What constitutes valid consent under GDPR?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Under GDPR, consent isn't just a checked box. It has four specific requirements, and if any one of them fails, the whole thing fails.

Affirmative action. The subscriber has to do something positive: check an unchecked box, click an opt-in button, type their address into a clearly-labeled subscription form. Pre-ticked checkboxes, silence, and inactivity don't qualify. They have to choose yes, not merely fail to choose no.

Specific and granular. Consent for marketing emails is separate from consent for data sharing with partners, and separate from consent for profiling. A bundled "agree to all" isn't valid when multiple purposes are involved. Subscribers should be able to say yes to your newsletter without saying yes to everything else you might want to do with their data.

Informed. Subscribers need to understand who will email them, what they'll send, and roughly how often. Vague language like "occasional updates from our partners" doesn't meet the standard. Clear, specific language does.

Freely given. You can't make access to your core service conditional on accepting marketing consent. If someone has to tick the marketing box to create an account, it's not freely given.

These four conditions work together. A consent that passes three and fails one is still invalid. For the flip side, what actively voids consent you've already collected, see what invalidates consent. And if you want to check your consent language against these standards, your consent records are where to start.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check my consent language against the four GDPR requirements.

I read this on the Email Almanac about what constitutes valid consent under GDPR. I want to check whether my current consent setup meets all four GDPR requirements. My signup flow: 1. Is my opt-in checkbox pre-checked or unchecked? pre-checked / unchecked / no checkbox 2. What does the consent language say? paste it if you can 3. Is marketing consent bundled with account creation or separate? bundled / separate 4. Does someone have to accept marketing emails to use your service? yes / no 5. Does the consent cover multiple purposes (e.g., marketing + partner sharing + profiling)? yes / no / unsure --- My details: - Email platform/ESP: e.g. Mailchimp, Kit, HubSpot, Klaviyo - Domain(s): your sending domain - Business type: B2B / B2C / newsletter / e-commerce - Audience locations: EU / UK / US / global - Applicable laws: GDPR / PECR / both / unsure - Privacy policy in place: yes / no / in progress

Edit the yellow boxes, then send to the AI of your choice.