ISpectra Technologies
Key Concepts & Definitions · Guide · Updated Jun 2026 · 9 min read

GDPR Consent: What Counts as Valid Consent?

GDPR sets a high bar for consent. Here’s exactly what valid consent requires — and when you should use a different basis.


Consent is the GDPR concept people think they understand best — and get wrong most often. The bar is high and specific, and weak consent invalidates the very processing it was meant to authorise. Knowing what valid consent requires is essential to any GDPR compliance effort.

This guide breaks down each element of valid consent, covers withdrawal, explicit consent, children and cookies, and explains when consent is simply the wrong basis to use.

What GDPR means by consent

Consent is one of GDPR’s six lawful bases, but it sets a high bar. Valid consent must be freely given, specific, informed and unambiguous, shown by a clear affirmative action. Silence, pre-ticked boxes or inactivity do not count.

In other words, consent only works when the person has a genuine, well-informed choice and actively says yes. If any of those elements is missing, the consent is invalid and the processing has no lawful basis.

Freely given

Consent is freely given only if the person has a real choice and is not penalised for refusing. If a service is conditional on consenting to unnecessary processing, or if refusal carries a detriment, the consent is not free.

Imbalances of power matter too. In an employer–employee relationship, for example, consent is rarely free because staff may feel unable to refuse, so another lawful basis is usually more appropriate.


Specific and granular

Consent must be specific to each distinct purpose. You cannot lump several unrelated activities under one blanket “I agree”. If you want to use data for, say, service emails and separate third-party marketing, you need granular options so people can consent to one and not the other.

Bundling everything together is a common failing that invalidates the consent for all of it.

Informed

For consent to be informed, people must know who you are, what data you will process, for what purposes, and that they can withdraw at any time. This information must be clear and accessible — not buried in dense terms and conditions.

If the person could not reasonably have understood what they were agreeing to, the consent does not stand.

Unambiguous and by clear action

Consent must be unambiguous, given by a clear affirmative act — ticking an unticked box, choosing settings, or a clear “yes”. Pre-ticked boxes, opt-out mechanisms and “by continuing you agree” do not meet the standard.

The action must leave no doubt that the person intended to consent to that specific processing.

Easy to withdraw

People must be able to withdraw consent as easily as they gave it, and you must tell them so before they consent. Withdrawal must be straightforward — a one-click unsubscribe, a settings toggle — not a hidden or burdensome process.

When someone withdraws, you must stop the processing that relied on consent, although it does not affect the lawfulness of what you did beforehand.

You must keep records

The accountability principle means you must be able to demonstrate that you obtained valid consent. Keep records of who consented, when, what they were told, and what they agreed to. Without these records, you cannot prove your basis if challenged.

This is one reason consent is administratively heavier than other bases — it requires ongoing evidence, not a one-off click.
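The two sections above (withdrawal and record-keeping) describe the behaviour a consent store has to support: one record per granular purpose, evidence of what the person was shown and how they acted, withdrawal that stops future processing without undoing the lawfulness of what came before, and the ability to answer "was this processing permitted at that moment?" when challenged. The following is an added illustration written for this guide, not ISpectra's own code or any product's API; the class and field names (ConsentLedger, ConsentEvent, notice_version, method) and the "alice" sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Capture methods the guide says do NOT show a clear affirmative action.
# Recording consent through any of these is rejected outright.
NON_AFFIRMATIVE_METHODS = {"pre_ticked_box", "continued_browsing", "silence", "opt_out_default"}


def utc(year: int, month: int, day: int) -> datetime:
    """Helper: build a timezone-aware UTC timestamp for the sample events."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # one granular purpose per event, never a blanket "all"
    given: bool           # True: consent given; False: consent withdrawn
    at: datetime          # when the affirmative act (or withdrawal) happened
    notice_version: str   # which version of the information notice was shown
    method: str           # how the act was captured (evidence of *how* they agreed)


class ConsentLedger:
    """Append-only record of consent and withdrawal events (hypothetical design)."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_consent(self, subject_id: str, purpose: str, at: datetime,
                       notice_version: str, method: str) -> ConsentEvent:
        # Unambiguous: refuse anything that is not a clear affirmative action.
        if method in NON_AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} is not a clear affirmative action")
        # Specific and granular: a blanket purpose is not valid consent.
        if purpose.strip().lower() in {"all", "*", "everything"}:
            raise ValueError("consent must be recorded per distinct purpose")
        # Informed: we must be able to show what the person was told.
        if not notice_version:
            raise ValueError("record which notice the person was shown")
        event = ConsentEvent(subject_id, purpose, True, at, notice_version, method)
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, at: datetime, method: str) -> ConsentEvent:
        # Withdrawal is appended, never deleted: the history itself is the evidence.
        event = ConsentEvent(subject_id, purpose, False, at, "", method)
        self._events.append(event)
        return event

    def is_permitted(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Was consent-based processing for this purpose lawful at time `at`?

        Only events on or before `at` count, so a later withdrawal does not
        retroactively make earlier processing unlawful. The most recent event
        decides: a withdrawal after a consent means "not permitted" from then on.
        """
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= at]
        if not relevant:
            return False          # never consented to this purpose: no basis
        return max(relevant, key=lambda e: e.at).given

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Chronological trail to produce if the lawful basis is challenged."""
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.at)


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample: Alice opts in to service emails, later withdraws."""
    ledger = ConsentLedger()
    ledger.record_consent("alice", "service_emails", utc(2025, 1, 10), "notice-v3", "unticked_checkbox")
    ledger.withdraw("alice", "service_emails", utc(2025, 3, 1), "settings_toggle")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(ledger.is_permitted("alice", "service_emails", utc(2025, 2, 1)))          # True
    print(ledger.is_permitted("alice", "service_emails", utc(2025, 3, 15)))         # False
    print(ledger.is_permitted("alice", "third_party_marketing", utc(2025, 2, 1)))   # False
    for e in ledger.evidence("alice", "service_emails"):
        print(e)
```

The point of the design is that `is_permitted` is answered from the stored events rather than from a mutable "consented: yes/no" flag: the same ledger that enforces the decision today also produces the who/when/what-they-were-told trail the accountability principle demands, and a withdrawal never erases the record of the consent that preceded it.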

Separate from terms and conditions

Consent should not be bundled into your general terms and conditions as a precondition of service. If accepting the T&Cs forces a person to consent to unrelated processing, that consent is not freely given.

Keep consent requests distinct and specific, so the person is clearly agreeing to the processing itself rather than simply accepting your contract.

Handled well, this is one more building block of practical GDPR compliance.

Explicit consent for sensitive data

Where you rely on consent for special category data, it must be explicit — an express, clearly worded statement rather than an implied or bundled agreement. The person must understand exactly which sensitive data is involved.

Explicit consent is demanding, which is one reason organisations often look for another condition where one genuinely applies to sensitive processing.

Children’s consent

Children warrant extra protection. For online services offered directly to children, GDPR sets a default age of 16 for valid consent, though member states may lower it to as young as 13. Below that age, you generally need consent from a parent or guardian and must make reasonable efforts to verify it.

If your audience includes children, check the applicable age in each country and design your consent flows accordingly.

Consent and cookies

The separate ePrivacy rules require consent for non-essential cookies and similar tracking, to the same GDPR standard. That means a clear, granular banner where accepting and rejecting are equally easy — not a wall that nudges people into “accept all”.

Strictly necessary cookies do not need consent, but analytics and advertising cookies almost always do.

When consent is the wrong basis

Consent is not always appropriate. If you would process the data anyway — because it is necessary for a contract or required by law — then asking for consent is misleading, because the person has no real choice. Withdrawing consent they were never truly free to refuse would not stop the processing.

In those cases, rely on the basis that actually fits, and reserve consent for genuinely optional activities.

Refreshing and reviewing consent

Consent is not necessarily forever. If your purposes change, or consent was gathered long ago to a weaker standard, you may need to refresh it. Periodically review your consent records and mechanisms to ensure they still meet the GDPR bar.

Stale or pre-GDPR consent is a common weak point, so check that what you are relying on today would stand up to scrutiny.

How ISpectra helps

Getting consent right — and knowing when not to use it — is central to credible GDPR compliance. ISpectra Technologies helps organisations design valid consent mechanisms, fix cookie banners, maintain proper consent records, and choose the correct basis where consent is not the right fit.

If your consent flows pre-date GDPR or rely on pre-ticked boxes, a short review will show you what to change.

In one paragraph

Valid GDPR consent must be freely given, specific, informed and unambiguous, shown by a clear affirmative action — no pre-ticked boxes, no bundling, and no penalty for refusing. People must be able to withdraw as easily as they consented, you must keep records proving consent, and special category data requires explicit consent. Children need extra protection, and non-essential cookies need consent to the same standard. Crucially, consent is the wrong basis where you would process the data anyway, so reserve it for genuinely optional activities and use another lawful basis where one fits better.


Avoiding consent fatigue

A practical challenge with consent is fatigue: bombard people with requests and they stop reading, click “accept” reflexively, or abandon your service altogether. Ironically, asking for consent you do not need can weaken compliance, because reflexive clicks are hard to defend as genuine, informed choices.

The fix is restraint and clarity. Only ask for consent where it is the right basis and the choice is real; make the request specific and easy to understand; and design the interface so that accepting and declining are equally simple. Fewer, clearer consent requests produce both better compliance and a better user experience — people trust services that ask honestly and respect a “no”.

FAQ

GDPR Consent — Frequently Asked Questions

Q: What makes consent valid under GDPR?
A: It must be freely given, specific, informed and unambiguous, shown by a clear affirmative action, with an easy way to withdraw and records to prove it.

Q: Does a pre-ticked box count as consent?
A: No. Pre-ticked boxes, opt-out mechanisms and “by continuing you agree” do not meet the standard for unambiguous consent.

Q: Can people withdraw consent?
A: Yes. People must be able to withdraw as easily as they consented, and you must stop the consent-based processing when they do.

Q: What is explicit consent?
A: A more demanding, expressly worded consent required for special category (sensitive) data, where the person clearly understands which sensitive data is involved.

Q: What age can a child give consent online?
A: GDPR sets a default of 16, which member states may lower to as young as 13. Below that, you generally need verifiable parental consent.

Q: Do cookies need consent?
A: Non-essential cookies need consent to the GDPR standard. Strictly necessary cookies do not.

Ready to take the next step?

Get your free GDPR readiness assessment

A 30-minute call with our data-protection team. We’ll review where you stand and map a realistic path to compliance — no pitch.

Book free assessment