UK GDPR Compliance Guide
opt-in — same model as GDPR. Use compliance: { type: 'opt-in' } in your ConsentiSetup config.After Brexit, the United Kingdom retained the EU GDPR in domestic law as the UK GDPR, supplemented by the Data Protection Act 2018 (DPA 2018). The result is a framework that is nearly identical to EU GDPR but enforced independently by the Information Commissioner's Office (ICO). Consenti supports UK GDPR via regulation: 'uk-gdpr', which applies the same opt-in consent model as EU GDPR with UK-locale defaults.
regulations: ['gdpr', 'uk-gdpr'] in your profile. Consenti will apply the stricter of the two for any given visitor.Official references
- Data Protection Act 2018 — UK statute text
- ICO — UK GDPR guidance and resources
- ICO — Consent guidance
Key requirements
| Requirement | Detail |
|---|---|
| Consent model | Opt-in — freely given, specific, informed, unambiguous |
| Pre-ticked boxes | Not permitted (UK GDPR Art. 4(11)) |
| Bundled consent | Not permitted — each purpose must be separately consented |
| Withdrawal | Must be as easy as giving consent |
| Records | Controllers must demonstrate consent was obtained (accountability) |
| Age | Under-13 requires parental consent (lower than EU's 16, unless Member State lowered) |
| GPC | Not yet a recognised signal under UK GDPR; ICO guidance pending |
| Enforcer | Information Commissioner's Office (ICO) |
UK GDPR vs. EU GDPR
| EU GDPR | UK GDPR | |
|---|---|---|
| Opt-in required | Yes | Yes |
| Age threshold | 16 (Member States may lower to 13) | 13 |
| Enforcer | National DPAs / EDPB | ICO |
| Adequacy | EU decides on third-country adequacy | UK decides independently |
| GDPR article numbering | Original | Identical — UK GDPR mirrors article numbers |
Enabling UK GDPR mode
Frontend widget
new ConsentiSetup({
core: {
regulation: 'uk-gdpr',
},
})Profile configuration (dashboard)
Select UK GDPR as the regulation in the Profile Editor. The consent model and defaults are identical to EU GDPR. No additional profile fields are required.
Dual EU + UK operation
{
"regulations": ["gdpr", "uk-gdpr"],
"gpc": {
"mode": "honour"
}
}When both are active, Consenti applies EU GDPR opt-in by default (the stricter model) for all visitors. GPC honour is recommended for EU GDPR visitors even though it is not yet mandated under UK GDPR.
Consent records
UK GDPR's accountability principle (Art. 5(2)) requires demonstrating that consent was obtained. Every consent event is written to the immutable audit log automatically. Use the admin dashboard to export records or query via the API:
GET /consenti/api/v1/admin/consent?visitorId=<id>Erasure (UK GDPR Art. 17)
The right to erasure applies identically to EU GDPR. Use:
DELETE /consenti/api/v1/consent/:visitorId