Innopulse Consulting

What is valid consent under the GDPR?

Short definition

Consent under the GDPR is one of the six lawful bases for processing personal data. To be valid it must be freely given, specific, informed, and unambiguous, expressed through a clear affirmative action, and as easy to withdraw as to give. Pre-ticked boxes, bundled consent, and inactivity do not qualify, and the controller must be able to demonstrate that consent was obtained.

Consent, in German Einwilligung, is one of the six lawful bases for processing personal data under the GDPR and one of the most misunderstood. It is defined in Article 4(11) and its conditions are set out in Article 7. Far from a formality, valid consent is a high bar: it must be freely given, specific, informed, and unambiguous, and the individual must be able to withdraw it as easily as they gave it. Many organisations rely on consent where another basis would serve better, and many obtain consent in ways that do not actually meet the standard.

The GDPR permits processing only where one of the six lawful bases in Article 6(1) applies: consent, contract, legal obligation, vital interests, public task, or legitimate interests. A common error is to treat consent as the default, when a contract or legitimate interests is often the more appropriate and more robust basis. Because consent can be withdrawn at any time, building essential processing on it is fragile, and the European Data Protection Board's consent guidelines take the position that a controller who chose consent cannot quietly switch to another basis once it is withdrawn. Choosing the right basis is therefore the first decision, made before any consent mechanism is designed, and the chosen basis must be stated in the privacy information given to the individual.

Freely given

Consent is only valid if the individual has a genuine, free choice. It is not freely given if it is bundled into terms and conditions, if refusing it means losing access to a service that does not actually require the processing (Article 7(4): performance of a contract must not be made conditional on consent to processing the contract does not need), or if there is a clear imbalance of power between the parties, such as between an employer and employee or between a public authority and a citizen. The freedom of the choice is what distinguishes real consent from a box people feel forced to tick.

Specific

Consent must be specific to defined purposes. A single blanket consent covering many unrelated processing activities does not qualify; the individual must be able to consent to some purposes and not others. This is why granular consent options — separate choices for separate purposes — are required where multiple purposes exist. Lumping everything together undermines the specificity the GDPR demands.

Informed

For consent to be informed, the individual must know at least who is processing their data and for what purposes before they agree, and must also be told, before consenting, that consent can be withdrawn. This means clear, plain-language information presented at the point of consent, not buried in a lengthy policy. If people do not understand what they are agreeing to, their consent is not informed and therefore not valid, which makes the clarity of consent requests a legal matter, not just a design preference.

Unambiguous and affirmative

Consent must be expressed through a clear affirmative action: an unambiguous indication of the individual's wishes. Pre-ticked boxes, opt-out mechanisms, silence, inactivity, or merely continuing to scroll or use a site do not constitute consent. The individual must actively do something to signal agreement, such as ticking an unticked box or clicking an explicit button. This requirement alone invalidates many older consent designs that relied on default opt-ins.

The right to withdraw

Individuals must be able to withdraw consent at any time, and withdrawing must be as easy as giving it. Once consent is withdrawn, the processing that relied on it must stop, and data held on that basis alone must be erased unless another lawful basis genuinely applies; withdrawal does not, however, retroactively make past processing unlawful. Designing an easy withdrawal mechanism, not buried and not harder than the original opt-in, is a requirement, and a frequent point of failure is the flow where giving consent takes one click but withdrawing takes an email and a wait.

Demonstrable

The GDPR's accountability principle, made concrete for consent in Article 7(1), means the controller must be able to demonstrate that valid consent was obtained: who consented, when, to what, and how. This requires keeping records of consent: the version of the information presented, the action taken, and the timestamp. Consent that cannot be evidenced is, for practical purposes, consent that cannot be relied upon if challenged.

Explicit consent for special categories

Where processing involves special categories of data (such as health, genetic or biometric data, or data revealing religious or philosophical beliefs) and consent is the chosen route under Article 9(2)(a), it must be explicit, a higher standard than ordinary consent. This typically means a clear, express statement of agreement, for example a written or typed declaration, rather than a more general affirmative action. Union or member-state law may also rule out consent as a route for some special-category processing altogether. The sensitivity of the data justifies the heightened requirement.

Children

Article 8 sets special rules for children in the context of information-society services offered directly to them: below the age of 16, consent must be given or authorised by the holder of parental responsibility, and member states may lower that threshold, but not below 13. The controller must also make reasonable efforts, taking available technology into account, to verify that parental consent was actually given. Services likely to be used by children must therefore consider age verification and parental consent mechanisms. This is an area where getting consent wrong carries particular sensitivity and risk.

In practice, valid consent means: choosing consent only when it is the right basis; presenting clear, specific information; using unticked, granular, affirmative controls; making withdrawal easy; and logging everything. For software products, this translates into well-designed consent flows and a consent record store. Innopulse builds these patterns into DACH products so that consent is both user-friendly and demonstrably compliant, rather than a liability waiting to be challenged.
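The consent record store mentioned above, and the demonstrability requirement in the accountability paragraph before it, are easier to reason about with a concrete shape. The sketch below is an added example written for this page; it is not Innopulse's product code. It keeps an append-only ledger of per-purpose consent events, refuses mechanisms that are not a clear affirmative action, demands an explicit statement for a purpose that touches special-category data, and answers "was consent valid for this purpose at this moment?" so that a withdrawal stops future processing without rewriting history. The purpose names, mechanism labels, the notice text and the `user-42` history are constructed, and treating "explicit consent" as one mechanism label is a simplification.

```python
# Append-only consent ledger: an added illustration, not Innopulse code.
# Purpose names, mechanism labels, the notice text and the "user-42"
# history are all constructed for this example.
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Mechanisms that count as a clear affirmative action. Anything not listed here
# (pre-ticked boxes, inactivity, consent bundled into terms) is refused outright.
AFFIRMATIVE_MECHANISMS = {"checkbox_unticked_by_default", "button_click", "explicit_statement"}
# Purposes touching special-category data: only an explicit statement is accepted.
# Mapping "explicit consent" to one mechanism label is a simplification (assumption).
SPECIAL_CATEGORY_PURPOSES = {"health_profile"}


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Timezone-aware UTC timestamp helper, so records are unambiguous."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def notice_fingerprint(notice_text: str) -> str:
    """SHA-256 of the exact text shown to the user, so the record proves what was said."""
    return hashlib.sha256(notice_text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # one granular purpose per event, never a blanket "all"
    action: str           # "granted" or "withdrawn"
    at: datetime          # when the user acted (timezone-aware)
    notice_version: str   # version of the information presented at that moment
    notice_hash: str      # fingerprint of the notice text actually shown
    mechanism: str        # how the user acted, e.g. which control they used


class ConsentLedger:
    """Append-only store of consent events; nothing is ever edited or deleted."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def grant(self, subject_id: str, purpose: str, notice_version: str,
              notice_text: str, mechanism: str, at: datetime) -> None:
        if mechanism not in AFFIRMATIVE_MECHANISMS:
            raise ValueError(f"{mechanism!r} is not a clear affirmative action")
        if purpose in SPECIAL_CATEGORY_PURPOSES and mechanism != "explicit_statement":
            raise ValueError(f"purpose {purpose!r} requires explicit consent")
        self._append(ConsentEvent(subject_id, purpose, "granted", at, notice_version,
                                  notice_fingerprint(notice_text), mechanism))

    def withdraw(self, subject_id: str, purpose: str, mechanism: str, at: datetime) -> None:
        # The mechanism is recorded so an auditor can check withdrawal was as easy as opt-in.
        self._append(ConsentEvent(subject_id, purpose, "withdrawn", at, "", "", mechanism))

    def _append(self, event: ConsentEvent) -> None:
        if event.at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        self._events.append(event)

    def is_consented(self, subject_id: str, purpose: str, at: datetime | None = None) -> bool:
        """True if the latest event for (subject, purpose) at or before `at` is a grant.

        Consent is per purpose: a grant for one purpose says nothing about another,
        and a withdrawal only affects processing from its timestamp onwards.
        """
        at = at or datetime.now(timezone.utc)
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= at]
        if not relevant:
            return False
        # sorted() is stable, so events with equal timestamps keep append order.
        return sorted(relevant, key=lambda e: e.at)[-1].action == "granted"

    def evidence(self, subject_id: str, purpose: str) -> list[ConsentEvent]:
        """The full history: who consented, when, to what, under which notice, and how."""
        return [e for e in self._events if e.subject_id == subject_id and e.purpose == purpose]


# Constructed sample notice text, version 2.0 of a hypothetical newsletter notice.
NEWSLETTER_NOTICE_V2 = ("Example Ltd will email you a monthly newsletter. "
                        "You can withdraw this consent at any time in Settings.")


def build_sample_ledger() -> ConsentLedger:
    """Constructed history for one subject: opt-in in March, withdrawal in June."""
    ledger = ConsentLedger()
    ledger.grant("user-42", "newsletter", "2.0", NEWSLETTER_NOTICE_V2,
                 "checkbox_unticked_by_default", utc(2024, 3, 1, 9))
    ledger.withdraw("user-42", "newsletter", "settings_toggle", utc(2024, 6, 1, 12))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(ledger.is_consented("user-42", "newsletter", utc(2024, 4, 1)))  # True
    print(ledger.is_consented("user-42", "newsletter", utc(2024, 7, 1)))  # False
    print(ledger.is_consented("user-42", "analytics", utc(2024, 4, 1)))   # False
```

The design choice worth noting is that the store never overwrites: the answer to "is consent valid now?" is derived from the event history rather than stored as a flag, so the same data that drives processing decisions is also the evidence the controller needs under Article 7(1). In a real product the ledger would live in durable storage and the notice text would be versioned alongside the UI that renders it.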

Conclusion

Valid consent under the GDPR is a demanding standard: freely given, specific, informed, and unambiguous, expressed by clear affirmative action, easily withdrawable, and fully documented. It is only one of six lawful bases, and often not the best one. Organisations that understand when to use consent — and that design granular, transparent, well-logged consent mechanisms — avoid one of the most common and most challengeable weaknesses in data protection compliance.

Data protection is our specialty

Innopulse doesn't just explain terms — we put them into practice for DACH companies.