Giving and removing consent

Opt-out to remove consent


Permission to access or process data is granted by default. The user has to take action to stop access. For example, patients can choose to stop sharing confidential information for research and planning purposes.

IF thinks this pattern can be an effective way of gaining access to data, but that it should be used with care to ensure that it is being employed in appropriate settings with appropriate safeguards.

Under the GDPR, a legal basis for processing data must be demonstrated. Since consent is not obtained through this pattern, it can only be used in services which have another legal basis for accessing data.

In addition, IF thinks this pattern has the potential to shift power towards data collectors. Users have to be aware of data access, and understand it before taking steps to opt out from it. During this time, data about them is being accessed and processed. When implementing this pattern, steps should be taken to mitigate the risks of power imbalances, for example making it easy for users to change their mind.


  • Useful in cases where there is a legal basis for accessing data, besides explicit consent.
  • Useful in cases where there is evidence that an opt-in system might result in the collection of biased or incomplete data sets (e.g. medical research data).


  • Users might not realise data is being shared.
  • Users might not know how to opt-out from providing access to data.
  • This pattern is not an appropriate form of consent for email or text marketing or communication. Users must give specific consent for this.