One of the after-effects of the GDPR is the flurry of opt-in emails, forms, cookie pop-ups and banners seen everywhere on the internet. GDPR consent laid the groundwork for such changes. It meant businesses have to obtain consent before collecting consumers’ personal data and processing it any further. 

What is GDPR consent?

GDPR requires businesses to establish a lawful basis for processing consumers’ personal data. Under GDPR, processing includes any operation performed on personal data, such as collection, recording, storage, adaptation or alteration, restriction, erasure, etc. Broadly, it covers any use of personal data, not just the data of your own customers. 

Consent is one of the lawful bases for data processing. GDPR consent should involve a clear affirmative act establishing that the consent is freely given, specific, informed and unambiguous. Consent requests should also be available in clear, plain language and be “clearly distinguishable from the other matters”. 

Article 4(11) GDPR gives the definition of consent and sets out its key conditions.

What does this mean for your business? Any marketing or sales communication such as emails, newsletters, push notifications, SMS, marketing calls, etc. requires the user’s opt-in consent. Service messages such as order confirmations and order tracking updates are the exception: they are not subject to GDPR consent, because the legal basis for such communication may be the performance of a contract. 

Freely given consent

Individuals must have a clear and genuine choice over how businesses use their data. Consent will not be free if users are unable to withdraw or refuse consent or face discrimination in the product or services as a result of their choices. 

In scenarios where collecting and processing consumers’ personal data is necessary to provide your service or to enter into a contract with them, you should consider using another valid basis for processing. Similarly, it is difficult to establish valid, freely given consent when users are consenting to public authorities, employers or other organizations in a position of power.

Specific consent

Consent must be specific, i.e. granular and relating to a distinct processing activity. When a user gives consent, the purpose for processing the data needs to be clearly known. The purpose needs to be limited and specific, and it cannot be changed or extended after consent is obtained. If the purpose of the processing activity for which consent has been given changes, businesses have to ask for consent again. 

Informed consent

The user must be informed clearly and transparently before giving their consent. This applies to information about data processing and the rights consumers have under GDPR, including withdrawal of consent.

Recital 42 of GDPR points out that “for consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended”.

The WP29 guidelines on consent state the following as minimum requirements for GDPR consent.

  • Identity of the controller
  • Purpose of each processing operation for which consent is sought
  • The data, and the types of data, that will be collected and used on the basis of the consent
  • Information about the right to withdraw consent
  • Information regarding the use of data for automated decision-making, including profiling
  • Possible risks of data transfers to third countries in the absence of an adequacy decision

Unambiguous consent

GDPR consent has to be unambiguous and given by a statement or by a clear affirmative action. This means consent is not valid if it relies on pre-ticked boxes, silence or inactivity. Only a clear affirmative action such as an opt-in constitutes a deliberate, active choice by the user; pre-ticked boxes and default ‘on’ toggles do not. 

The WP29 guidelines note that consent should be distinguishable from other actions and consent mechanisms should avoid ambiguity. Actions such as merely continuing the use of a website or scrolling cannot be inferred as an active choice by the user. 

Withdraw consent

Article 7(3) of the GDPR gives individuals the right to withdraw consent at any time. It should also be as easy to withdraw consent as it was to give it. This means users can withdraw previously given consent whenever they want by opting out, and businesses must honour the user’s decision.

Consumers must be informed about the right to withdraw consent before or at the time of collecting consent. Businesses have to inform users how they can withdraw consent and the consequences of it so that the user can make an informed decision. This option to withdraw consent should be easily available via the consent form, emails, privacy policy etc.

Proof of consent

GDPR also requires businesses to demonstrate proof of consent if the need arises. You need to keep documentary evidence of consent and prove that users made an informed choice such that the consent obtained is valid.

It means that you must be able to provide proof of:

  • When and how you got consent
  • The user who gave consent
  • What specifically they consented to

5 Things to Know about GDPR Consent

Explicit consent

GDPR consent also means that the consent is explicit. Explicit consent is required under certain situations where there is a serious risk to data protection and a higher level of control over processing personal data is required. 

The need for explicit consent is referred to separately within the GDPR, namely in scenarios involving processing of sensitive categories of data, or for transfers of data to third countries or for automated decision making.

Processing sensitive personal data

Processing sensitive personal data, i.e. information about racial or ethnic origin, political views, religious or philosophical beliefs, trade union membership, genetic data and biometric data, is prohibited under the GDPR.

One of the exemptions that are applicable in this case is if the individual whose sensitive data is being processed has given explicit consent to the processing of the personal data for specified purposes.

Transferring data to third countries

Under GDPR, transfer of personal data to a territory outside the EU (a “third country”) is based on an adequacy decision by the EU Commission. 

When a business transfers personal data to a third country or an international organization, it can do so without specific authorization if that third country or organization ensures an adequate level of protection. 

If an adequate level of protection is not present, data transfer is possible if the data subject gives explicit consent. In such cases, businesses have to give full disclosure of the potential risks due to a lack of appropriate safeguards.

Automated decision-making

GDPR gives individuals the right to object to automated processing, including profiling, of their personal data. Automated decision-making is allowed only under three conditions: it is necessary for the performance of a contract, it is authorized by EU or member state law, or it is based on explicit consent.

According to Article 22, in the cases of contract and explicit consent, the business needs to implement “suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.” 

Consent fatigue and dark patterns

While privacy notifications and opt-in forms have become commonplace, consumers have reported what is referred to as consent fatigue. A Cisco survey noted that while 52% of respondents said they felt more in control of their personal data post-GDPR, 47% reported having received too many privacy and GDPR-related notices. 

On one hand, users can be overburdened with too many popups and banners every time they access a website, read a blog, or purchase goods or services. On the other hand, some businesses completely ignore or take a careless approach to GDPR consent requirements. Studies have found dark patterns in cookie consent mechanisms that steer users towards privacy-unfriendly choices. Research on the top 10,000 websites in the UK found that only 11.8% meet the minimal requirements of European privacy laws. 


Privacy laws have been driven by rising consumer expectations. Businesses, especially the ones with an online presence, therefore should strike a balance between GDPR consent needs, consumer expectations and regulatory compliance without compromising on their brand experience. 

Here’s a list of GDPR Compliance Checkers that help you determine your website’s GDPR compliance.

How to obtain GDPR consent?

Active opt-in forms

In June 2021, the UK regulator, the ICO, fined Papa John’s £10,000 for sending marketing texts and emails without active consent from users. If you want to steer clear of fines, you should adopt a GDPR-friendly consent mechanism. 

If you collect information for marketing emails and newsletters, you should seek active consent from users. The forms should include an opt-in method such as a tick-box. Avoid pre-ticked boxes or any other method of default consent. Users must be informed of why you collect the data and must agree to be contacted by you. Contact forms could even have a tooltip for each data field as a second layer of information, so there is no scope for ambiguity.

Newsletter opt-in form of The Resident.

Double opt-in emails

A good practice for your marketing mailing list is to enable double opt-in. The user first signs up via a subscription form and then receives a confirmation mail which the user has to click to finalize their subscription to your service. 

CookieYes uses a double opt-in for users who sign up for their marketing emails. 

For GDPR consent, it’s vital that your business can provide proof that a user has given their consent. A double opt-in ensures that the consent is active, not passive, i.e. no pre-ticked boxes or implied consent. It leaves no scope for dispute, as users have entered their details in a sign-up form and then clicked a link in their inbox. While double opt-in is not required under GDPR, it is a foolproof way to demonstrate that users have given unambiguous consent.

Read more about opt-in and opt-out and how to implement them.

Opt-out/unsubscribe from emails

GDPR also requires that users be able to withdraw their consent easily. This means your marketing emails should have an opt-out mechanism. This could be a simple unsubscribe button. While most emails have a default unsubscribe option, it’s a good practice to add a custom unsubscribe or opt-out message in your email footers.

Shopify’s email footer features a clear unsubscribe and manage preferences option.

Ensure that opt-out of emails is simple and clear and does not involve multiple steps or other barriers that may jeopardize your GDPR compliance.

Cookie consent banner

GDPR consent is also required before deploying cookies on a user’s device, because cookies can be considered personal data. For cookies other than strictly necessary cookies, websites are required to obtain active consent from users. This means notice-only cookie banners and implicit consent are no longer valid under GDPR. Websites cannot use pre-ticked boxes or toggles, bundled consent, ‘accept’-only buttons or similar dark patterns that distract users from making an active choice. 

Read this detailed checklist on the best practices for a GDPR compliant cookie consent banner.

CookieYes lets users opt-in to specific cookie categories, link cookie/privacy policy and display accept and reject buttons.

CookieYes banner also has a ‘Preferences’ button that features the cookie audit table with the details of cookies and their purposes. 

As seen in this example, cookie consent banners should give users a clear choice to accept or deny the use of cookies as well as the option to give granular consent. It should include clear information on the categories of cookies and what they are used for. 
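One way to gate non-essential scripts behind the banner choices described above, as an added example that is not CookieYes’s implementation: scripts are shipped inert and only activated for the categories the user consented to; scrolling or closing the banner changes nothing, and strictly necessary cookies stay on. The category names and the `data-cookiecategory` attribute are assumptions.

```javascript
// Consent state for the cookie categories used on the site. Everything except
// strictly necessary cookies starts as denied: no choice means no consent.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'advertisement'];

function defaultConsent() {
  const c = {};
  for (const cat of CATEGORIES) c[cat] = cat === 'necessary';
  return c;
}

// Apply an explicit banner choice. Only an affirmative action counts: the
// 'scroll' and 'dismiss' events a banner may receive are deliberately ignored.
function applyChoice(consent, action, categories = []) {
  const next = { ...consent };
  switch (action) {
    case 'accept-all': for (const cat of CATEGORIES) next[cat] = true; break;
    case 'reject-all': for (const cat of CATEGORIES) next[cat] = cat === 'necessary'; break;
    case 'save-preferences':                  // granular choice from the Preferences panel
      for (const cat of CATEGORIES) next[cat] = cat === 'necessary' || categories.includes(cat);
      break;
    default: return consent;                  // scroll, continue browsing, close: no change
  }
  next.necessary = true;                      // cannot be switched off
  return next;
}

// Decide which blocked scripts may run. A script tag is shipped as
// <script type="text/plain" data-cookiecategory="analytics" src="..."> so the
// browser does not execute it; we return the ones whose category is consented.
function scriptsToActivate(scripts, consent) {
  return scripts.filter(s => consent[s.category] === true);
}

// Browser side: replace each permitted inert tag with an executable copy.
// Guarded so the logic above can also be exercised in Node.
function activateInPage(consent) {
  if (typeof document === 'undefined') return 0;
  const tags = [...document.querySelectorAll('script[type="text/plain"][data-cookiecategory]')];
  const allowed = scriptsToActivate(tags.map(t => ({ category: t.dataset.cookiecategory, tag: t })), consent);
  for (const { tag } of allowed) {
    const live = document.createElement('script');
    for (const a of tag.attributes) if (a.name !== 'type') live.setAttribute(a.name, a.value);
    live.textContent = tag.textContent;
    tag.replaceWith(live);
  }
  return allowed.length;
}
```

Call `activateInPage` only after a choice has been applied and persisted, so a returning visitor’s saved preferences are honoured without re-prompting.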

CookieYes for GDPR cookie consent

The CookieYes banner can be fully customized for content, colour, layout, behaviour and can be geo-targeted and auto-translated in over 30 languages. It also features an auto-updated cookie table and revisit consent widget. 

You can also comply with multiple data privacy laws like the GDPR, CCPA, LGPD, and CNIL at the same time. With CookieYes, you can

  • Add a fully customizable cookie consent banner 
  • Block third-party cookies automatically until you obtain user consent 
  • Check cookies used by your website with automatic scanning
  • Record user consent for demonstrating proof of consent
  • Generate custom privacy policy and cookie policy for your website