Consenti

UK GDPR Compliance Guide

ℹ️Compliance group: opt-in — same model as GDPR. Use compliance: { type: 'opt-in' } in your ConsentiSetup config.

After Brexit, the United Kingdom retained the EU GDPR in domestic law as the UK GDPR, supplemented by the Data Protection Act 2018 (DPA 2018). The result is a framework that is nearly identical to EU GDPR but enforced independently by the Information Commissioner's Office (ICO). Consenti supports UK GDPR via regulation: 'uk-gdpr', which applies the same opt-in consent model as EU GDPR with UK-locale defaults.

ℹ️If you operate in both the EU and UK you can set regulations: ['gdpr', 'uk-gdpr'] in your profile. Consenti will apply the stricter of the two for any given visitor.

Official references

Key requirements

RequirementDetail
Consent modelOpt-in — freely given, specific, informed, unambiguous
Pre-ticked boxesNot permitted (UK GDPR Art. 4(11))
Bundled consentNot permitted — each purpose must be separately consented
WithdrawalMust be as easy as giving consent
RecordsControllers must demonstrate consent was obtained (accountability)
AgeUnder-13 requires parental consent (lower than EU's 16, unless Member State lowered)
GPCNot yet a recognised signal under UK GDPR; ICO guidance pending
EnforcerInformation Commissioner's Office (ICO)

UK GDPR vs. EU GDPR

EU GDPRUK GDPR
Opt-in requiredYesYes
Age threshold16 (Member States may lower to 13)13
EnforcerNational DPAs / EDPBICO
AdequacyEU decides on third-country adequacyUK decides independently
GDPR article numberingOriginalIdentical — UK GDPR mirrors article numbers

Enabling UK GDPR mode

Frontend widget

ts
new ConsentiSetup({
  core: {
    regulation: 'uk-gdpr',
  },
})

Profile configuration (dashboard)

Select UK GDPR as the regulation in the Profile Editor. The consent model and defaults are identical to EU GDPR. No additional profile fields are required.

Dual EU + UK operation

json
{
  "regulations": ["gdpr", "uk-gdpr"],
  "gpc": {
    "mode": "honour"
  }
}

When both are active, Consenti applies EU GDPR opt-in by default (the stricter model) for all visitors. GPC honour is recommended for EU GDPR visitors even though it is not yet mandated under UK GDPR.

Consent records

UK GDPR's accountability principle (Art. 5(2)) requires demonstrating that consent was obtained. Every consent event is written to the immutable audit log automatically. Use the admin dashboard to export records or query via the API:

http
GET /consenti/api/v1/admin/consent?visitorId=<id>

Erasure (UK GDPR Art. 17)

The right to erasure applies identically to EU GDPR. Use:

http
DELETE /consenti/api/v1/consent/:visitorId