Consent is a cornerstone of GDPR compliance, ensuring individuals maintain control over their personal data. For businesses and organizations, obtaining valid consent is more than a regulatory obligation—it’s a way to build trust with customers. Consent is the first of the Six Lawful Bases for Data Processing.
But what exactly does valid consent look like? GDPR defines consent as a freely given, specific, informed, and unambiguous indication of agreement to personal data processing (Article 4(11)). In practice, this means individuals must actively agree to data use with a clear understanding of how their data will be processed.
Imagine everyday examples: subscribing to a newsletter, clicking “I agree” to accept cookies, or ticking a box to receive promotional offers. Each of these scenarios must comply with GDPR’s strict rules on consent.
Key Elements of Consent
For consent to be valid, it must meet four key principles:
- Freely Given: Individuals must have a real choice without pressure or consequences for refusal (Recital 42). For example, refusing marketing emails should not block access to a service.
- Specific: Consent must be tied to a particular purpose. Agreeing to receive newsletters does not imply agreeing to share data with third parties.
- Informed: Individuals must understand what they’re consenting to, including the purpose of processing and the identity of the data controller (Article 7(2)). A clear statement like “Your email will be used to send updates about our products” ensures informed consent.
- Unambiguous: Consent must involve a clear action, such as ticking a box or signing a form. Pre-ticked boxes and vague language do not amount to valid consent under GDPR (Recital 32).
How to Obtain Consent
For businesses, obtaining valid consent requires:
- Using clear, simple language in consent forms.
- Avoiding pre-ticked boxes or implicit agreements.
- Keeping records of consent to demonstrate compliance during audits.
For example, a compliant consent form might say:
“I agree to receive promotional emails from Cerberus DPS” with an unticked checkbox.
What Happens Without Valid Consent?
Failure to comply with GDPR’s consent requirements can have serious consequences. Businesses risk fines of up to €20 million or 4% of global turnover (Article 83).
In 2019, Google was fined €50 million by France’s CNIL for lack of transparency and insufficient consent practices when processing user data for personalized ads. This case highlights the importance of obtaining valid consent to avoid costly penalties and reputational damage.
Withdrawing Consent
Under GDPR, individuals can withdraw their consent at any time, and businesses must make this process as easy as giving consent (Article 7(3)). A straightforward option, such as an “unsubscribe” link in marketing emails or a clear opt-out form, ensures compliance and user satisfaction.
In conclusion, obtaining valid consent is not just about meeting regulatory standards; it’s about respecting individuals’ rights and fostering trust. By adhering to GDPR’s principles, businesses can enhance their credibility while safeguarding customer data.