When Is GDPR Consent Valid? Requirements for Lawful Data Processing Consent
TL;DR — Quick Answer
Valid GDPR consent must be freely given, specific, informed, unambiguous, and withdrawable. Most consent mechanisms used in practice fail to meet these standards.
Consent is one of the most commonly used legal bases under the GDPR, but obtaining valid consent is more demanding than many organizations realize. Invalid consent means the underlying data processing is unlawful.
Requirements for Valid Consent
Freely given: Consent cannot be a precondition for accessing a service unless the data processing is genuinely necessary for that service. Bundling consent with terms of service or offering no meaningful alternative invalidates the consent.
Specific: Consent must be given for each distinct processing purpose. Blanket consent covering multiple unrelated purposes is not valid.
Informed: Individuals must understand what they are consenting to, including who will process their data, what data will be collected, and for what purpose. Information must be presented in clear, plain language.
Unambiguous: Consent requires a clear affirmative action. Pre-ticked boxes, silence, or continued browsing do not constitute valid consent.
Withdrawable: Individuals must be able to withdraw consent at any time, and the withdrawal process must be as easy as the consent process. Organizations must inform individuals of their right to withdraw before consent is given.
Common Pitfalls
Many consent mechanisms used in practice fail to meet GDPR standards. Cookie banners with only an "Accept" button, privacy policies that bury consent language in legal jargon, and consent forms that make rejection deliberately difficult all produce invalid consent. Organizations that rely on these mechanisms risk enforcement action.