Why It Matters
Consent is one of six legal bases for processing personal data under GDPR, and it's the most visible to users — cookie banners, newsletter opt-ins, and marketing permissions all rely on it. Getting consent wrong is one of the most common reasons for GDPR fines. Major penalties have been issued for pre-ticked boxes, buried consent clauses, and cookie walls that forced consent.
The Four Requirements of Valid Consent
GDPR Article 4(11) sets a high bar:
- Freely given — The data subject must have a genuine choice. Consent cannot be a condition for accessing a service unless the data is necessary for that service. There must be no negative consequences for refusing.
- Specific — Consent must cover a particular processing purpose. Blanket consent ("I agree to everything") is invalid. Each purpose needs separate consent.
- Informed — The data subject must know at minimum: who the controller is, what data is collected, why, how long it's kept, and their right to withdraw.
- Unambiguous — Requires a clear affirmative action (opt-in). Pre-ticked boxes, silence, or inactivity do not constitute consent.
Consent vs Other Legal Bases
Consent is not always the best legal basis. GDPR provides five alternatives:
- Contract performance — Processing needed to fulfill a contract (e.g., shipping address for an order)
- Legal obligation — Required by law (e.g., tax records)
- Vital interests — Protecting someone's life
- Public interest — Tasks in the public interest
- Legitimate interest — The controller's interest outweighs the individual's rights (requires a balancing test)
If another legal basis applies and is more appropriate, do not use consent — it creates unnecessary withdrawal risk.
Withdrawal of Consent
Data subjects must be able to withdraw consent at any time, and it must be as easy to withdraw as it was to give. Once consent is withdrawn, processing must stop — though this does not affect the lawfulness of processing done before withdrawal.
Common Mistakes
- Pre-ticked boxes — Invalid under GDPR (Planet49 ruling, CJEU 2019)
- Cookie walls — Forcing consent to access a website is generally not considered "freely given"
- Bundled consent — Combining consent for multiple purposes into one checkbox
- No withdrawal mechanism — Making it hard to unsubscribe or opt out
- Consent for children — Under 16 requires parental consent (some member states lower this to 13)
Key Regulation
- GDPR Article 4(11) — definition of consent
- GDPR Article 7 — conditions for consent
- GDPR Article 8 — children's consent
- EDPB Guidelines 05/2020 — consent under the GDPR