Tracking Consent: When Is Consent Valid Under GDPR?

Tracking consent is only lawful under GDPR when people have a real choice, understand what they are agreeing to, and can change their mind without friction.

Tracking Consent Requirements Under GDPR

Freely given: Consent cannot be a precondition for accessing a service unless the data processing is genuinely necessary for that service. Bundling consent with terms of service or offering no meaningful alternative invalidates the consent.

Specific: Consent must be given for each distinct processing purpose. Blanket consent covering multiple unrelated purposes is not valid.

Informed: Individuals must understand what they are consenting to, including who will process their data, what data will be collected, and for what purpose. Information must be presented in clear, plain language.

Unambiguous: Consent requires a clear affirmative action. Pre-ticked boxes, silence, or continued browsing do not constitute valid consent.

Withdrawable: Individuals must be able to withdraw consent at any time, and the withdrawal process must be as easy as the consent process. Organizations must inform individuals of their right to withdraw before consent is given.

Common Pitfalls

Many consent mechanisms used in practice fail to meet GDPR standards. Cookie banners with only an "Accept" button, privacy policies that bury consent language in legal jargon, and consent forms that make rejection deliberately difficult all produce invalid consent. Organizations that rely on these mechanisms risk enforcement action.