The General Data Protection Regulation (GDPR) is now the foundation of online data protection legislation. As it governs all EU citizen personal data, the Regulation is not only applicable to EU-based organizations. Indeed, any website an EU citizen may potentially access is required to meet the GDPR standards.

That’s especially relevant to the GDPR consent requirements.

Consent is at the core of the GDPR. The primary goal of the Regulation is to give EU citizens greater power over their personal data. That means knowing what is collected and being able to ask for it to be erased.

But what are the initial consent requirements? And how do you meet them?

What is valid, active consent?

Consent is a simple concept: you must ask permission to obtain or collect data from a person. Under the GDPR Article 4, consent is defined as:

“Consent of the data subject means any freely given, specific, informed, and unambiguous indication of a data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

That establishes a few fundamentals:

  1. The consent must be freely given by the individual whose data it is.
  2. Consent cannot be coerced or misleading – the subject must fully understand what they are consenting to.
  3. The subject must actively consent – i.e., passive consent or consent by silence, whereby the use of a website is taken as consent, is not allowed.

If any of these fundamentals are not followed, then the consent is not considered valid. That opens organizations up to significant fines and penalties.

Indeed, Google famously violated the consent conditions. As a result, it was hit with a €50 million fine. The French data protection authorities said that Google’s consent mechanism was neither “informed” nor “unambiguous” nor “specific.”

What are the conditions for consent?

The GDPR clarifies the definition of consent, in Article 7, by providing necessary conditions for consent:

  1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
  2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
  3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
  4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

These clarifications add further caveats to the consent criteria of the GDPR, namely:

  • People can withdraw their consent at any point.
  • Consent must be demonstrable.
  • It must be clear what a person is consenting to when other matters are included.
  • Contracts should only contain consent for the collection of relevant data.

This allows the GDPR to remain compliant with other EU legislation, such as the Right to be Forgotten.

How can consent be freely given?

To “freely give” consent means to do so without coercion. However, the GDPR goes further. Recital 42 states, “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” The latter clause extends consent to encompass deals in which significant financial loss prevents a person from refusing.

Furthermore, as Recital 43 goes on, freely given consent must be provided for each data processing operation. For example, using an email address for marketing and using an IP address for web analytics are separate operations, and the two cannot be encapsulated in a single consent.

How is consent specific and unambiguous?

The previous example highlights another key aspect: specificity. Consent must not be broader than necessary and should explain each data use separately.

So, the use of data for marketing purposes must be explained, followed by web analytics. This allows the data owner to be fully informed about the consequences of consenting.

Nor can consent be ambiguous; it cannot be inferred from, for instance, “silence, pre-ticked boxes, or inactivity.” Instead, consent must clearly indicate a data subject’s acceptance of the terms.

How is consent informed?

This is one of the most common pitfalls of consent forms. As the GDPR states, the consent must be written in “an intelligible and easily accessible form, using clear and plain language.” That means organizations cannot dress up consent forms in diffuse, misleading technical jargon or legalese.

Rather, anyone must be able to understand the consent form regardless of prior expertise.

This was particularly important in the Google case. Here, French authorities took issue with the dilution of information on processing operations for ad personalization. Thus, without adequate information, the data subject could not give their informed consent.


Data consent is understandably complex. Indeed, one in five respondents to a survey reported that complete GDPR compliance is “impossible.”

That’s simply not the case.

Rather, write your consent forms in clear and easy-to-understand language, in which you explain the data collected and what it will be used for – clearly delineating each use. Then, provide an option for data subjects to rescind their consent.

For further information, please refer to the 88-page Regulation itself.