GDPR Consent: What Counts and What Doesn't
Consent is one of the most misunderstood legal bases under the General Data Protection Regulation. Many organizations believe they have valid consent when they do not, exposing themselves to substantial fines and enforcement action. This guidance clarifies what the GDPR actually requires for consent to be legally effective, and what common practices fall short.
The Legal Standard: GDPR Article 4(11)
GDPR Article 4(11) defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which the data subject, through a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." Each element matters. Missing even one disqualifies the consent entirely.
The phrase "clear affirmative action" is critical. The regulation explicitly rejects passive consent. Pre-ticked boxes, silence, or inactivity do not constitute valid consent. Your consent mechanism must require the individual to actively opt in. This means redesigning common industry practices: pre-checked boxes must be unchecked, silent acceptance is impermissible, and bundled consent for unrelated purposes is ineffective.
What Valid Consent Requires: The Five Elements
Freely Given: GDPR Article 7(4) prohibits consent that is conditional on accepting services when that consent is unnecessary for the service. A real-world example: you cannot require email marketing consent as a condition of purchasing a product, unless the marketing itself is essential to delivery. However, requiring consent for necessary cookies to operate your website is acceptable because the processing is genuinely necessary.
Additionally, "freely given" means there must be genuine choice. If your organization holds disproportionate power over the individual—such as an employer-employee relationship—the consent is presumptively invalid. GDPR Recital 43 addresses this explicitly. Document your power dynamic assessment; if you are uncertain whether consent is truly voluntary, you likely cannot rely on it.
Specific: The individual must consent to particular processing purposes. Generic consent to "business operations" or "to improve our services" is too vague. Instead, specify: "to send monthly marketing emails," "to analyze website behavior for user experience improvements," or "to share data with payment processors." When processing purposes are genuinely distinct, obtain separate consent for each. This protects you if one processing purpose becomes problematic—the invalidity does not automatically void consent for legitimate purposes.
Informed: Before consent, the individual must receive clear information about: the controller's identity, processing purposes, data categories, recipients, retention periods, and their rights (Articles 13-14). Bury this information in a terms-of-service footnote and your consent fails. Best practice: provide a short, accessible consent notice that contains or clearly links to complete privacy information. Test your materials with non-specialists; if you cannot explain the processing in 2-3 sentences, it is not informed enough.
Unambiguous: The consent must clearly relate to the specified processing. This is why single consent forms covering multiple unrelated processing activities often fail. A declaration stating "I consent to marketing communications and targeted advertising" is ambiguous—these are different purposes with different implications. Use separate, clearly labeled consent mechanisms for each distinct purpose.
Affirmative Action: As noted above, the individual must actively opt in. Recital 32 clarifies that silence, inactivity, or pre-ticked boxes will not suffice. Your web forms should require an explicit action: clicking a button, checking a box (unchecked by default), or selecting "agree." Document the mechanism; if your consent interface is ever audited, you must demonstrate the affirmative action requirement was met.
What Does Not Count as Valid Consent
Pre-ticked boxes or pre-selected options are invalid, even if the individual could uncheck them. The affirmative action must initiate consent, not require action to refuse it.
Browsewrap or terms-of-service-buried consent is ineffective for optional processing. When processing is necessary for a service (e.g., payment processing), it may rely on contract under Article 6(1)(b), not consent. But optional processing—like marketing—cannot hide behind dense legal documents. Explicit, granular consent is required.
Consent that bundles essential and optional processing is often unenforceable for the optional component. GDPR Article 7(4) and Recital 43 establish that you cannot make consent to optional processing a condition of service provision. Separate your necessary processing (rely on contract or legitimate interest) from optional processing (obtain explicit consent).
Implied or inferred consent does not meet the standard. Observing that someone opened a marketing email does not constitute fresh consent to continue sending them.
Practical Implementation: Document Your Consent Basis
Maintain records proving each element. For each consent-based processing activity, document: (1) the exact consent mechanism used, (2) the timing and manner of consent collection, (3) the information provided before consent, and (4) how you verified affirmative action occurred. When audited, you must demonstrate compliance. A screenshot of your consent interface and the text presented is baseline evidence.
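As an added illustration of the record-keeping checklist above and of the form requirements under "Affirmative Action" and "What Does Not Count as Valid Consent", the following Python is example code written for this guidance, not any product's schema or any regulator's tool. Each record captures one purpose, the control's default state, the event treated as the affirmative action, the notice shown beforehand, and the collection timestamp; the validator then reports every element the record fails to evidence. The field names, the purpose and event lists, the timestamps and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Purposes this hypothetical controller has defined as distinct (assumption).
DISTINCT_PURPOSES = {"marketing_email", "behavioral_analytics", "share_with_payment_processor"}
# Events the controller accepts as a clear affirmative action (assumption).
AFFIRMATIVE_EVENTS = {"checkbox_checked", "button_clicked", "toggle_enabled"}


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                          # exactly one specific purpose per record
    mechanism: str                        # "checkbox", "button", "toggle", ...
    default_state: str                    # state of the control before the subject acted
    action_event: Optional[str]           # the event captured as the affirmative action
    collected_at: Optional[datetime]      # when consent was collected
    notice_version: Optional[str]         # identifies the information shown beforehand
    notice_url: Optional[str]             # where the full privacy information lived
    conditional_on_service: bool = False  # was the service withheld without this consent?
    bundled_with: List[str] = field(default_factory=list)  # other purposes in the same control


def consent_problems(rec: ConsentRecord) -> List[str]:
    """Return every element of valid consent this record fails to evidence."""
    problems: List[str] = []
    # Freely given (Art. 7(4)): optional processing must not gate the service.
    if rec.conditional_on_service:
        problems.append("consent was a condition of the service; necessary processing "
                        "should rely on contract or legitimate interest instead")
    # Specific: one defined purpose per record.
    if rec.purpose not in DISTINCT_PURPOSES:
        problems.append(f"purpose {rec.purpose!r} is not a defined specific purpose")
    # Unambiguous: one control must not cover several distinct purposes.
    if rec.bundled_with:
        problems.append("control bundled purposes: " + ", ".join(rec.bundled_with))
    # Informed: the notice shown before consent must be identifiable.
    if not rec.notice_version or not rec.notice_url:
        problems.append("no record of the information provided before consent")
    # Affirmative action (Recital 32): unchecked by default, then an explicit act.
    if rec.default_state != "unchecked":
        problems.append(f"default state was {rec.default_state!r}; must be 'unchecked'")
    if rec.action_event is None:
        problems.append("no affirmative action event recorded")
    elif rec.action_event not in AFFIRMATIVE_EVENTS:
        problems.append(f"event {rec.action_event!r} is inferred, not a clear affirmative action")
    # Timing and manner of collection must be documented.
    if not rec.mechanism:
        problems.append("consent mechanism not documented")
    if rec.collected_at is None:
        problems.append("no collection timestamp")
    elif rec.collected_at.tzinfo is None:
        problems.append("collection timestamp has no timezone")
    return problems


def audit(records: List[ConsentRecord]) -> Dict[str, List[str]]:
    """Map each record that cannot be relied on to the reasons why."""
    findings: Dict[str, List[str]] = {}
    for rec in records:
        problems = consent_problems(rec)
        if problems:
            findings[rec.subject_id] = problems
    return findings


# Constructed sample records (not real data).
WHEN = datetime(2024, 3, 1, 10, 15, tzinfo=timezone.utc)
NOTICE = ("privacy-v7", "https://example.com/privacy")
VALID = ConsentRecord("s-1", "marketing_email", "checkbox", "unchecked",
                      "checkbox_checked", WHEN, *NOTICE)
PRE_TICKED = ConsentRecord("s-2", "marketing_email", "checkbox", "checked",
                           None, WHEN, *NOTICE)
BUNDLED = ConsentRecord("s-3", "marketing_email", "checkbox", "unchecked",
                        "checkbox_checked", WHEN, *NOTICE,
                        bundled_with=["targeted_advertising"])
INFERRED = ConsentRecord("s-4", "marketing_email", "email_tracking", "unchecked",
                         "email_opened", None, None, None)
SAMPLE_RECORDS = [VALID, PRE_TICKED, BUNDLED, INFERRED]

if __name__ == "__main__":
    for subject, reasons in audit(SAMPLE_RECORDS).items():
        print(subject, "->", "; ".join(reasons))
```

Storing the default state and the captured event separately is what lets an auditor distinguish a box the subject ticked from a box that was already ticked, and keeping `notice_version` beside the record ties each consent to the exact information the subject saw at the time.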
Review your current consent mechanisms now. If you rely on pre-ticked boxes, bundled consent, or terms-buried notices for optional processing, prioritize remediation. Organizations that redesign before enforcement action demonstrate good faith, a factor regulators consider during investigations.