Glossary GDPR HIPAA CCPA/CPRA

Consent

Consent is a voluntary, informed, and unambiguous affirmation of agreement by an individual to the collection, processing, or use of their personal or health information. It must be freely given without coercion, and the individual must understand the purpose, scope, and implications of their consent before providing it.

Regulatory Definitions
  • GDPR (Article 4(11) & Article 7): Consent is any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data. Consent must be distinguished from legitimate interest and must be obtained prior to processing. A mere pre-ticked box or inactivity does not constitute valid consent.
  • HIPAA (45 CFR §164.508): Consent is an individual's authorization for the use and disclosure of their protected health information (PHI) for treatment, payment, and health care operations. Unlike GDPR, HIPAA permits use and disclosure of PHI for these purposes without explicit consent, but individuals have the right to request restrictions. Written consent forms must be provided in plain language and include specific uses.
  • CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.): Consent is the affirmative authorization by a consumer to the collection, use, retention, sharing, or deletion of personal information. The CPRA requires explicit opt-in consent for sensitive personal information and for the sale/sharing of personal information. The right to opt out (for non-sensitive data sales) is an alternative to prior consent. Consent must be obtained before processing, and consumers have the right to withdraw consent at any time.