- Valid consent under Art. 7 GDPR must be freely given, informed, unambiguous, specific, and given by a clear affirmative action.
- The coupling prohibition (Art. 7(4)) forbids making a service conditional on consent to data processing that is not necessary for that service.
- Withdrawal must be as easy as giving consent. An opt-in by click and a withdrawal only by letter is impermissible.
- Special categories of personal data (Art. 9) require explicit consent with a higher degree of specificity.
- You bear the burden of proof: in case of dispute, you must be able to demonstrate that the data subject consented — when, how, and to what.
Consent as a legal basis: Powerful tool with high hurdles
Art. 6(1) GDPR defines six legal bases for processing personal data. Consent (lit. a) is the best known but by no means the simplest. On the contrary: the requirements for valid consent are so high that many organizations would be better advised to use a different legal basis, if one is available.
Why is that? Because consent is revocable at any time. If you base your entire data processing on consent and a significant proportion of data subjects revoke, you suddenly have no legal basis. And because the burden of proof lies with you: in a dispute, you must demonstrate that consent was validly given. That requires complete documentation.
Nevertheless, there are processing activities where consent is the only suitable legal basis: newsletter distribution, tracking for marketing purposes, processing special data categories without another legal basis, sharing data with third parties for advertising purposes.
The seven validity requirements
Valid consent under the GDPR must cumulatively satisfy seven requirements. If any one is missing, the consent is invalid, and the processing based on it is unlawful.
1. Freely given
Consent must be freely given. This sounds self-evident but is, in practice, the criterion most consents fail on. Freely given means the data subject has a genuine choice and can refuse consent without disadvantage.
No exploiting power imbalances: In the employer-employee relationship, voluntariness is particularly critical. When an employer asks for consent, the employee can hardly say no in practice — even if theoretically they could. That is why supervisory authorities accept consent in employment relationships as valid only in exceptional cases, such as voluntary salary conversion where the employee has a genuine advantage.
Coupling prohibition (Art. 7(4)): You may not make a service conditional on the data subject consenting to processing that is not necessary for providing that service. Classic example: an online shop may not make completing a purchase conditional on the customer agreeing to newsletter distribution. The purchase works without a newsletter, so consent to the newsletter may not be a prerequisite for the purchase.
No disadvantages for refusal: The data subject must not suffer any disadvantages from refusing consent. "If you don't consent, you can't use our basic features" is only permissible if the data processing is actually necessary for those basic features. But then you do not need consent — you rely on Art. 6(1)(b) (contract performance).
2. Informed
The data subject must know what they are consenting to. This requires that you clearly and understandably inform them before consent about:
- The identity of the controller (Who processes the data?)
- The purpose of processing (What will the data be used for?)
- The types of data being processed
- The right to withdraw at any time
- Where applicable: risks of a data transfer to third countries without an adequacy decision
The information must be written in clear, plain language (Art. 7(2)). Legalese in the smallest font size hidden in the terms and conditions does not meet this requirement. The information must be designed so that an average user understands and notices it.
3. Unambiguous
Consent must be given by an "unambiguous indication of the data subject's wishes." This means: it must be clearly recognizable that the data subject consents and what they mean by it. No consent through silence, no consent through inaction, no pre-ticked checkboxes.
The European Court of Justice (CJEU) clarified in its Planet49 ruling (C-673/17): a pre-selected checkbox that the user must actively deselect (opt-out) is not valid consent. Only an active selection of the checkbox by the user (opt-in) meets the requirement.
4. Specific (for the specific case)
Consent must relate to a specific processing purpose. A blanket consent ("I consent to the processing of my data") is invalid. You must name each purpose separately and, if you pursue multiple purposes, obtain separate consent for each purpose (granularity).
Example: if you want to both send a newsletter and serve personalized advertising, you need two separate consents — not a combined consent for both. The data subject must have the option to agree to the newsletter but reject personalized advertising.
5. Clear affirmative action
Consent must be given through an active action: checking a box, clicking a button, making a verbal declaration, signing. Merely continuing to browse a website is not an active action and thus not valid consent. Nor is simply closing a cookie banner by clicking "X" considered consent by most supervisory authorities.
6. Revocability
Art. 7(3) GDPR requires that consent can be withdrawn at any time and that withdrawal must be as easy as giving consent. This principle is massively violated in practice.
Common violations:
- Consent by click, withdrawal only by letter to management
- Consent on the website, withdrawal only by phone during business hours
- Consent with one click, withdrawal via a three-page form
- Newsletter signup in seconds, unsubscribe requires login and navigation through five sub-pages
Properly implemented: If consent is given by click on a website, withdrawal must also be possible by click on the same website. An unsubscribe link in every newsletter email is the minimum.
Effect of withdrawal: Withdrawal applies only going forward. Processing that occurred before the withdrawal on the basis of consent remains lawful (Art. 7(3) sentence 2).
7. Form and verifiability
The GDPR does not prescribe a specific form for consent. It can be given in writing, electronically, or orally. However, you bear the burden of proof (Art. 7(1)). In a dispute, you must be able to demonstrate:
- Who consented (identity of the data subject)?
- When was consent given (timestamp)?
- What was consented to (exact wording of the consent declaration)?
- How was consent given (mechanism: checkbox, button, signature)?
- What information was available at the time of consent?
For electronic consent, this means storing not only the result ("consented: yes") but the entire context: timestamp, IP address, user agent, version number of the consent declaration, and version number of the privacy notice. In ISMS Lite, consent status per purpose and person can be documented in an audit-proof manner, including version history and withdrawal records.
Special categories: Explicit consent under Art. 9
For processing special categories of personal data (health data, biometric data, data on sexual orientation, trade union membership, etc.), "simple" consent is not sufficient. Art. 9(2)(a) requires "explicit" consent.
What does "explicit" mean as opposed to "unambiguous"? The prevailing opinion is that explicit consent requires a higher degree of specificity. The data subject must be aware that they are consenting to the processing of particularly sensitive data. This means:
- The special categories must be explicitly named
- The risks of processing should be highlighted
- Consent should be obtained separately from other consents
- Written form or a comparably documented procedure is recommended
Consent from minors
Art. 8 GDPR regulates consent from children in relation to information society services (e.g., social media, online games, apps). The age limit is 16 years, although member states may lower it to as low as 13. Germany has not exercised this option and has kept the limit at 16 years.
For children under 16, the holder of parental responsibility must give or approve consent. You must make "reasonable efforts, taking into consideration available technology" to verify that consent was actually given by the holder of parental responsibility.
In practice, this is one of the most difficult GDPR requirements because reliable age verification on the internet is technically hardly feasible.
Common mistakes with consent
Consent as the default legal basis
Many organizations reflexively rely on consent even though another legal basis would be more robust. You do not need consent for processing customer data for contract performance. You do not need consent for processing employee data for payroll. You do not need consent for processing based on legitimate interests. Always first check whether another legal basis applies, and document the appropriate legal basis for each activity in your records of processing activities. Consent is the safety net, not the first choice.
Blanket consent for everything
"I consent to the processing of my personal data in accordance with the privacy notice." This sentence still appears on countless forms and is worthless as consent. It names no specific purpose, merely refers generically to the privacy notice, and offers no granularity.
Pre-ticked checkboxes
After the CJEU's Planet49 ruling, this should be obvious to everyone, but pre-ticked checkboxes are still found in practice. They are not valid consent. This also applies to sliders that default to "on."
Consent in the fine print
The consent declaration hidden in a long block of text that no one reads does not meet the information requirement. Consent must be clearly distinguishable from other declarations (terms and conditions, terms of use) (Art. 7(2)).
Making withdrawal difficult
An unsubscribe link at the very bottom of the email, in 6-point font, gray on light gray? A withdrawal process requiring login, password reset, navigation through three sub-menus, and confirmation by email? These are not permissible withdrawal mechanisms. Withdrawal must be as easy as giving consent.
No proof of consent
"The customer agreed on the phone." Without a recording, without a witness, without documentation? That is not sufficient. If you have no evidence, you have no consent. The burden of proof lies with you, and the supervisory authority will assume in case of doubt that no valid consent was given.
Consent and Consent Management Platforms (CMP)
For obtaining and managing consent on websites and in apps, Consent Management Platforms (CMPs) have become established. They control cookie banners and consent dialogs and document the consents given and refused.
A good CMP meets the following requirements:
- Granularity: Separate consent for each purpose (functional, analytics, marketing)
- No nudging: The "Reject" button is as prominent as the "Accept" button
- Complete information: The name and purpose of each cookie and tracking service are disclosed
- Easy withdrawal: Settings can be changed at any time, ideally via a permanently visible icon
- Complete documentation: Every consent and every refusal is stored with timestamp and context
- TCF compatibility: Support for the Transparency and Consent Framework of IAB Europe (relevant for programmatic advertising)
The selection and configuration of the CMP is a topic in its own right, covered in depth in the article on cookie banners and consent management.
Consent in email marketing
Email marketing is the area where consent is most frequently used. Besides the GDPR, the Unfair Competition Act (UWG) and the ePrivacy Directive are also relevant here.
Double opt-in as standard: In the German legal context, the double opt-in procedure has become best practice. The user enters their email address (first opt-in), receives a confirmation email, and clicks the confirmation link (second opt-in). Only after the second opt-in is consent effective. Double opt-in protects against abuse (someone enters another person's email address) and simultaneously provides robust proof of consent.
What you must document:
- Time of registration (first opt-in)
- IP address at registration
- Time of confirmation (second opt-in)
- IP address at confirmation
- Wording of the consent declaration at the time of registration
- Wording of the confirmation email
Unsubscribe: Every marketing email must contain a functioning unsubscribe link. Unsubscribing must be possible with one click, without login or further hurdles. Since 2024, Gmail and Yahoo additionally require support for the List-Unsubscribe header for bulk emails.
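As an added example (not code from this page, from ISMS Lite, or from any CMP), the following Python consent ledger implements the evidence requirements of requirement 7 above and the double opt-in documentation list in this section: one record per purpose, the hash and version of the exact wording shown, timestamp and IP at both opt-ins, a single-use confirmation token stored only as a hash, and a withdrawal timestamp that ends consent going forward without deleting the record. The consent texts, addresses and names are constructed sample data.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample wording keyed by (purpose, version); the exact text displayed at sign-up
# is hashed into the record so the wording the person saw can be proven later.
CONSENT_TEXTS = {("newsletter", 2): "I want the weekly newsletter. I can unsubscribe at any time.",
                 ("ads", 1): "I agree to personalised advertising based on my purchases."}
def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()
@dataclass
class ConsentRecord:
    subject: str                # who consented
    purpose: str                # one purpose per record (granularity)
    text_version: int           # which wording was displayed
    text_hash: str              # SHA-256 of that wording
    requested_at: datetime      # first opt-in
    request_ip: str
    user_agent: str
    token_hash: str             # hash of the emailed confirmation token, never the token itself
    confirmed_at: Optional[datetime] = None   # second opt-in
    confirm_ip: Optional[str] = None
    withdrawn_at: Optional[datetime] = None   # withdrawal is logged; the record is never deleted
class ConsentLedger:
    def __init__(self) -> None:
        self.records = []
    def request(self, subject, purpose, version, ip, ua, now) -> str:
        token = secrets.token_urlsafe(32)
        self.records.append(ConsentRecord(subject, purpose, version,
                            _h(CONSENT_TEXTS[(purpose, version)]), now, ip, ua, _h(token)))
        return token  # goes into the confirmation email; only its hash is stored
    def confirm(self, token, ip, now, max_age=timedelta(hours=48)) -> bool:
        for r in self.records:  # accept only an unconfirmed, unexpired request for this token
            if r.token_hash == _h(token) and r.confirmed_at is None and now - r.requested_at <= max_age:
                r.confirmed_at, r.confirm_ip = now, ip
                return True
        return False
    def withdraw(self, subject, purpose, now) -> bool:
        for r in self.records:
            if r.subject == subject and r.purpose == purpose and r.confirmed_at and not r.withdrawn_at:
                r.withdrawn_at = now
                return True
        return False
    def has_consent(self, subject, purpose, at) -> bool:
        # valid only from the second opt-in until withdrawal (Art. 7(3): withdrawal acts going forward)
        return any(r.subject == subject and r.purpose == purpose and r.confirmed_at is not None
                   and r.confirmed_at <= at and (r.withdrawn_at is None or at < r.withdrawn_at)
                   for r in self.records)
```

In production the records would go to an append-only store rather than a list, but the fields and the state transitions are what an auditor will ask for.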
Consent in employee communications
In the employment relationship, consent as a legal basis is particularly problematic because voluntariness is regularly questioned due to the dependency relationship. Nevertheless, there are cases where consent in an employment relationship can be valid:
- Publishing employee photos on the company website
- Participation in a voluntary employee bonus program involving health data
- Use of a personal device for work purposes (BYOD)
The prerequisite is always that refusing consent genuinely remains free of disadvantage. If refusing the photo consent leads to a worse evaluation at the next promotion review, the consent was not freely given.
Checklist: Verifying valid consent
Before you obtain consent, check each of the following points:
- Is there an alternative legal basis that works without consent?
- Is the consent truly voluntary and refusable without disadvantage?
- Is each processing purpose separately and specifically named?
- Is the information about the processing clear, understandable, and complete?
- Does consent require an active action (no opt-out)?
- Is withdrawal as easy as giving consent?
- Is consent documented completely and in an audit-proof manner?
- For special data categories: is explicit consent obtained?
- For minors: is verification of parental consent performed?
- Is the data subject informed about the right of withdrawal before consenting?
If you can answer all points with yes, your consent is on a solid foundation. If not, revise the consent mechanism before deploying it.
Further reading
- Implementing Data Subject Rights: Access, erasure, and data portability
- Cookie banners and consent management: Legally compliant implementation
- DPIA (Data Protection Impact Assessment): When required and how to conduct one
- Records of processing activities (RoPA) under Art. 30 GDPR
- Deletion concept under GDPR: Retention periods, deletion rules, and implementation
Consent is a powerful instrument that must be used with care. Properly implemented, it gives data subjects genuine control over their data and you a robust legal basis. Poorly implemented, it is a legal risk that will become a problem at the next supervisory audit or complaint.
