TLDR:
Consent in privacy law refers to an individual’s specific, informed, and freely given agreement to data processing, serving as a legal basis under GDPR and other privacy frameworks.
Valid Consent Requirements
GDPR-valid consent must be: freely given (no detriment for refusing), specific (for each processing purpose), informed (clear information about what’s being agreed to), unambiguous (clear affirmative action), and withdrawable (as easy to withdraw as to give). Pre-checked boxes, silence, or inactivity do not constitute valid consent. Sensitive data requires ‘explicit consent’ with additional requirements.
Consent in Practice
Practical consent implementation requires: clear language explaining processing purposes, granular options (separate consents for different purposes), accessible withdrawal mechanisms, records of consent (who, when, what, how), and re-consent when material changes occur. Cookie consent has become particularly visible — most websites now use consent management platforms to comply with ePrivacy and GDPR requirements.
Limitations of Consent
Consent is one of several legal bases under GDPR and is not always the right choice. Consent fatigue (excessive consent requests) reduces meaningful choice. Other legal bases (contract performance, legitimate interests, legal obligations) may be more appropriate. Many organizations over-rely on consent rather than properly mapping each processing activity to the most appropriate legal basis. Consent should be used when it is truly meaningful, not as a default cover.