GDPR Consent Requirements: Best Practices
Quick Answer
GDPR consent must be freely given, specific, informed, and unambiguous. It requires a clear affirmative action (no pre-ticked boxes), must be as easy to withdraw as to give, and organizations must keep records proving valid consent was obtained.
GDPR Consent Requirements
Consent is one of the six lawful bases for processing personal data under GDPR. When used, it must meet strict requirements — far stricter than the pre-GDPR "implied consent" that many organizations relied on. Invalid consent means unlawful processing, which means potential fines.
Key Takeaways
- Consent must be: freely given, specific, informed, and unambiguous
- Requires a clear affirmative action — pre-ticked boxes and silence do NOT count
- Must be as easy to withdraw as it was to give
- Separate consent needed for each distinct processing purpose
- Controllers must keep records demonstrating valid consent was obtained
- Consent is NOT always the best lawful basis — consider contract or legitimate interest first
The Four Consent Requirements
| Requirement | What It Means | Common Failure |
|---|---|---|
| Freely given | No detriment for refusing; not a condition of service (unless necessary) | Bundling consent with T&Cs, making consent mandatory for service access |
| Specific | Separate consent for each distinct purpose | Single consent checkbox for multiple unrelated processing activities |
| Informed | Clear information about who, what, why, and rights | Vague or buried privacy language, no mention of data subject rights |
| Unambiguous | Clear affirmative action (opt-in, not opt-out) | Pre-ticked checkboxes, continued browsing as consent, implied consent |
When to Use Consent vs Other Bases
Consent Is Not Always Best
Many organizations default to consent when other lawful bases would be more appropriate. Consent should be your last resort, not your first choice. Legitimate interest is often more practical for B2B marketing. Contractual necessity is better for processing required to deliver a service. Consent's strict withdrawal requirements make it burdensome to manage.
| Processing Activity | Recommended Basis | Why Not Consent? |
|---|---|---|
| Fulfilling a customer order | Contract | Processing is necessary for the contract |
| B2B email marketing to existing customers | Legitimate interest | Genuine business interest, balanced with recipient rights |
| Newsletter signup | Consent | Direct marketing to individuals not already customers |
| Analytics cookies | Consent | ePrivacy requires consent for non-essential cookies |
| Employee payroll processing | Contract / Legal obligation | Necessary for employment and tax law |
| Targeted advertising | Consent | Significant impact on individuals, consent most appropriate |
How to Collect Valid Consent
Consent Collection Best Practices
- Use clear, plain language — no legal jargon
- Unticked opt-in checkbox (never pre-ticked)
- Separate checkbox for each processing purpose
- Clearly state what data will be collected and why
- Identify who will process the data (including third parties)
- Include link to full privacy policy
- Explain how to withdraw consent
- Don't make consent a condition of accessing the service (unless truly necessary)
- Record: who consented, when, how, and what they were told
- Use granular options (e.g., separate consent for email vs SMS vs phone)
Withdrawal of Consent
GDPR requires that withdrawing consent be as easy as giving it. If someone consented with a single click, they should be able to withdraw with a single click. Making withdrawal difficult or burying the option is a violation.
- Provide a clear, accessible mechanism for withdrawal (e.g., unsubscribe link, account settings toggle)
- Process withdrawal requests promptly (processing must stop)
- Prior processing based on consent remains lawful (withdrawal is not retroactive)
- If you have no other lawful basis, you must delete the data after consent withdrawal
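The collection checklist above and the withdrawal rules can be reduced to a small record-keeping model. The following is an added illustration, not code from the original page or from any consent management product; the `ConsentLedger` class, its method names and the sample purposes ("email", "sms", "phone") are assumptions. It refuses pre-ticked defaults, stores one record per purpose with who, when, how and what notice the person saw, makes withdrawal a single call, and treats withdrawal as non-retroactive.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str             # one record per purpose (granular consent)
    given_at: datetime       # when consent was given
    method: str              # how it was collected, e.g. "signup-form checkbox"
    notice_version: str      # what the person was told at the time
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only evidence store: who consented, when, how, and to what notice."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, subject_id: str, choices: Dict[str, bool], method: str,
               notice_version: str, *, preselected: bool = False) -> List[str]:
        # A pre-ticked box is not an affirmative action, so it is never recorded as consent.
        if preselected:
            raise ValueError("consent must be an opt-in; pre-ticked defaults are invalid")
        now = datetime.now(timezone.utc)
        granted = [p for p, ticked in choices.items() if ticked]  # silence is not consent
        for purpose in granted:  # separate record per purpose, never a bundled one
            self._records.append(ConsentRecord(subject_id, purpose, now, method, notice_version))
        return granted

    def withdraw(self, subject_id: str, purpose: str) -> bool:
        """One call withdraws one purpose: as easy as the single click that gave it."""
        changed = False
        for r in self._records:
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = datetime.now(timezone.utc)
                changed = True
        return changed

    def may_process(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """True if an active consent covered this purpose at `at` (default: now).
        Withdrawal is not retroactive: processing before withdrawn_at stays lawful."""
        at = at or datetime.now(timezone.utc)
        return any(r.subject_id == subject_id and r.purpose == purpose and r.given_at <= at
                   and (r.withdrawn_at is None or at < r.withdrawn_at) for r in self._records)

    def evidence(self, subject_id: str) -> List[ConsentRecord]:
        """Everything needed to demonstrate valid consent for one data subject."""
        return [r for r in self._records if r.subject_id == subject_id]
```

Processing code should call `may_process` for the specific purpose before every consent-based operation rather than caching the answer, since withdrawal must take effect immediately.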
Common Consent Mistakes
- Pre-ticked boxes: The CJEU (EU Court of Justice) ruled in Planet49 that pre-ticked boxes do not constitute valid consent.
- Bundled consent: Combining consent for multiple purposes into a single checkbox. Each purpose needs separate, granular consent.
- Consent walls: Blocking access to content/services unless the user consents to non-essential processing (like advertising cookies). This undermines the "freely given" requirement.
- Dark patterns: Making the "accept" button prominent while hiding the "decline" option. Supervisory authorities increasingly penalize manipulative consent interfaces.
- No withdrawal mechanism: Collecting consent but not providing an easy way to withdraw it.
- Not keeping records: You must be able to prove who consented, when, how, and what they were told. Without records, consent is effectively invalid.
Key Figures
- EUR 746M: Amazon GDPR fine (2021), partly for consent/transparency failures
- EUR 390M: Meta fine (2023), for using the wrong lawful basis (contract instead of consent)
- Immediately: withdrawal effect; processing must stop upon withdrawal
- Granular: purpose-specific; separate consent per processing purpose
Can I use soft opt-in for email marketing?
Under the ePrivacy Directive (separate from GDPR), many EU countries allow 'soft opt-in' for existing customers: if you collected their email during a sale and are marketing similar products, you can use legitimate interest rather than consent. However, you must provide an opt-out mechanism and include your identity in every message.
How long does consent last?
GDPR doesn't specify an expiration for consent. However, consent should be refreshed periodically (annually is good practice) and must be re-obtained if processing purposes change. Some supervisory authorities have suggested consent should be refreshed every 2 years.
Can children consent under GDPR?
For online services, children under 16 (or 13-16 depending on member state) cannot give their own consent. Parental consent is required. This is particularly relevant for social media, gaming, and educational platforms.
Is a cookie banner sufficient for GDPR consent?
Only if it meets GDPR requirements: no pre-selected cookies, clear information about each cookie category, easy opt-in/opt-out, and a genuine choice (not a consent wall). Many cookie banners fail GDPR requirements. See our GDPR cookie consent guide.