New Standards for "Consent" and the Burden of Proof

The standards for data subject “Consent” have evolved significantly from Decree No. 13/2023/ND-CP toward the Law on Personal Data Protection (2025) and Decree No. 356/2025/ND-CP. This shift focuses on enhancing transparency and verifiability, while explicitly placing the burden of proof on the data controller/processor.

Table of contents:

1. More Specific and Logical Methods of Expressing Consent

Decree 356 has specified the methods that data controllers/processors may use to collect consent. These measures ensure the ability to verify the identity of the data subject, as well as the specific timing and content of the consent given.

The methods include:

In writing;
Via recorded phone calls;
Consent statements via text message (SMS);
Via email, websites, platforms, or applications with technical settings designed to request consent;
By other appropriate methods that can be printed or reproduced in writing, including electronic formats or other verifiable formats.

2. Clarification of the “Verifiability” Concept

A significant advancement of Decree 356 is the clarification of the “verifiability” requirement for consent, thereby addressing the existing gaps under Decree 13/2023/ND-CP. Accordingly, when collecting consent from data subjects, businesses must be able to demonstrate, at a minimum, the following elements:

Whothe data subject providing consent is;
Whenthe consent was given;
The content and scopeof the consent provided by the data subject.

Consequently, a business’s responsibility does not end with merely collecting consent; it also includes the obligation to reconstruct the consent process upon request by regulatory authorities or in the event of a dispute. In practice, if these elements cannot be traced and verified, the consent is at risk of being deemed invalid.

3. New Principles to Combat “Default Consent”

Decree 356 establishes, for the first time, a clear principle aimed at eliminating the “default consent” mechanism in personal data processing activities. Accordingly, the law strictly prohibits setting up default consent methods (such as pre-ticked boxes) or creating unclear instructions that cause confusion between consent and non-consent for the data subject.

The core point is that users are only considered to have consented when they actively perform an action demonstrating their approval. Conversely, any method that “pushes” users into consenting through interface design, presentation, or workflow potentially carries a risk of violation. Compared to Decree 13/2023/ND-CP, this approach is expressed more clearly and directly, especially in the context of data collection models based on digital platforms.

Example 1: Some account registration forms include lines such as “I agree to receive marketing information” or “I agree to share data with partners” with the boxes already pre-ticked. The user only needs to click “Register.” This case does not meet the requirements for valid consent due to the lack of an active action by the user.

Example 2: Cookie banners on e-commerce websites

Many websites display cookie banners with a prominent “Accept” button, while the “Customize” or “Decline” options are blurred, placed in hard-to-see positions, or require multiple additional steps to find. This poses a risk of violation because the interface creates psychological pressure, causing users to tend to click “Accept” without making a truly proactive choice.

4. Burden of Proof and Storage Obligations

The obligation to store consent is a significant advancement of Decree 356, as it clearly codifies this responsibility for the first time. Accordingly, the data subject’s consent is not only a legal condition for data processing at the time it occurs but must also be stored as an independent legal record. Businesses are obligated to ensure the accessibility and provision of evidence of consent upon request during inspections or audits by competent authorities, or in the event of a dispute.

In practice, the failure to store or prove consent may lead to the risk of being deemed as processing personal data without a valid legal basis, even if consent had previously been obtained from the data subject.

Recommendation: The aforementioned changes indicate that businesses need to review their entire process for collecting, recording, and storing consent, particularly regarding digital interfaces, electronic forms, and operating IT systems. Consent management is no longer a mere formality; it has become a critical component of the compliance framework and personal data accountability.

Advisory email info@cdlaf.vn
Hotline: (+84) 909 668 216

Time of writing: 02/01/2026

The article contains general information which is of reference value, in case you want to receive legal opinions on issues you need clarification on, please get in touch with our Lawyer at info@cdlaf.vn

Why choose CDLAF’s service?

We provide effective and comprehensive legal solutions that help you save money and maintain compliance in your business;
We continue to monitor your legal matters even after the service is completed and update you when there are any changes in the Vietnamese legal system;
Our system of forms and processes related to labor and personnel is continuously built and updated and will be provided as soon as the customer requests it;
As a Vietnamese law firm, we have a thorough understanding of Vietnam’s legal regulations, and grasp the psychology of employees, employers, and working methods at competent authorities;
CDLAF’s team of lawyers has many years of experience in the field of labor and enterprises, as well as human resources and financial advisory.
Strict information security procedures throughout the service performance and even after the service is completed.

You can refer for more information:

What should advertising enterprises prepare to comply with the personal data protection law?

Responsibilities of Enterprises when employing Foreign Workers

Is it Mandatory for Enterprises to Appoint Personal Data Protection Personnel?

How Does the Draft Decree on Administrative Sanctions for Personal Data Violations Regulate Acts and Penalties? (Part 2)

How Does the Draft Decree on Administrative Sanctions for Personal Data Violations Regulate Acts and Penalties? (Part 1)

Guidelines for Drafting a Personal Data Protection Policy Under the New Law (Part 1)