TLDR:
Explicit consent is a clear, unambiguous affirmative action by an individual to permit specific data processing, required under GDPR and other privacy laws for sensitive data and certain other situations.
Requirements for Valid Explicit Consent
Valid explicit consent must be freely given, specific, informed, and unambiguous. The data subject must take a clear affirmative action — pre-checked boxes, silence, or inactivity don’t qualify. The request must be presented in clear, plain language separate from other terms. Consent must be withdrawable at any time with no detriment, and as easy to withdraw as to give.
When Explicit Consent is Required
GDPR requires explicit consent for processing sensitive data, automated decision-making with legal effects, cross-border transfers to countries without adequacy decisions, and certain marketing activities. ePrivacy rules require consent for cookies other than strictly necessary ones. Healthcare and financial services often require explicit consent under sector-specific regulations.
Documenting Consent
Organizations must maintain records demonstrating valid consent, including who consented, when, what they were told, how consent was given, and any subsequent withdrawal. Consent management platforms help automate this. Without proper records, organizations cannot demonstrate compliance, and regulators frequently fine companies that cannot prove valid consent.