
GDPR Consent & Cookie Compliance Guide

What is GDPR Consent?

Consent is one of the six legal bases for processing personal data listed in Article 6(1); it is the basis in Article 6(1)(a). Article 4(11) defines it as a freely given, specific, informed and unambiguous indication of the data subject's wishes, given by a statement or by a clear affirmative action.

Key Principle: True consent requires a clear affirmative action - silence, pre-ticked boxes, or inactivity do NOT constitute consent (Recital 32).

GDPR Consent Requirements

✅ Freely Given

No coercion or clear imbalance of power, and no making a service conditional on consent to processing the service does not need (Article 7(4))

✅ Specific

Separate consent for different purposes - no bundled consent

✅ Informed

Clear language, identity of controller, purposes, right to withdraw

✅ Unambiguous

Clear affirmative action (e.g., ticking unticked box, clicking "I agree")

✅ Easy to Withdraw

Must be as easy to withdraw as to give consent (Article 7(3))

✅ Provable

Must be able to demonstrate consent was obtained (Article 7(1))

Cookie Consent (ePrivacy Directive)

Article 5(3) of the ePrivacy Directive requires consent before anything is stored on or read from a user's device (cookies, local storage, tracking pixels) unless it is strictly necessary for a service the user asked for. The consent standard is the GDPR one, so cookie consent must meet every requirement above, and any personal data those cookies process also needs its own Article 6 legal basis.

✅ Strictly Necessary (No Consent Required)

Essential for website functionality

  • Session cookies (shopping cart, authentication)
  • Load balancing cookies
  • Security cookies (CSRF protection)

⚠️ Non-Essential (Consent Required)

All other cookies need opt-in consent before they are set

  • Analytics (Google Analytics, etc.)
  • Marketing/advertising cookies
  • Social media widgets
  • Personalization cookies

Quick Start Guide

  1. Identify consent points
     Where do you collect personal data? (Forms, cookies, tracking, etc.)
  2. Create consent records
     Platform logs: who, what, when, how consent was obtained
  3. Implement cookie banner
     Use our cookie consent platform or integrate with your existing solution
  4. Enable easy withdrawal
     Provide "Manage Cookies" link in footer + user account settings

Common Consent Mistakes to Avoid

❌ Pre-Ticked Boxes

Consent boxes must be unticked by default. User must actively tick them.

❌ Bundled Consent

Must have separate consent for different purposes (e.g., newsletter vs marketing calls).

❌ Forced Consent

Cannot condition service on consent for non-essential processing (e.g., "Accept marketing or no account").

❌ Cookie Walls

"Accept cookies or leave" is generally NOT valid consent (no genuine choice).

❌ No Proof of Consent

Must log: who consented, when, to what, how (Article 7(1) - controller must demonstrate consent).

Common Consent Scenarios

📧 Email Marketing Consent

Scenario: New user signs up, you want to send marketing emails

Solution: Separate unticked checkbox → "I agree to receive marketing emails" → Log consent in platform

✅ Best Practice: Include unsubscribe link in every email (easy withdrawal)

🍪 Website Cookie Consent

Scenario: Website uses Google Analytics + Facebook Pixel

Solution: Cookie banner with granular options → Analytics + Marketing toggles → Don't load scripts until consent given

✅ Requirement: Must not set tracking cookies, or load the scripts that set them, before consent is given (ePrivacy Directive Article 5(3)); switching a toggle off afterwards must stop that script and remove what it set

🔄 Re-Consent After Policy Change

Scenario: Privacy policy updated with new processing purposes

Solution: Existing consent invalid for NEW purposes → Must obtain fresh consent → Email users with new consent request

✅ Requirement: Consent is purpose-specific (Article 4(11); Article 6(1)(a) requires consent "for one or more specific purposes")

When to Use Consent vs Other Legal Bases

Important: Consent is just ONE of SIX legal bases (Article 6). Don't default to consent if another basis is more appropriate.

✅ USE Consent For:

  • Optional processing (marketing, non-essential cookies)
  • Special category data (health, biometric) when no other Article 9(2) exception applies; this requires explicit consent (Article 9(2)(a))
  • When user has genuine choice and control

❌ DON'T USE Consent For:

  • Processing necessary for contract (use Art. 6(1)(b) instead)
  • Legal obligations (use Art. 6(1)(c) instead)
  • Service provision (use legitimate interests Art. 6(1)(f) if appropriate)

💡 Why this matters: Consent can be withdrawn at any time. If you rely on consent for essential processing, withdrawal means you must stop that processing, and you cannot retroactively switch to another legal basis to keep going.

Frequently Asked Questions

Can I use "implied consent" (e.g., continued use of website)?

❌ NO - Implied consent is NOT valid under GDPR

Consent must be a clear affirmative action (Article 4(11), Recital 32).

Examples of INVALID consent:

  • Silence or inactivity
  • Scrolling or browsing
  • Pre-ticked boxes

How long is consent valid for?

GDPR doesn't specify an expiry period. Consider:

  • Context: More sensitive data = shorter validity
  • Frequency: Regular contact keeps consent "fresh"
  • Changes: Must re-consent if purposes change

💡 Best Practice: Re-confirm consent every 1-2 years for marketing

What should I log to prove consent?

Our platform automatically logs:

  • Who: Data subject identifier (email, user ID)
  • What: Exact wording shown, what they consented to
  • When: Timestamp of consent
  • How: Method (checkbox, banner, etc.)
  • Where: Page URL, form name

✅ Stored for audit trail (Article 7(1) - controller must be able to demonstrate)

Ready to Manage Consent?

Track, log, and manage all consent records with GDPR-compliant workflows and cookie consent integration.