GDPR Consent Management: Getting Permission Right
Consent under GDPR involves significantly more than a simple checkbox. Valid consent requires clear, affirmative action and must be freely given, specific, informed, and unambiguous. Consent-related issues remain among the most common areas of GDPR enforcement.
Key Takeaways
| Point | Summary |
|---|---|
| Valid consent requires | Freely given, specific, informed, unambiguous, and easy to withdraw |
| No pre-ticked boxes | Consent must be an active opt-in, not assumed from silence |
| Separate consent | Different purposes need separate consent; no bundling |
| Record everything | Keep proof of what was consented to, when, and how |
| Easy withdrawal | Must be as easy to withdraw consent as to give it |
| Children's consent | Parental consent required for online services below age threshold (13-16 by country) |
Quick Answer: GDPR consent must be a clear opt-in (no pre-ticked boxes), separate for each purpose, and easy to withdraw. Record when and how consent was given. Consider using other legal bases (Contract, Legitimate Interests) for core services instead.
What Makes Valid Consent?
GDPR sets a high bar for valid consent:
Freely Given:
- No coercion or pressure
- Genuine choice to refuse
- Service not conditional on consent
- No detriment for refusing
Specific:
- Separate consent for different purposes
- Granular options
- Clear about each processing activity
- No bundled consent
Informed:
- Clear explanation of processing
- Identity of controller
- Purposes of processing
- Rights of withdrawal
- Plain language
Unambiguous:
- Clear affirmative action
- No pre-ticked boxes
- No inferred consent from inaction
- Explicit opt-in required
When to Use Consent
Good Use Cases for Consent
| Use Case | Why Consent Works |
|---|---|
| Marketing emails | User genuinely chooses to receive |
| Non-essential cookies | User controls tracking preferences |
| Sharing with third parties | User decides who gets their data |
| Special category data | Often legally required |
| New/incompatible purposes | Extending beyond original scope |
| Research participation | Voluntary participation |
When NOT to Use Consent
| Situation | Better Alternative |
|---|---|
| Service delivery | Contract |
| Payment processing | Contract |
| Legal requirements | Legal Obligation |
| Fraud prevention | Legitimate Interests |
| Account security | Legitimate Interests |
| Basic analytics | Legitimate Interests |
Why avoid consent when possible?
- Consent can be withdrawn at any time
- If withdrawn, you must stop processing without undue delay
- Contract or legitimate interests provide more stability
Obtaining Valid Consent
Consent Form Best Practices
Do:
- Use clear, plain language
- Explain exactly what you'll do with data
- Provide separate checkboxes for different purposes
- Make the consent request prominent
- Link to your full privacy policy
- Make it easy to withdraw consent later
Don't:
- Use pre-ticked boxes
- Bundle consent with terms acceptance
- Use confusing double negatives
- Bury consent in lengthy text
- Make consent a condition of service (unless genuinely necessary)
- Use dark patterns
Example Consent Forms
Bad Example:
☑ I agree to the terms and conditions and privacy policy and consent to receive marketing communications
Problems: Pre-ticked, bundled consent, vague
Good Example:
☐ I would like to receive product updates and tips via email
☐ I would like to receive special offers and promotions
☐ I consent to receiving personalized recommendations based on my usage of the service
You can withdraw these consents at any time in your account settings or by contacting privacy@company.com
Types of Consent
Standard Consent
For most processing activities:
| Requirement | Standard Consent |
|---|---|
| Form | Any clear affirmative action |
| Documentation | Record of when and how obtained |
| Withdrawal | Must be as easy as giving |
| Specificity | Per purpose |
Explicit Consent
Required for special category data and some automated decisions:
| Requirement | Explicit Consent |
|---|---|
| Form | Separate, express statement |
| Documentation | Detailed record required |
| Withdrawal | Without undue delay |
| Specificity | Very granular |
Special category data includes:
- Racial or ethnic origin
- Political opinions
- Religious beliefs
- Trade union membership
- Genetic or biometric data
- Health data
- Sex life or sexual orientation
Double Opt-In
While not legally required by GDPR, double opt-in is best practice for email marketing:
Step 1: Initial Signup
- User enters email
- Checks consent box
- Submits form
Step 2: Confirmation Email
- Send verification email immediately
- Include confirm link
- Explain what they're confirming
Step 3: Confirmation
- User clicks confirm link
- Record confirmed consent
- Begin sending communications
Benefits:
- Proves valid email address
- Confirms intentional consent
- Reduces spam complaints
- Better engagement rates
- Stronger evidence of consent
Recording Consent
You must be able to demonstrate that consent was validly obtained.
What to Record
| Element | Details to Store |
|---|---|
| Who | User identifier |
| When | Timestamp of consent |
| What | Exact text of consent request |
| How | Method (web form, verbal, etc.) |
| Version | Version of consent form/text |
| Context | What information was provided |
Consent Record Example
```json
{
  "user_id": "usr_abc123",
  "consent_id": "con_xyz789",
  "timestamp": "2024-03-15T14:30:00Z",
  "consent_type": "marketing_email",
  "consent_text": "I would like to receive product updates and promotional offers via email",
  "method": "web_form",
  "form_version": "v2.3",
  "ip_address": "192.168.x.x",
  "privacy_policy_version": "2024-03-01",
  "status": "active"
}
```
Managing Consent Withdrawal
Withdrawal Requirements
| Requirement | Implementation |
|---|---|
| Easy to withdraw | As easy as it was to give |
| Accessible | Clear instructions, multiple channels |
| Prompt | Process without undue delay |
| Free | No cost to withdraw |
| Complete | Stop all processing based on that consent |
Withdrawal Channels
- Account settings (self-service)
- Unsubscribe links in emails
- Privacy settings page
- Contact form
- Email to privacy contact
- Customer support
Handling Withdrawal
Withdrawal Request Received:
- Verify user identity
- Identify affected processing
- Confirm scope of withdrawal
Processing:
- Update consent record
- Stop affected processing
- Remove from mailing lists
- Notify relevant systems
Confirmation:
- Acknowledge withdrawal
- Explain what will/won't change
- Note any retained data (with reason)
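The double opt-in steps, the consent record fields and the withdrawal handling above fit together as one small consent ledger. The following is an added example written for this article, not code from Bastion or from any consent platform: the record fields mirror the JSON record shown earlier, while the in-memory store, the 48-hour confirmation window, the token handling and the function names (`request_consent`, `confirm_consent`, `withdraw_consent`, `may_process`, `get_record`) are assumptions made for the illustration. It keeps one record per purpose (no bundling), treats a pending signup as no consent at all, stores only a hash of the confirmation token so a leaked table cannot be used to confirm consents, and makes withdrawal flip the same record every downstream system checks.

```python
"""Consent ledger: per-purpose records, double opt-in, withdrawal.

Added example for this article (assumed design, not a library API).
"""
import hashlib
import secrets
import uuid
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=48)  # assumed: how long a confirm link stays valid

# In-memory stores for the runnable example; a real deployment would use an
# append-only table so the consent history can be audited later.
_records: dict = {}          # consent_id -> record
_pending_tokens: dict = {}   # sha256(token) -> consent_id


def _now() -> datetime:
    return datetime.now(timezone.utc)


def _digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def request_consent(user_id, purpose, consent_text, form_version, policy_version,
                    method="web_form", now=None):
    """Step 1 of double opt-in: store a *pending* record, return a one-time token.

    One call per purpose: marketing email and personalised recommendations get
    two separate records, which is how 'separate consent' is enforced here.
    """
    now = now or _now()
    consent_id = "con_" + uuid.uuid4().hex[:12]
    token = secrets.token_urlsafe(32)
    _records[consent_id] = {
        "user_id": user_id,
        "consent_id": consent_id,
        "timestamp": now.isoformat(),
        "consent_type": purpose,
        "consent_text": consent_text,
        "consent_text_sha256": _digest(consent_text),  # proves wording unchanged
        "method": method,
        "form_version": form_version,
        "privacy_policy_version": policy_version,
        "status": "pending",        # becomes "active" only after confirmation
        "token_expires": (now + TOKEN_TTL).isoformat(),
        "confirmed_at": None,
        "withdrawn_at": None,
    }
    _pending_tokens[_digest(token)] = consent_id  # only the hash is stored
    return consent_id, token


def confirm_consent(token, now=None):
    """Step 3 of double opt-in: the user clicked the confirm link.

    Returns the activated record, or None for an unknown, reused or expired token.
    """
    now = now or _now()
    consent_id = _pending_tokens.pop(_digest(token), None)  # single use
    if consent_id is None:
        return None
    rec = _records[consent_id]
    if datetime.fromisoformat(rec["token_expires"]) < now:
        rec["status"] = "expired"   # user must sign up again
        return None
    rec["status"] = "active"
    rec["confirmed_at"] = now.isoformat()
    return rec


def withdraw_consent(user_id, purpose, now=None):
    """Mark every active record for this user and purpose as withdrawn.

    Returns the consent_ids whose processing must now stop, so the caller can
    notify the mailer, recommender or other relevant systems.
    """
    now = now or _now()
    stopped = []
    for rec in _records.values():
        if (rec["user_id"] == user_id and rec["consent_type"] == purpose
                and rec["status"] == "active"):
            rec["status"] = "withdrawn"
            rec["withdrawn_at"] = now.isoformat()
            stopped.append(rec["consent_id"])
    return stopped


def may_process(user_id, purpose) -> bool:
    """The check a downstream system runs before sending or profiling."""
    return any(r["user_id"] == user_id and r["consent_type"] == purpose
               and r["status"] == "active" for r in _records.values())


def get_record(consent_id):
    return _records.get(consent_id)


if __name__ == "__main__":
    # Constructed walk-through of the three steps plus a withdrawal.
    cid, tok = request_consent("usr_abc123", "marketing_email",
                               "I would like to receive product updates via email",
                               "v2.3", "2024-03-01")
    print("pending, may send?", may_process("usr_abc123", "marketing_email"))
    confirm_consent(tok)
    print("confirmed, may send?", may_process("usr_abc123", "marketing_email"))
    print("withdrawn:", withdraw_consent("usr_abc123", "marketing_email"))
    print("after withdrawal, may send?", may_process("usr_abc123", "marketing_email"))
```

The important property is that `may_process` is the only question other systems ask; because withdrawal rewrites the record it reads, "stop affected processing" and "update consent record" are a single operation rather than two that can drift apart. The expiry branch also shows why the signup itself must never be treated as consent: an unconfirmed record is a lead that timed out, not a subscriber.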
Consent for Different Channels
Email Marketing
| Requirement | Implementation |
|---|---|
| Opt-in | Checkbox at signup |
| Information | What emails, frequency |
| Opt-out | Unsubscribe link in every email |
| Record | Store consent timestamp and version |
Cookies and Tracking
| Cookie Type | Consent Required |
|---|---|
| Strictly Necessary | No |
| Performance/Analytics | Yes |
| Functionality | Yes |
| Targeting/Advertising | Yes |
Phone Marketing
| Requirement | Implementation |
|---|---|
| Consent | Specific consent for phone contact |
| Recording | Record verbal consent if obtained by phone |
| Opt-out | Easy way to stop calls |
Children's Consent
Article 8 of GDPR establishes special rules for children's consent when offering information society services (online services) directly to children.
Age Thresholds
| Country | Minimum Age for Self-Consent |
|---|---|
| UK | 13 |
| Spain | 14 |
| France | 15 |
| Germany | 16 |
| Netherlands | 16 |
| Ireland | 16 |
| Default (most EU) | 16 |
The GDPR sets a default age of 16, but allows Member States to lower it to a minimum of 13. Below the applicable age threshold, parental or guardian consent is required.
Requirements for Children's Data
| Requirement | Implementation |
|---|---|
| Age verification | Reasonable measures to verify user's age |
| Parental consent | Required below age threshold |
| Verification of parental consent | Reasonable efforts to verify consent is given by holder of parental responsibility |
| Clear language | Privacy information must be in language children can understand |
Practical Implementation
Age Verification:
- Ask for date of birth during registration
- Use age-gating before collecting personal data
- Consider third-party age verification for higher-risk services
Obtaining Parental Consent:
- Request parent/guardian email for verification
- Send verification link to parent/guardian
- Consider video verification for sensitive services
- Document the verification method used
What Qualifies as "Information Society Services":
- Social media platforms
- Online games
- Streaming services
- E-commerce sites
- Educational apps and platforms
- Any online service offered directly to children
Recording Children's Consent
In addition to standard consent records, document:
- Age verification method used
- Parental consent verification method
- Parent/guardian identifier
- Verification timestamp
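The age thresholds, the practical age-verification and parental-consent steps, and the extra fields to record for children can be expressed as a single gating routine. The block below is an added example for this article, not Bastion's code: the thresholds are the ones in the table above (with the GDPR default of 16 for any country not listed), while the country codes, the `date_of_birth_at_registration` label, the `parental` argument and the function names (`age_on`, `consent_path`, `build_child_consent`) are assumptions. It deliberately refuses to produce an active record on the parental path until a parental verification is supplied, and it handles 29 February birthdays without an exception.

```python
"""Article 8 age gating and child consent record (added example).

Assumed design for illustration; does not itself verify identity.
"""
from datetime import date, datetime, timezone

# Minimum age for self-consent from the article's table; unlisted countries
# fall back to the GDPR default.
AGE_THRESHOLDS = {"GB": 13, "ES": 14, "FR": 15, "DE": 16, "NL": 16, "IE": 16}
DEFAULT_THRESHOLD = 16


def age_on(dob: date, today: date) -> int:
    """Completed years from dob to today.

    Comparing (month, day) tuples means a 29 Feb birthday counts as reached on
    1 Mar in a non-leap year instead of raising a ValueError.
    """
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def consent_path(country: str, dob: date, today: date) -> str:
    """'self' if the user may consent alone, otherwise 'parental'."""
    threshold = AGE_THRESHOLDS.get(country.upper(), DEFAULT_THRESHOLD)
    return "self" if age_on(dob, today) >= threshold else "parental"


def build_child_consent(country: str, dob: date, today: date,
                        base_record: dict, parental: dict = None) -> dict:
    """Extend a standard consent record with the children-specific fields.

    `parental` is an assumed dict with keys method, parent_id and verified_at
    (a timezone-aware datetime). Without it, a below-threshold user gets a
    blocked record rather than an active one.
    """
    path = consent_path(country, dob, today)
    rec = dict(base_record)  # never mutate the caller's record
    rec["age_verification_method"] = "date_of_birth_at_registration"  # assumed label
    rec["consent_path"] = path
    if path == "parental":
        if not parental:
            rec["status"] = "blocked_awaiting_parent"
            return rec
        rec.update({
            "parental_consent_method": parental["method"],
            "parent_guardian_id": parental["parent_id"],
            "parental_verification_timestamp": parental["verified_at"].isoformat(),
        })
    return rec


if __name__ == "__main__":
    # Constructed sample: a 12-year-old in France signing up for an online game.
    base = {"user_id": "usr_child1", "consent_type": "online_game", "status": "active"}
    print(build_child_consent("FR", date(2012, 1, 1), date(2024, 6, 1), base)["status"])
    verified = {"method": "email_link", "parent_id": "par_001",
                "verified_at": datetime(2024, 6, 1, tzinfo=timezone.utc)}
    print(build_child_consent("FR", date(2012, 1, 1), date(2024, 6, 1), base, verified)["status"])
```

Keeping the country lookup in one place matters because the threshold is a per-Member-State choice: a service that hard-codes 16 will wrongly demand parental consent from a 13-year-old in the UK, while one that hard-codes 13 will accept self-consent that is invalid in Germany.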
Common Consent Mistakes
Mistake 1: Bundled Consent
Wrong:
"By creating an account, you agree to our terms, privacy policy, and to receive marketing emails."
Right:
Separate consent for marketing, separate acceptance of terms.
Mistake 2: Pre-Ticked Boxes
Wrong:
☑ Send me promotional emails (pre-selected)
Right:
☐ Send me promotional emails (user must actively tick)
Mistake 3: Consent Walls
Wrong:
"Accept all cookies to access this site"
Right:
Essential cookies only by default, with option to accept others.
Mistake 4: Difficult Withdrawal
Wrong:
Must call customer service to unsubscribe.
Right:
One-click unsubscribe link in every email.
Mistake 5: Assuming Consent
Wrong:
"By continuing to use our service, you consent to..."
Right:
Active, explicit consent before processing begins.
Refreshing Consent
Consider refreshing consent when:
- Your privacy practices change significantly
- You want to use data for new purposes
- A reasonable time has passed
- You're uncertain about original consent validity
Re-Consent Campaign
Email 1: Initial Request
- Explain why you're reaching out
- Describe current processing
- Clear "Yes, keep me subscribed" button
- Easy opt-out option
Email 2: Reminder (if no response)
- Gentle reminder
- Highlight value of staying subscribed
- Final chance messaging
After Campaign:
- Remove non-responders from marketing
- Update consent records
- Document the re-consent process
How Bastion Helps
Consent management requires robust systems, careful implementation, and ongoing attention to regulatory developments. Working with experienced partners helps ensure your consent mechanisms meet GDPR standards from the start.
| Challenge | How We Help |
|---|---|
| Consent Collection | Compliant form templates and implementation guidance |
| Record Keeping | Streamlined consent logging and documentation |
| Withdrawal Processing | Efficient workflows for handling opt-out requests |
| Audit Trail | Complete consent history for accountability |
| Cookie Consent | Integration guidance for cookie consent platforms |
Getting consent mechanisms right from the beginning helps avoid the need for re-consent campaigns when issues are discovered—a process that typically results in significant subscriber loss.
Looking for help implementing compliant consent management? Talk to our team →
