GDPR Consent Requirements: What Counts as Valid Consent (2026)

Consent is one of the six legal bases for processing personal data under the GDPR. When an organization relies on consent, it must meet strict standards. A vague privacy policy buried in terms and conditions does not qualify. Neither does a pre-ticked checkbox or inactivity.
The GDPR sets a high bar for valid consent, and getting it wrong can trigger significant fines. This guide explains the four conditions for valid consent, covers special rules for children, addresses when consent is and is not the right legal basis, and connects GDPR consent to cookie consent requirements.
For an overview of the regulation, see What Is GDPR. For practical implementation, see the GDPR compliance checklist.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified data protection attorney or privacy professional for guidance specific to your situation.
The Four Conditions for Valid Consent
Article 4(11) of the GDPR defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
The EDPB Guidelines 05/2020 on consent provide the authoritative interpretation of each condition. The European Commission and the ICO offer additional guidance.
1. Freely Given
Consent is only valid if the individual has a genuine, free choice. Several factors can undermine this:
Power imbalance. When there is a significant imbalance of power between the data subject and the controller, consent is unlikely to be freely given. The employer-employee relationship is the classic example. Employees may feel they cannot refuse their employer's data processing requests without risking their job. Public authorities processing personal data of citizens face similar concerns.
Conditionality. Consent is not freely given if access to a service is conditional on consenting to data processing that is not necessary for that service. Under Article 7(4), organizations cannot bundle consent with service terms. An online store that requires customers to consent to marketing emails as a condition of making a purchase is violating this rule.
Granularity. Individuals must be able to consent to different processing purposes separately. A single "I agree to everything" checkbox covering multiple purposes does not qualify.
No detriment. Individuals must be able to refuse or withdraw consent without suffering any negative consequences. If refusal results in degraded service, restricted access, or any form of penalty, the consent is not freely given.
2. Specific
Consent must be specific to each processing purpose. Organizations cannot collect blanket consent for all current and future processing activities. The EDPB guidelines require:
- A separate consent for each distinct purpose
- Clear identification of the specific purpose at the time consent is requested
- Separation between consent for different processing operations
For example, an organization that collects email addresses for a newsletter and also wants to share those addresses with third-party advertisers needs two separate consents, not one.
3. Informed
Before giving consent, individuals must receive enough information to understand what they are agreeing to. The European Commission guidance specifies that the following information must be provided:
- The identity of the controller
- The specific purpose of each processing operation for which consent is sought
- What type of data will be collected and processed
- The right to withdraw consent at any time
- Whether the data will be used for automated decision-making, including profiling
- Information about international data transfers, if applicable
This information must be in clear, plain language. Technical jargon and legal language do not satisfy the "informed" requirement. Consent forms should use language that the average person can understand.
4. Unambiguous (Clear Affirmative Action)
Consent requires a clear affirmative act. The GDPR explicitly states that silence, pre-ticked boxes, or inactivity do not constitute consent. Valid forms of affirmative action include:
- Ticking an unticked opt-in box
- Clicking an "I consent" button (where the processing information is clearly presented)
- Choosing specific technical settings on a platform
- Signing a written consent form
- Making an oral statement (though this is harder to document)
Scrolling through a website, continuing to browse, or failing to object are not affirmative actions and cannot constitute valid consent.

Consent Records: Documenting Compliance
Article 7(1) requires controllers to be able to demonstrate that the data subject consented. This means maintaining clear records.
What to Record
The ICO guidance on recording consent recommends documenting:
- Who consented (enough information to identify the individual)
- When they consented (date and time)
- What they were told at the time (the consent form or statement presented)
- How they consented (the method: online form, checkbox, verbal)
- Whether consent has been withdrawn (and when)
Practical Implementation
Store consent records alongside the processing activity they relate to. If using online forms, capture the full text of the consent statement as it appeared at the time, not just a "consent = true" flag. If the consent statement changes, maintain version histories so you can prove what each individual agreed to.

Withdrawing Consent
Article 7(3) establishes the right to withdraw consent at any time. Two critical rules apply:
Withdrawal must be as easy as giving consent. If consent was given with one click online, withdrawal should require no more than one click. Requiring individuals to call a phone number, send a letter, or navigate a complex account settings page to withdraw consent that was originally given with a simple checkbox violates this principle.
Individuals must be informed of the withdrawal right before consenting. The right to withdraw must be communicated at the time consent is requested, not after the fact.
Effect of Withdrawal
Withdrawing consent does not retroactively make previous processing unlawful. Processing that occurred while consent was valid remains lawful. However, the organization must stop all processing based on consent going forward.
If the organization can continue processing under a different legal basis (such as contractual necessity or legitimate interests), it may do so. However, it cannot retroactively switch its legal basis for the same processing operation solely because consent was withdrawn.
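As an added illustration of the record-keeping rules in "Consent Records" and the withdrawal rules just above (example code written for this page, not taken from the page or from any regulator), a minimal consent ledger in Python: it refuses to record anything that was not a clear affirmative act, keeps one record per declared purpose with the exact statement wording and version shown, and treats withdrawal as a single call that stops processing only from that moment on. The purpose names, field names and timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed purpose registry using the page's own example of two purposes that
# need two separate consents; each record covers exactly one declared purpose.
PURPOSES = {"newsletter", "third_party_advertising"}

@dataclass
class ConsentRecord:
    subject_id: str            # who
    purpose: str               # what for (one purpose per record: granularity)
    statement_version: str     # which wording; bump the version whenever it changes
    statement_text: str        # what they were told, verbatim, not a "consent = true" flag
    method: str                # how: "unticked-checkbox", "button", "oral", ...
    given_at: datetime         # when
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self) -> None:
        self.records = []

    def record(self, subject_id: str, purpose: str, version: str, text: str,
               method: str, affirmative: bool, given_at: str) -> ConsentRecord:
        # Art. 4(11): silence, pre-ticked boxes and inactivity are not consent.
        if not affirmative:
            raise ValueError("no clear affirmative action; nothing to record")
        if purpose not in PURPOSES:
            raise ValueError(f"unknown or bundled purpose: {purpose!r}")
        rec = ConsentRecord(subject_id, purpose, version, text, method,
                            datetime.fromisoformat(given_at))
        self.records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, when: str) -> int:
        # Art. 7(3): one call, no extra hurdles. Returns how many records were closed.
        closed = 0
        for r in self.records:
            if (r.subject_id, r.purpose) == (subject_id, purpose) and r.withdrawn_at is None:
                r.withdrawn_at = datetime.fromisoformat(when)
                closed += 1
        return closed

    def may_process(self, subject_id: str, purpose: str, at: str) -> bool:
        # Covered if an active record spans `at`. Withdrawal stops processing only from
        # withdrawn_at onward; processing done while consent was valid stays lawful.
        t = datetime.fromisoformat(at)
        return any((r.subject_id, r.purpose) == (subject_id, purpose)
                   and r.given_at <= t and (r.withdrawn_at is None or t < r.withdrawn_at)
                   for r in self.records)
```

Timestamps are ISO 8601 strings with an explicit offset so that records can be compared unambiguously; `records` is the evidence the controller keeps under Article 7(1).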
Children's Consent (Article 8)
Article 8 imposes additional rules when offering "information society services" (ISS) directly to children. An ISS includes social media platforms, apps, online games, streaming services, and most commercial websites.
Age Thresholds
The GDPR sets the default age threshold at 16 years. Below that age, the consent of the holder of parental responsibility is required. However, member states can lower this threshold to a minimum of 13 years. The result is a patchwork across Europe:
| Age | Countries |
|---|---|
| 13 | Belgium, Czech Republic, Denmark, Estonia, Finland, Latvia, Malta, Portugal, Sweden, UK |
| 14 | Austria, Bulgaria, Cyprus, Italy, Lithuania, Spain |
| 15 | France, Greece, Slovenia |
| 16 | Germany, Hungary, Ireland, Luxembourg, Netherlands, Poland, Romania, Slovakia |
Verification Requirements
Article 8(2) states that the controller must make "reasonable efforts to verify" that parental consent was given. The standard is proportionate. The European Commission guidance on children's data acknowledges that verification methods will vary based on available technology and the risk level of the processing.
Preventive and Counseling Services
Article 8 does not affect counseling and preventive services offered directly to children. These services can process children's data without parental consent to protect children's welfare.
When Consent Is NOT the Right Legal Basis
Consent is only one of six legal bases under Article 6. Many organizations default to consent when a different basis would be more appropriate and less burdensome.
Contractual Necessity (Article 6(1)(b))
When processing is necessary to perform a contract with the individual, consent is not needed. An e-commerce company does not need consent to process a customer's shipping address for order delivery. That processing is necessary to fulfill the contract.
Legal Obligation (Article 6(1)(c))
Processing required by law does not need consent. Employers processing employee data for tax reporting, or financial institutions processing data for anti-money laundering compliance, rely on legal obligation.
Legitimate Interests (Article 6(1)(f))
If the organization has a legitimate interest that is not overridden by the individual's interests, rights and freedoms, it can process data without consent. Common legitimate interest uses include fraud prevention, network security, and internal administrative purposes. The EDPB Guidelines 1/2024 on legitimate interest provide detailed guidance on conducting the required balancing test.
Why Choose Consent Carefully
Consent creates ongoing management obligations: maintaining records, providing withdrawal mechanisms, re-obtaining consent if the purpose changes. If another legal basis applies, it may be simpler and more legally sound. The ICO guidance on when consent is appropriate recommends using consent only when no other legal basis applies or when you want to give individuals genuine ongoing control.
Explicit Consent for Special Category Data
Article 9 prohibits processing special categories of data (health, biometric, genetic, racial/ethnic origin, political opinions, religious beliefs, trade union membership, sex life/sexual orientation) unless a specific exception applies. One exception is "explicit consent."
Explicit consent is a higher standard than regular consent. It requires a very clear and specific statement of consent. The individual must expressly confirm their agreement, typically through a written statement specifically referencing the sensitive data and the processing purpose.
Consent and Cookies: The ePrivacy Connection
Cookie consent operates under the ePrivacy Directive (Directive 2002/58/EC), not the GDPR directly. However, when cookies involve personal data, the GDPR applies to the subsequent processing.
ePrivacy Rules Override GDPR Flexibility
The ICO cookie guidance confirms that legitimate interest cannot be used as a legal basis for setting non-essential cookies. The ePrivacy Directive requires consent for storing information on a user's device (cookies), and this consent must meet GDPR standards.
What Requires Cookie Consent
Non-essential cookies require consent. This includes:
- Analytics cookies (Google Analytics, similar tools)
- Advertising and tracking cookies
- Social media cookies
- Personalization cookies
What Does Not Require Cookie Consent
Strictly necessary cookies are exempt from the consent requirement. These include:
- Session management cookies (shopping carts, login status)
- Security cookies (fraud prevention, authentication)
- Load-balancing cookies
- User preference cookies (language, accessibility settings)
Cookie Banner Best Practices
The EDPB Cookie Banner Taskforce report identified common cookie banner violations:
- No "reject all" button (or hiding it behind additional clicks)
- Pre-checked boxes for non-essential cookies
- Using deceptive design patterns to steer users toward accepting
- Referring to "legitimate interest" for cookies (not valid under ePrivacy)
- Making withdrawal of cookie consent harder than giving it
The Your Europe portal provides a clear summary of EU online privacy rules for businesses.
The "Consent or Pay" Model
In 2024, the EDPB issued Opinion 08/2024 on "consent or pay" models, where platforms offer users a choice between consenting to behavioral advertising or paying a subscription fee.
The EDPB concluded that such models are not inherently unlawful but must meet strict conditions. The "consent" option must still satisfy all four GDPR conditions, and the paid alternative must be a genuine equivalent. Platforms must also offer a less intrusive advertising option (contextual rather than behavioral advertising) before resorting to a "consent or pay" binary.
This opinion is particularly relevant for social media platforms and news publishers that have adopted or considered subscription-based alternatives to ad-supported free access.
More GDPR Guides
- What Is GDPR for a comprehensive overview of the regulation
- GDPR Compliance Checklist for a step-by-step compliance guide
- GDPR Fines and Penalties for enforcement data and the consequences of non-compliance
- GDPR Data Subject Rights for all eight individual rights
- GDPR Breach Notification 72-Hour Rule for breach reporting obligations
- GDPR for Small Businesses for SME-specific guidance
- [EU Data Privacy Laws](/world-laws/world-data-privacy-laws/eu-data-privacy-laws) for the complete EU data protection overview
Sources and References
- GDPR Full Text - Regulation (EU) 2016/679 (eur-lex.europa.eu)
- EDPB Guidelines 05/2020 on Consent (edpb.europa.eu)
- European Commission - When Is Consent Valid? (commission.europa.eu)
- European Commission - How Should My Consent Be Requested? (commission.europa.eu)
- ICO - What Is Valid Consent? (ico.org.uk)
- ICO - How Should We Obtain, Record and Manage Consent? (ico.org.uk)
- ICO - When Is Consent Appropriate? (ico.org.uk)
- European Commission - Children's Data Safeguards (commission.europa.eu)
- EDPB Opinion 08/2024 on Consent or Pay Models (edpb.europa.eu)
- EDPB Cookie Banner Taskforce Report (edpb.europa.eu)
- ICO - Cookies and Similar Technologies (ico.org.uk)
- Your Europe - Online Privacy for Businesses (europa.eu)
- EDPB Guidelines 1/2024 on Legitimate Interest (edpb.europa.eu)