What is Consent?
Consent in privacy law refers to an individual’s specific, informed, and freely given agreement to data processing, serving as a legal basis under GDPR and other privacy frameworks.
Valid Consent Requirements
GDPR-valid consent must be: freely given (no detriment for refusing), specific (for each processing purpose), informed (clear information about what’s being agreed to), unambiguous (clear affirmative action), and withdrawable (as easy to withdraw as to give). Pre-checked boxes, silence, or inactivity do not constitute valid consent. Sensitive data requires ‘explicit consent’ with additional requirements.
Consent in Practice
Practical consent implementation requires: clear language explaining processing purposes, granular options (separate consents for different purposes), accessible withdrawal mechanisms, records of consent (who, when, what, how), and re-consent when material changes occur. Cookie consent has become particularly visible — most websites now use consent management platforms to comply with ePrivacy and GDPR requirements.
Limitations of Consent
Consent is one of several legal bases under GDPR and not always the right choice. Consent fatigue (excessive consent requests) reduces meaningful choice. Other legal bases (contract performance, legitimate interests, legal obligations) may be more appropriate. Many organizations over-rely on consent rather than properly mapping each processing activity to the most appropriate legal basis. Consent should be used when truly meaningful, not as default cover.
References
- Turkish Law No. 6698 on the Protection of Personal Data (KVKK)
- Personal Data Protection Authority of Türkiye
- EU GDPR (Regulation 2016/679) — EUR-Lex
- U.S. Internal Revenue Service (IRS)
Practical notes: validity, burden of proof and withdrawal
For consent to be a valid lawful basis it must be freely given, specific, informed and unambiguous. Under the KVKK it generally takes the form of açık rıza (explicit consent) and cannot be bundled as a precondition for a service the person is otherwise entitled to receive. The data controller carries the burden of proving that valid consent was actually obtained, which is why consent flows should be logged with a timestamp, the text shown, and the version of the privacy notice in force at the time. Consent may be withdrawn at any moment, and withdrawal must be as easy as giving it; processing carried out before withdrawal stays lawful, but the controller must stop the relevant processing going forward. In practice consent is the most fragile basis: where another ground such as performance of a contract, a legal obligation or legitimate interest genuinely applies, relying on it is preferable because it is not revocable at will.