out the lawful bases for processing personal data. Until 2025, there were six. The Data (Use and Access) Act 2025 added a seventh — recognised legitimate interests — under Article 6(1)(ea). The full list is now:

  1. Consent — the individual has given consent to the processing for one or more specific purposes.
  2. Contract — processing is necessary for the performance of a contract with the individual, or to take steps at the individual's request before entering into a contract.
  3. Legal obligation — processing is necessary for compliance with a legal obligation to which the controller is subject.
  4. Vital interests — processing is necessary to protect the vital interests of the data subject or another person.
  5. Public task — processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
  6. Legitimate interests — processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where overridden by the interests, rights, and freedoms of the individual.
  7. Recognised legitimate interests — processing is necessary for a specific list of public-interest purposes set out in Schedule 4 of the DUAA, including crime prevention, safeguarding, emergency response, and national security.

No basis is more important than the others. The right basis depends on the relationship with the individual, the purpose of the processing, and the practical context. You should identify and document the basis before processing begins, and Articles 13 and 14 require you to state it, alongside the purpose, in your privacy notice.

For special category data, you need both an Article 6 basis and a separate Article 9 condition. For criminal offence data, Article 10 applies: you need an Article 6 basis plus either official authority or a condition from Schedule 1 of the Data Protection Act 2018.

When to use each basis

[Figure: Which lawful basis to use, decision tree]

A few rules of thumb. None of them are absolute — your circumstances may pull a different way — but they reflect how the bases are most commonly applied.

Consent is appropriate when you genuinely want to give the individual a real choice, the choice isn't tied up with the provision of a service, and you can demonstrate the individual freely agreed. Marketing communications, optional cookie tracking, and processing of special category data in research contexts are typical examples.

Contract fits when the processing is genuinely necessary to perform a contract the individual is party to. Sending an order confirmation is contract; sending a "we noticed you abandoned your basket" email is not — that's marketing, which needs a different basis.

Legal obligation applies when the law specifically requires you to process the data. Keeping tax records to satisfy HMRC, reporting suspicious transactions to the National Crime Agency, fulfilling a court order. The obligation must be specifically stated in UK law, not just a general expectation.

Vital interests is narrow. It covers life-or-death situations — passing a patient's medical details to A&E, sharing information that prevents physical harm. It is rarely the basis for routine processing.

Public task is for public authorities and bodies performing tasks set out in law. A local council processing council tax data, a school administering admissions, an NHS trust running clinical services.

Legitimate interests is the most flexible basis and the one most commonly used in commercial contexts. It applies when you have a genuine interest in processing the data, the processing is necessary to achieve it, and your interests are not overridden by the individual's interests, rights, or freedoms. The choice requires a documented assessment — a Legitimate Interests Assessment, or LIA — that walks through purpose, necessity, and balancing.

Recognised legitimate interests is the new DUAA basis. It removes the need for an LIA, but only for a narrow list of specific public-interest purposes. Most commercial use cases will still rely on standard legitimate interests with a full LIA. The RLI basis is discussed in detail below.

Conditions for valid consent

Consent has the strictest conditions of any lawful basis. Article 4(11) and Article 7 of the UK GDPR, read with Recitals 32, 42, and 43, set out the requirements. Consent must be:

Freely given

The individual must have a genuine choice. If refusing consent would deny them a service or disadvantage them, consent is not freely given. This is why "consent" buried in a terms-and-conditions document, or tied to access to a website, generally fails. It is also why employer-employee consent rarely works — the power imbalance makes it hard to argue the employee has a free choice.

Specific

Consent must be for a specific purpose. Lumping multiple purposes together — "we may use your data for marketing, analytics, research, and other purposes" — is not valid consent. Each purpose needs its own opt-in.

Informed

The individual must understand what they are consenting to. The purpose, the controller's identity, the type of data, and the right to withdraw must all be clear before consent is given.

Unambiguous

The agreement must be clear. Silence, inactivity, or pre-ticked boxes do not count. The Planet49 case at the CJEU confirmed that pre-ticked checkboxes are not valid consent under GDPR — a position the UK has retained.

A clear affirmative action

Examples are ticking an unchecked box, clicking an explicit "Accept" button, or signing a form. The action must be unmistakable as agreement to the specific purpose in question.

You also need to be able to demonstrate that consent was obtained (Article 7(1)). Records of when consent was given, what the individual was told, which version of the wording they saw, and the form of agreement are part of the accountability requirement.

Explicit consent

Articles 9(2)(a) and 22 of the UK GDPR sometimes require explicit consent — a higher standard than ordinary GDPR consent. Explicit consent typically requires a clear statement of agreement, often through a tick box with specific opt-in wording or a written declaration.

Explicit consent is required for:

  • Processing of special category data, where consent is the chosen Article 9 condition.
  • Solely automated decisions producing legal or similarly significant effects, where consent is the chosen exception.
  • International transfers to a third country without other appropriate safeguards, under Article 49(1)(a).

The practical implication: where you process health information, biometric data, or other special category data on the basis of consent, you need a specific opt-in that names the special category and the purpose. A generic privacy consent does not satisfy the explicit consent standard.

Withdrawing consent

Article 7(3) gives individuals the right to withdraw consent at any time, and requires that it must be as easy to withdraw as it was to give. If you obtained consent through a single click, withdrawal cannot require a phone call, a written letter, or three weeks of waiting.

Withdrawal does not affect processing carried out before the withdrawal — the earlier processing remains lawful. But from the point of withdrawal, the controller must stop processing on the consent basis and either find another basis or delete the data.

Where consent is the only basis you rely on and the individual withdraws it, you generally need to delete the data. Trying to switch to legitimate interests after the individual has withdrawn consent is almost never defensible.

Consent for children

Children deserve specific protection because they may be less aware of the risks and consequences of data processing. UK GDPR's headline rule is in Article 8: where information society services are offered directly to a child, consent for the processing of personal data is only valid if the child is at least a specified age — and a younger child needs parental consent.

The default age set by EU GDPR is 16. UK law set a lower age in the Data Protection Act 2018: in the UK, the age at which a child can give their own consent for information society services is 13. Below that, parental consent is required, and the controller must take reasonable efforts to verify it.

The DUAA added statutory obligations for online services likely to be accessed by children, the "children's higher protection matters", requiring controllers to take account of children's needs when designing those services. This puts on a statutory footing the approach the ICO's Age Appropriate Design Code (the Children's code) already required.

A common pitfall: thinking children can consent in their own right regardless of context. Article 8 only deals with consent for information society services; for other processing of children's data, consent (or another basis) needs to be assessed by reference to the child's capacity to understand. In practice, the safer approach for most processing is to obtain parental consent until the child is older.

Recognised legitimate interests (RLI)

The Data (Use and Access) Act 2025 introduced a seventh lawful basis under Article 6(1)(ea) of the UK GDPR: recognised legitimate interests. It applies to a specific list of public-interest purposes set out in Schedule 4 of the DUAA, including:

  • Crime prevention and detection.
  • Safeguarding vulnerable people.
  • Responding to emergencies.
  • Safeguarding national security.
  • Assisting other bodies in carrying out public-interest tasks set by UK law.

The key advantage of RLI is that it removes the need for a Legitimate Interests Assessment. The legislation has done the balancing test for these specific purposes — you don't need to demonstrate that your interests aren't overridden by the individual's rights, because Parliament has already decided that the public interest in these purposes is sufficient.

The key limitation is that the list is narrow. Most commercial processing will still rely on standard legitimate interests under Article 6(1)(f), with a full LIA. RLI is not a general-purpose alternative to consent or contract.

The DUAA also added clarification — though not as a new lawful basis — that direct marketing can in principle be a legitimate interest under Article 6(1)(f). This codifies a position the ICO had already adopted in guidance: direct marketing to existing customers can be a legitimate interest, subject to the standard LIA balancing test and the soft opt-in rules under PECR.

For more on where RLI fits in the wider regime, see our UK GDPR vs EU GDPR guide.

Common consent mistakes

A few patterns to avoid:

  • Pre-ticked boxes. Not valid consent. Ruled out by the Planet49 judgment and still the position under UK law.
  • Cookie walls. Forcing users to consent to cookies to access a website usually fails the "freely given" test under the ICO's position.
  • Bundled consent. Asking for one consent to cover marketing, analytics, third-party sharing, and "other purposes" all at once. Each purpose needs its own opt-in.
  • Hard-to-withdraw consent. Article 7(3) requires withdrawal to be as easy as the original consent. A click to opt in cannot require a letter to opt out.
  • Consent for processing that doesn't need it. If you have a legitimate interests basis that genuinely applies, choosing consent instead exposes you to withdrawal risk you didn't need.
  • Treating consent as permanent. Consent given in the past may no longer be valid if circumstances have materially changed, or if the original consent fell short of the current standard.
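The conditions above translate fairly directly into a data model. The block below is an added example written for this page, not code from the author or any product: a small consent ledger that records one purpose per opt-in, refuses pre-ticked and bundled captures, requires an explicit flag for a special category purpose, applies the UK age-13 threshold with a parental-consent check, makes withdrawal a single call, and answers "was consent in force at time X?" so that processing before a withdrawal stays lawful and processing after it does not. The purpose names, notice version, subject IDs and sample inputs are all constructed for the example.

```python
"""Added example, not code from the page's author: a minimal consent ledger that
enforces the validity conditions described in this guide.
Purpose names, the notice version and all sample inputs are constructed."""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Registered purposes, one per opt-in. "marketing-email and analytics" is not a
# purpose, so a single tick can never cover a bundle (consent must be specific).
PURPOSES = {"marketing-email", "analytics", "health-research"}
EXPLICIT_PURPOSES = {"health-research"}   # special category data: Art. 9(2)(a)
UK_ISS_CONSENT_AGE = 13                    # DPA 2018 s.9 threshold


class ConsentError(ValueError):
    """Raised when an attempted capture fails a validity condition."""


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    notice_version: str          # privacy notice the person was shown (informed)
    wording: str                 # exact opt-in text presented (demonstrable)
    method: str                  # "unchecked-box", "accept-button", "signed-form"
    given_at: datetime
    explicit: bool
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []   # append-only audit history

    def capture(self, subject_id: str, purpose: str, *, ticked: bool, default_ticked: bool,
                notice_version: str, wording: str, method: str, given_at: datetime,
                explicit: bool = False, age: Optional[int] = None,
                parental_consent_verified: bool = False) -> ConsentRecord:
        if purpose not in PURPOSES:
            raise ConsentError(f"unknown or bundled purpose: {purpose!r}")
        if default_ticked:
            raise ConsentError("pre-ticked box is not a clear affirmative action")
        if not ticked:
            raise ConsentError("no affirmative action: silence is not consent")
        if purpose in EXPLICIT_PURPOSES and not explicit:
            raise ConsentError(f"{purpose!r} needs an explicit opt-in naming data and purpose")
        if age is not None and age < UK_ISS_CONSENT_AGE and not parental_consent_verified:
            raise ConsentError("under 13: verified parental consent required (Art. 8)")
        rec = ConsentRecord(subject_id, purpose, notice_version, wording, method, given_at, explicit)
        self._records.append(rec)
        return rec

    def _active(self, subject_id: str, purpose: str, at: datetime) -> Optional[ConsentRecord]:
        for rec in reversed(self._records):          # most recent capture first
            if (rec.subject_id == subject_id and rec.purpose == purpose
                    and rec.given_at <= at
                    and (rec.withdrawn_at is None or rec.withdrawn_at > at)):
                return rec
        return None

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """One call, no extra hurdles: withdrawal is as easy as giving (Art. 7(3))."""
        rec = self._active(subject_id, purpose, at)
        if rec is None:
            return False
        rec.withdrawn_at = at
        return True

    def is_lawful(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Was consent in force for this purpose at time `at`? Processing before a
        withdrawal stays lawful; processing after it does not."""
        return self._active(subject_id, purpose, at) is not None

    def evidence(self, subject_id: str, purpose: str) -> list[dict]:
        """The accountability trail: what was shown, when, how, and any withdrawal."""
        return [asdict(r) for r in self._records
                if r.subject_id == subject_id and r.purpose == purpose]


def demo() -> dict:
    """Constructed walk-through: capture, withdraw, then probe the common mistakes."""
    t0 = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ok = dict(ticked=True, default_ticked=False, notice_version="pn-2026-01",
              method="unchecked-box", given_at=t0)
    ledger.capture("u-1001", "marketing-email", wording="Email me offers from Example Ltd", **ok)
    ledger.withdraw("u-1001", "marketing-email", at=t0 + timedelta(days=10))

    attempts = {   # label -> (purpose, capture kwargs)
        "pre-ticked": ("analytics", dict(ok, default_ticked=True)),
        "bundled": ("marketing-email and analytics", ok),
        "under-13-no-parent": ("analytics", dict(ok, age=12)),
        "under-13-parent-verified": ("analytics", dict(ok, age=12, parental_consent_verified=True)),
        "special-category-generic": ("health-research", ok),
        "special-category-explicit": ("health-research", dict(ok, explicit=True, method="signed-form")),
    }
    accepted = {}
    for label, (purpose, kwargs) in attempts.items():
        try:
            ledger.capture("u-1002", purpose, wording=f"I agree to {purpose}", **kwargs)
            accepted[label] = True
        except ConsentError:
            accepted[label] = False
    return {
        "lawful_before_withdrawal": ledger.is_lawful("u-1001", "marketing-email", t0 + timedelta(days=5)),
        "lawful_after_withdrawal": ledger.is_lawful("u-1001", "marketing-email", t0 + timedelta(days=11)),
        "accepted": accepted,
        "evidence_entries": len(ledger.evidence("u-1001", "marketing-email")),
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping `given_at` and `withdrawn_at` on an append-only record, rather than deleting the row on withdrawal, is that the ledger can still show that an email sent on day 5 was lawful when a complaint arrives on day 12; deleting the record would destroy the evidence the accountability principle requires. Whether the personal data itself must then be erased is the separate question the guide addresses above.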

For broader context, see our hub guide to UK GDPR and our seven principles guide. For cookie consent specifically, which has its own rules under PECR, see our cookie consent guide.

Frequently asked questions

How many lawful bases are there under GDPR?

Seven, following the Data (Use and Access) Act 2025. The original six were consent, contract, legal obligation, vital interests, public task, and legitimate interests. The seventh — recognised legitimate interests — was added under Article 6(1)(ea) and covers specific public-interest purposes.

When is consent the right lawful basis?

When the individual has a genuine choice, the choice is not tied to the provision of a service, and you can demonstrate that consent was freely given, specific, informed, and unambiguous. Marketing communications and processing special category data in research contexts are typical examples.

Can I rely on legitimate interests instead of consent?

Often yes, particularly in commercial contexts. Legitimate interests requires a documented assessment (an LIA) that shows your interests are not overridden by the individual's rights. You cannot rely on legitimate interests for cookies that need consent under PECR.

What is recognised legitimate interest?

A new lawful basis under Article 6(1)(ea), introduced by the DUAA 2025, that covers a specific list of public-interest purposes — crime prevention, safeguarding, emergency response, and similar. Unlike standard legitimate interests, it does not require an LIA. The list is narrow; most commercial use cases still rely on standard legitimate interests.

Can children give consent under GDPR?

In the UK, a child aged 13 or over can give their own consent to information society services. For children under 13, parental consent is required and the controller must take reasonable efforts to verify it. For non-information-society processing, the position depends on the child's capacity to understand.
