What constitutes valid consent under GDPR?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Under GDPR, consent isn't just a checked box. It has four specific requirements, and if any one of them fails, the whole thing fails.
Affirmative action. The subscriber has to do something positive: check an unchecked box, click an opt-in button, type their address into a clearly-labeled subscription form. Pre-ticked checkboxes, silence, and inactivity don't qualify. They have to choose yes, not merely fail to choose no.
Specific and granular. Consent for marketing emails is separate from consent for data sharing with partners, and separate from consent for profiling. A bundled "agree to all" isn't valid when multiple purposes are involved. Subscribers should be able to say yes to your newsletter without saying yes to everything else you might want to do with their data.
Informed. Subscribers need to understand who will email them, what they'll send, and roughly how often. Vague language like "occasional updates from our partners" doesn't meet the standard. Clear, specific language does.
Freely given. You can't make access to your core service conditional on accepting marketing consent. If someone has to tick the marketing box to create an account, it's not freely given.
These four conditions work together. A consent that passes three and fails one is still invalid. For the flip side, what actively voids consent you've already collected, see what invalidates consent. And if you want to check your consent language against these standards, your consent records are where to start.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.