The GDPR rules for consent are much stricter than the previous legislation. To collect PII data, you must obtain consent from anyone about whom you want to collect data.
There are certain situations where consent does not have to be obtained, such as when you need the data to fulfill a legal obligation toward the data subject.
### Formatting of consent
According to GDPR, the consent needs to be “freely given, specific, informed and unambiguous and requires affirmative action.” This means that the consent needs to be active, and that it is not enough to add an option that says: “if you continue to browse this site, you allow us to store your personal data”. The data subject needs to actively enter their email address, enable a box or some similar action. Check boxes cannot be enabled by default.
You need to write the consent notification in clear and simple language to ensure that the data subject understands what they are consenting to. You must also explain what the purpose of the data collection is and how the PII data will be used.
When you need the consent of a data subject, you must store that consent (perhaps in a user profile). You must also keep track of the consent given by the data subject so that you can match the consent with the exact purpose and the exact data collected.
For example, suppose you set up a web form to collect name and email address from potential customers, and later you find that you also need their phone numbers, so you add a phone number field to the web form. In this case, you need to track which version of the form the data subject consented to. You will also need a clear explanation of why you need both the email address and the phone number, and to provide the customer with the option to consent to one of them but not the other.
### Withdraw consent
Withdrawing consent must be as easy as giving consent, and the data subject can withdraw consent at any time. Preferably, you should have an automatic procedure for this, where the data subject can log in and delete their consent. The data subject should not have to phone you and ask you to remove their consent.
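The three requirements above (record consent against a specific form version and purpose, refuse pre-ticked boxes, and let the data subject withdraw as easily as they consented) map onto a small consent ledger. The following is an added example, not code from the original page or from any GDPR guidance; the form versions, purposes and subject ids are constructed for illustration, and a real system would persist the records and authenticate the subject before allowing withdrawal.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed example: form version 1 asked for name and email only; version 2
# added a phone number field. A consent given on version 1 can never be read
# as covering the phone number, because that field did not exist at the time.
FORM_VERSIONS = {
    1: frozenset({"name", "email"}),
    2: frozenset({"name", "email", "phone"}),
}


@dataclass
class ConsentRecord:
    subject_id: str
    form_version: int
    purpose: str            # one specific purpose, e.g. "newsletter"
    fields: frozenset       # the fields this consent covers, chosen by the subject
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentStore:
    """In-memory consent ledger keyed by data subject (hypothetical helper)."""

    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def record_consent(self, subject_id: str, form_version: int, purpose: str,
                       fields, *, checked_by_default: bool = False) -> ConsentRecord:
        # Consent must be an affirmative action: a box ticked by default is not consent.
        if checked_by_default:
            raise ValueError("pre-ticked consent is not valid consent")
        if form_version not in FORM_VERSIONS:
            raise ValueError(f"unknown form version {form_version}")
        # The subject may consent to a subset of the form's fields, never to more.
        unknown = set(fields) - FORM_VERSIONS[form_version]
        if unknown:
            raise ValueError(f"fields not on form v{form_version}: {sorted(unknown)}")
        rec = ConsentRecord(subject_id, form_version, purpose, frozenset(fields),
                            datetime.now(timezone.utc))
        self._records.setdefault(subject_id, []).append(rec)
        return rec

    def may_use(self, subject_id: str, field_name: str, purpose: str) -> bool:
        # Use is allowed only while an active consent covers this field for this purpose.
        return any(r.active and r.purpose == purpose and field_name in r.fields
                   for r in self._records.get(subject_id, []))

    def withdraw(self, subject_id: str, purpose: Optional[str] = None) -> int:
        # Self-service withdrawal, optionally for one purpose only. Records are
        # kept (with the withdrawal time) so the history remains auditable.
        now = datetime.now(timezone.utc)
        count = 0
        for r in self._records.get(subject_id, []):
            if r.active and (purpose is None or r.purpose == purpose):
                r.withdrawn_at = now
                count += 1
        return count

    def audit_trail(self, subject_id: str) -> List[ConsentRecord]:
        return list(self._records.get(subject_id, []))


def demo() -> dict:
    """Walks through the form-change scenario from the text with constructed data."""
    store = ConsentStore()
    # "alice" consented on form v1 (no phone field) to newsletter emails.
    store.record_consent("alice", 1, "newsletter", {"name", "email"})
    before_phone = store.may_use("alice", "phone", "newsletter")         # False
    # After the form gained a phone field, she separately consented to calls.
    store.record_consent("alice", 2, "sales-calls", {"phone"})
    phone_ok = store.may_use("alice", "phone", "sales-calls")             # True
    withdrawn = store.withdraw("alice", "sales-calls")                    # 1
    phone_after = store.may_use("alice", "phone", "sales-calls")          # False
    email_still_ok = store.may_use("alice", "email", "newsletter")        # True
    return {"before_phone": before_phone, "phone_ok": phone_ok, "withdrawn": withdrawn,
            "phone_after": phone_after, "email_still_ok": email_still_ok,
            "records": len(store.audit_trail("alice"))}


if __name__ == "__main__":
    print(demo())
```

Withdrawal marks the record rather than deleting it, so the ledger can still show when consent existed and when it ended; the `purpose` argument lets a subject keep one consent while dropping another, which is what the text asks for when a form collects more than one kind of data.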