GDPR Consent Requirements: What Counts as Valid Consent (2026)

Under GDPR Article 4(11), valid consent requires four cumulative conditions: the individual must give it freely, for a specific purpose, with full information, and through an unambiguous affirmative action. Article 7 then requires controllers to document that consent, allow easy withdrawal, and avoid conditioning service access on non-essential processing agreements.
Consent is one of the six lawful bases for processing personal data under the GDPR. When an organisation relies on it, the standards are strict. A privacy policy buried in terms and conditions does not qualify. A pre-ticked checkbox does not qualify. Inactivity does not qualify.
Getting consent wrong can trigger enforcement fines. Getting it wrong at scale -- as Google and SHEIN discovered in September 2025 -- can mean nine-figure penalties. This guide explains what valid consent requires, when consent is the right basis (and when it is not), and what the 2024-2026 regulatory developments mean in practice.
For a full overview of the regulation, see What Is GDPR. For cookie-specific rules, see the ePrivacy Directive guide. For a step-by-step compliance programme, see the GDPR compliance checklist.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified data protection attorney or privacy professional for guidance specific to your situation.
Quick Answer: What Makes Consent Valid Under GDPR?
Article 4(11) of the GDPR defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
Four elements must all be present at the same time. Missing even one invalidates the consent entirely.
- Freely given -- genuine choice, no coercion, no bundling with unrelated conditions
- Specific -- separate consent for each distinct purpose
- Informed -- clear, plain-language explanation of who, what, and why before the individual decides
- Unambiguous -- a positive opt-in act; silence or inactivity is never enough
Article 7 then adds conditions on how consent must be managed once obtained. The EDPB Guidelines 05/2020 on consent remain the authoritative interpretation of these requirements.
The Four Elements in Detail
1. Freely Given
Consent is only valid if the individual has a genuine, free choice and can refuse without suffering any disadvantage.
Power imbalance. When there is a significant imbalance between the controller and the data subject, consent is unlikely to be freely given. The clearest example is the employment relationship. Employees may feel they have no practical ability to refuse their employer's data processing requests. The EDPB guidelines warn that in most employment contexts, consent will not be a valid basis precisely because of this asymmetry.
Conditionality. Under Article 7(4), organisations cannot bundle consent to non-essential processing with access to a service. An e-commerce site that requires customers to consent to marketing emails as a condition of completing a purchase invalidates the consent. The consent is not free if refusal blocks the service.
Granularity. A single "I agree to all data uses" checkbox covering multiple unrelated purposes does not satisfy the specificity requirement and undermines freedom of choice. Individuals must be able to accept some purposes and decline others independently.
No detriment. Refusing or withdrawing consent must carry no penalty, degraded service, or restricted access beyond what is strictly necessary. If a platform downgrades features for users who decline optional data processing, the consent obtained from those who agree is open to challenge.
2. Specific
Consent must be tied to each individual processing purpose. Blanket consent covering all current and future data uses is invalid.
The EDPB guidelines require a separate consent request for each distinct operation. If an organisation collects email addresses for a newsletter and also wants to share them with third-party advertisers, it needs two separate consent requests -- presented independently, not stacked under a single checkbox.
Purpose creep is a common problem. An organisation that later wants to use data for a purpose not covered by the original consent cannot simply rely on that original consent. It must seek a new, specific consent for the new purpose, or identify a different lawful basis.
3. Informed
Individuals must receive enough information to make a meaningful decision before they consent. The European Commission guidance specifies the following must be disclosed at the time of the consent request:
- The identity of the controller
- The specific purpose of each processing operation
- The types of data to be collected and processed
- The right to withdraw consent at any time
- Whether data will be used for automated decision-making or profiling
- Any international data transfers, if applicable
This information must be in clear, plain language. Hiding it behind a link to a lengthy privacy policy, or presenting it in legalese, does not satisfy the informed requirement. The EDPB has consistently held that layered notices -- short summaries with accessible links to full detail -- are acceptable, but the core information must be genuinely accessible and understandable before the consent action is taken.
4. Unambiguous (Clear Affirmative Action)
The GDPR and Recital 32 are explicit: silence, pre-ticked boxes, and inactivity do not constitute consent.
Valid affirmative actions include:
- Ticking an unticked opt-in box
- Clicking an "I consent" or "Accept" button where the processing information is clearly presented
- Choosing specific settings on a privacy dashboard
- Signing a written consent form
- Making an oral statement (though documenting this is difficult)
Scrolling through a page, remaining on a site after a notice appears, or failing to untick a pre-ticked box are not affirmative actions. The Planet49 case (CJEU, Case C-673/17, October 2019) settled this conclusively: the Court held that a pre-ticked box does not constitute valid consent under either the ePrivacy Directive or the GDPR, because it does not reflect active behaviour by the user.

The Article 7 Conditions for Managing Consent
Article 4(11) defines what consent is. Article 7 governs how it must be managed once obtained.
Demonstrability (Article 7(1))
The controller must be able to demonstrate that the data subject consented. This is an ongoing obligation, not a one-time event. The ICO guidance on recording consent recommends documenting:
- Who consented (enough detail to identify the individual)
- When they consented (date and time)
- What they were told at the time (the exact consent statement or form as presented)
- How they consented (online checkbox, verbal, signed form)
- Whether consent has since been withdrawn, and when
Storing a bare "consent = true" flag is insufficient. If the consent statement later changes, version histories must be kept so the organisation can prove exactly what each individual agreed to at the time.
Intelligibility and Accessibility (Article 7(2))
Where consent is given in the context of a written declaration covering other matters (such as terms of service), the consent request must be clearly distinguishable, in plain language, and must not use unnecessarily complex wording. Any provision that does not comply with the GDPR is not binding.
Right to Withdraw (Article 7(3))
Two rules are non-negotiable.
Withdrawal must be as easy as giving consent. If consent was given with one click, withdrawal must be achievable with no more than one click. Requiring a phone call, a letter, or navigation through several account settings menus to withdraw consent originally given by ticking a box is a violation. Enforcement actions have cited this breach directly.
The right to withdraw must be communicated before consent is obtained. Informing individuals of their withdrawal right only after they have already consented does not satisfy Article 7(3).
Withdrawal is not retroactive. Processing that occurred while consent was valid remains lawful. However, the organisation must cease all consent-based processing immediately going forward.
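The Article 7(1) record-keeping points and the Article 7(3) withdrawal rules above, as an added Python example that is not code from the original page: a small consent ledger that stores one record per purpose (so a bundled "agree to everything" cannot be recorded), keeps every version of the consent statement so the exact wording can be produced later, rejects recording methods that are not affirmative actions, and treats withdrawal as non-retroactive. The subject id, purpose names, statement wording and timestamps are constructed for the walk-through.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Affirmative actions the guide lists as valid; anything else is refused.
AFFIRMATIVE_METHODS = {"unticked_checkbox", "consent_button",
                       "privacy_dashboard", "signed_form", "oral_statement"}

@dataclass(frozen=True)
class ConsentStatement:
    """One immutable version of the wording shown to users for one purpose."""
    purpose: str
    version: int
    text: str

@dataclass
class ConsentRecord:
    """Who, what (statement version), how, when, and whether withdrawn."""
    subject_id: str
    purpose: str
    statement_version: int
    method: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self) -> None:
        self._statements: Dict[Tuple[str, int], ConsentStatement] = {}
        self._records: List[ConsentRecord] = []

    def publish_statement(self, stmt: ConsentStatement) -> None:
        # A changed form is a new version; earlier versions are never overwritten.
        key = (stmt.purpose, stmt.version)
        if key in self._statements:
            raise ValueError("consent statement versions are immutable")
        self._statements[key] = stmt

    def record_consent(self, subject_id: str, purpose: str, method: str,
                       at: datetime) -> ConsentRecord:
        # One record per purpose, so a bundled "agree to everything" cannot be stored.
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} is not a clear affirmative action")
        versions = [v for (p, v) in self._statements if p == purpose]
        if not versions:
            raise KeyError(f"no consent statement published for {purpose!r}")
        rec = ConsentRecord(subject_id, purpose, max(versions), method, at)
        self._records.append(rec)
        return rec

    def _for(self, subject_id: str, purpose: str) -> List[ConsentRecord]:
        return [r for r in self._records
                if r.subject_id == subject_id and r.purpose == purpose]

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> int:
        """Mark every active consent for this purpose withdrawn; return how many."""
        active = [r for r in self._for(subject_id, purpose) if r.withdrawn_at is None]
        for r in active:
            r.withdrawn_at = at
        return len(active)

    def processing_permitted(self, subject_id: str, purpose: str,
                             at: datetime) -> bool:
        """True if an un-withdrawn consent for exactly this purpose covered `at`."""
        # Withdrawal is not retroactive: instants before withdrawn_at stay lawful.
        return any(r.given_at <= at and (r.withdrawn_at is None or at < r.withdrawn_at)
                   for r in self._for(subject_id, purpose))

    def evidence(self, subject_id: str, purpose: str) -> List[dict]:
        """What can be shown to a regulator: the exact wording each record covers."""
        return [{"given_at": r.given_at.isoformat(), "method": r.method,
                 "statement_version": r.statement_version,
                 "statement_text": self._statements[(purpose, r.statement_version)].text,
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in self._for(subject_id, purpose)]

def utc(ts: str) -> datetime:
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)

def demo() -> ConsentLedger:
    """Constructed walk-through: newsletter consent, a reworded form, a withdrawal."""
    ledger = ConsentLedger()
    ledger.publish_statement(ConsentStatement(
        "newsletter", 1, "Send me the monthly newsletter by email."))
    ledger.record_consent("user-42", "newsletter", "unticked_checkbox",
                          utc("2025-01-10T09:00"))
    # Rewording the form later creates version 2; user-42's record still cites v1.
    ledger.publish_statement(ConsentStatement(
        "newsletter", 2, "Send me the newsletter and product announcements."))
    ledger.withdraw("user-42", "newsletter", utc("2025-04-01T12:00"))
    return ledger
```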
No Detriment (Article 7(4))
The conditionality rule is codified here: when assessing whether consent is freely given, utmost account is taken of whether the performance of a contract is conditional on consent to processing not necessary for that contract.
Consent vs. the Other Five Lawful Bases
Consent is only one of six lawful bases under Article 6. Many organisations default to consent when a different basis would be simpler, more stable, and legally sounder.
| Lawful Basis | When It Applies |
|---|---|
| Contract (Art. 6(1)(b)) | Processing is necessary to perform a contract with the data subject, or to take pre-contractual steps at their request |
| Legal obligation (Art. 6(1)(c)) | Processing is required by EU or member state law (e.g., tax reporting, AML compliance) |
| Vital interests (Art. 6(1)(d)) | Protecting someone's life where they cannot consent |
| Public task (Art. 6(1)(e)) | Exercising official authority or carrying out a task in the public interest |
| Legitimate interests (Art. 6(1)(f)) | Processing is necessary for the controller's or a third party's legitimate interests, and a documented balancing test shows those interests are not overridden by the data subject's rights |
| Consent (Art. 6(1)(a)) | The data subject freely agrees to the specific processing |
Why choosing consent carelessly creates problems. Consent generates ongoing management overhead: maintaining records, providing withdrawal mechanisms, re-obtaining consent when purposes change, and handling withdrawal requests. If a different basis legitimately applies, it is almost always more practical to use it. The ICO guidance on when consent is appropriate recommends consent only when you genuinely want to give individuals ongoing control over processing that is not otherwise required.
Organisations also cannot switch bases retrospectively. If consent is withdrawn, the organisation cannot simply declare it was relying on legitimate interests all along unless that basis genuinely applied from the start and was documented as such.
Explicit Consent for Special-Category Data
Article 9 prohibits processing special categories of data -- health, biometric, genetic, racial or ethnic origin, political opinions, religious beliefs, trade union membership, and data concerning sex life or sexual orientation -- unless a specific exception applies. One exception is "explicit consent."
Explicit consent is a higher standard than ordinary consent. It requires:
- A clear, express statement specifically referencing the sensitive data category and the processing purpose
- Active, unambiguous confirmation -- implied or inferred consent is never enough for special-category data
- Separate consent from any general consent to other processing
A generic "I agree to my data being processed" does not satisfy explicit consent for health data. The consent must name the data type and purpose directly.

Children's Consent (Article 8)
Article 8 imposes additional requirements when offering information society services (ISS) directly to children. An ISS covers social media platforms, apps, online games, streaming services, and most commercial websites that collect personal data.
Age Thresholds Across Europe
The GDPR sets the default age threshold at 16. Below that age, parental consent is required. Member states may lower the threshold to a minimum of 13. The result is a patchwork:
| Age | Countries |
|---|---|
| 13 | Belgium, Czech Republic, Denmark, Estonia, Finland, Latvia, Malta, Portugal, Sweden |
| 14 | Austria, Bulgaria, Cyprus, Italy, Lithuania, Spain |
| 15 | France, Greece, Slovenia |
| 16 | Germany, Hungary, Ireland, Luxembourg, Netherlands, Poland, Romania, Slovakia |
A service operating across multiple EU member states must apply the age threshold of each country for users in that country, not a single EU-wide age.
Verification and Age Assurance
Article 8(2) requires "reasonable efforts" to verify that parental consent was given. What counts as reasonable is proportionate to the processing risks involved. The EDPB Statement 1/2025 on age assurance addresses the growing use of technical age-verification tools and recognises that age estimation, age verification, and self-declaration represent different levels of assurance suited to different risk contexts.
Age assurance is also increasingly relevant under the Digital Services Act, which imposes separate obligations on very large online platforms concerning minors. The EDPB's Guidelines 3/2025 on the interplay between the DSA and the GDPR address the interaction between these regimes.
Preventive and Counselling Services
Article 8 does not apply to counselling and preventive services offered directly to children to protect their welfare. Such services may process children's data without parental consent where parental involvement would be contrary to the child's interests.
Cookie Consent and the ePrivacy Directive
Cookie consent currently operates under the ePrivacy Directive (Directive 2002/58/EC), not the GDPR directly. When cookies involve personal data, the GDPR applies to the subsequent processing of that data, but the permission to set the cookie in the first place is governed by ePrivacy. For the full framework, see the ePrivacy Directive guide.
The Key Rule: Consent Is Mandatory for Non-Essential Cookies
Legitimate interest cannot be used as the basis for setting non-essential cookies. The ePrivacy Directive requires consent for storing information on a user's device. That consent must meet all GDPR standards. This was confirmed in Planet49 (Case C-673/17) and is reiterated in every major DPA's cookie guidance.
Cookies That Require Consent
- Analytics and measurement cookies (Google Analytics and similar tools)
- Advertising and behavioural tracking cookies
- Social media plugins and share buttons
- Personalisation cookies not strictly necessary for the service
Cookies That Do Not Require Consent
Strictly necessary cookies are exempt. These include:
- Session management (shopping carts, login state)
- Security and fraud prevention cookies
- Load-balancing tokens
- User preference cookies for accessibility or language settings
Cookie Banner Requirements
The EDPB Cookie Banner Taskforce report identified the most common violations:
- No "reject all" option at the first layer (making refusal harder than acceptance)
- Pre-ticked checkboxes for optional cookies
- Deceptive design patterns steering users toward accepting
- Invoking legitimate interest as a basis for advertising cookies
- Making withdrawal of cookie consent more difficult than giving it
The EDPB Guidelines 03/2022 on deceptive design patterns address banner manipulation in detail and apply to social media platforms and other online services alike.
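The cookie classification and the banner violations listed above, as an added Python example that is not code from the original page: a small audit that replays a constructed browser-session log and flags any consent-required cookie that is set or sent back before the user has interacted with the banner, or after the user has refused. The log format, the cookie names and the strictly-necessary allowlist are assumptions made for the example; the allowlist is a controller's classification decision, not something the code can infer.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Names this hypothetical site classifies as strictly necessary (exempt from consent).
# Everything else is treated as consent-required. The classification is an assumption.
STRICTLY_NECESSARY = {"sessionid", "csrftoken", "cart", "lb_route", "lang"}

# Constructed session log: timestamp, event kind, argument.
#   set    -> a Set-Cookie header was received for that cookie name
#   sent   -> the browser sent that cookie back in a Cookie header
#   banner -> the user clicked a banner choice (accept_all / reject_all)
SAMPLE_LOG = """\
2025-09-01T10:00:00Z set sessionid
2025-09-01T10:00:00Z set _ga
2025-09-01T10:00:01Z set lang
2025-09-01T10:00:05Z banner reject_all
2025-09-01T10:00:06Z set _fbp
2025-09-01T10:00:07Z sent _ga
2025-09-01T10:00:07Z sent sessionid
2025-09-01T10:01:00Z banner accept_all
2025-09-01T10:01:01Z set _gid
"""

@dataclass(frozen=True)
class Event:
    at: datetime
    kind: str   # "set", "sent" or "banner"
    arg: str    # cookie name, or the banner choice

@dataclass(frozen=True)
class Finding:
    at: datetime
    cookie: str
    rule: str

def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, arg = line.split()
        at = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(at, kind, arg))
    return sorted(events, key=lambda e: e.at)   # stable: same-instant order kept

def audit(events: List[Event]) -> List[Finding]:
    """Flag non-essential cookies set or read without consent, or against a refusal."""
    consent: Optional[str] = None   # None until the user interacts with the banner
    findings: List[Finding] = []
    for e in events:
        if e.kind == "banner":
            consent = e.arg
            continue
        if e.arg in STRICTLY_NECESSARY:
            continue                 # exempt: no consent needed
        if consent is None:
            findings.append(Finding(e.at, e.arg, f"{e.kind} before any banner interaction"))
        elif consent == "reject_all":
            findings.append(Finding(e.at, e.arg, f"{e.kind} after the user refused"))
        # consent == "accept_all": nothing to flag for this simplified model
    return findings

def audit_sample() -> List[str]:
    """Run the audit over the constructed log and render one line per finding."""
    return [f"{f.at.isoformat()} {f.cookie}: {f.rule}"
            for f in audit(parse_log(SAMPLE_LOG))]
```

Feeding the same checker with events captured from a real browser session (for example, from a HAR file) is the natural next step; the only site-specific input is the allowlist.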
The "Consent or Pay" Model and EDPB Opinion 08/2024
Large online platforms have increasingly offered users a binary choice: consent to behavioural advertising or pay a subscription fee. In April 2024, the EDPB issued Opinion 08/2024, requested by the Dutch, Norwegian, and Hamburg data protection authorities.
Core conclusion. In most cases, a large online platform cannot satisfy the requirements for valid consent when it presents users only with a binary choice between consenting to behavioural advertising data processing or paying a fee. The opinion does not declare these models always unlawful, but it sets strict conditions.
What the opinion requires:
- The "consent" option must genuinely satisfy all four GDPR consent conditions, including being freely given.
- The paid alternative must be a genuine equivalent service, not a degraded version.
- Platforms should consider offering a third option -- access supported by contextual advertising (non-behavioural), which does not require personal data processing beyond what is strictly necessary for content display.
- The fee charged must not be set so high as to effectively coerce consent from users who cannot afford to pay.
The EDPB committed to developing fuller guidelines on "consent or pay" models with broader scope. A stakeholder consultation event was held in November 2024.
This opinion is directly relevant to social media platforms, news publishers, and any service that has implemented or is considering a subscription-based alternative to ad-funded free access.
DMA and GDPR: Gatekeeper Obligations
For platforms designated as "gatekeepers" under the Digital Markets Act, additional constraints apply. In 2025, the EDPB and European Commission jointly issued guidelines on the interplay between the DMA and the GDPR. These clarify how gatekeepers must implement Article 5(2) DMA -- which requires specific choice and valid consent for combining personal data across core platform services -- in a way that is also compliant with the GDPR. For platforms that are both DMA gatekeepers and subject to the GDPR, both sets of requirements apply simultaneously.

Common Consent Mistakes
DPA enforcement decisions and EDPB audit findings consistently identify the same failures. These are the most common:
1. Treating consent as the default basis without reviewing alternatives. Many organisations consent-wash operations that could legitimately rely on contractual necessity or legitimate interests. This creates unnecessary withdrawal obligations and complicates operations when users later exercise the right to withdraw.
2. Pre-ticked boxes or no reject option. Still the single most cited cookie consent violation. The reject option must be as prominent and as easy to use as the accept option at the first layer of any cookie banner.
3. Making withdrawal harder than giving consent. Requiring phone calls, letters, or navigating buried account settings to undo consent given by clicking a button is a direct Article 7(3) breach.
4. Bundled consent. A single checkbox covering newsletter subscription, profiling for advertising, and third-party data sharing is invalid. Each purpose needs a separate, independently presented checkbox.
5. No version control on consent statements. Changing a consent form without keeping the prior version means the organisation cannot prove what any individual who consented before the change actually agreed to.
6. Misclassifying analytics cookies as strictly necessary. Measuring how users navigate a site is useful but not strictly necessary to deliver the service. Analytics cookies require consent.
7. Continuing to process after withdrawal. Systems must have a mechanism to immediately cease consent-based processing when a withdrawal is recorded. Delays in downstream systems fed by a CRM are a recurring source of complaints.
8. Using legitimate interest for cookie-based tracking. This remains explicitly prohibited under the current ePrivacy framework. Citing it in a cookie consent notice does not make it lawful.
Enforcement Examples
CNIL v. Google (September 2025, 325 Million Euros)
The French CNIL imposed a combined fine of 325 million euros on Google LLC (200 million euros) and Google Ireland Limited (125 million euros) in September 2025. The investigation, which followed a complaint from NOYB, found two distinct violations. First, Gmail displayed promotional messages inserted between private emails in users' inboxes without consent. Second, during account creation, the consent design made it materially harder to refuse advertising cookies than to accept them, and failed to inform users that Google group service access depended on the placement of advertising cookies. The CNIL ordered Google to stop inserting advertisements into Gmail without prior consent within six months.
CNIL v. SHEIN (September 2025, 150 Million Euros)
In the same enforcement cycle, the CNIL fined SHEIN's Irish subsidiary Infinite Styles Services Co. Limited 150 million euros for placing advertising cookies on users' devices before any interaction with the consent banner -- that is, before the user had the opportunity to accept or refuse. The investigation also found that even when users clicked "refuse all," cookies continued to be placed and previously set cookies continued to be read. With approximately 12 million French residents visiting the site monthly, the scale of the violation drove the penalty size.
Meta Behavioural Advertising (EDPB Binding Decision, 2023)
In 2023, the EDPB issued an urgent binding decision directing the Irish Data Protection Commission to order Meta to cease processing personal data for behavioural advertising without a valid lawful basis. This decision, enforced across the EU through the one-stop-shop mechanism, resulted in Meta shifting away from its previous "legitimate interests" and "contract performance" justifications toward a consent-based model in the EU/EEA.
Recent and Upcoming Developments (2025-2026)
November 2025: The Digital Omnibus Package
On 19 November 2025, the European Commission published its Digital Omnibus Package, a broad simplification initiative proposing amendments to the GDPR, the ePrivacy Directive, NIS2, and the Data Act.
The most significant proposed changes for consent and cookie law are:
Moving cookie rules into the GDPR. The proposal would remove the processing of personal data from the ePrivacy Directive's scope entirely, consolidating personal data cookie rules under the GDPR alone. The current two-step framework -- ePrivacy Directive for the device access permission, GDPR for subsequent processing -- would be replaced by a single harmonised rule.
Consent fatigue measures. The proposals include a single-click refusal option wherever consent is relied upon, a restriction on repeat consent requests for the same purpose within six months of a refusal, and a move toward browser-based machine-readable preference signals.
Whitelist for analytics and aggregated measurement. A proposed whitelist would allow certain low-privacy-risk processing -- including basic analytics and aggregated audience measurement -- to proceed on a legitimate interest basis without consent banners, subject to safeguards including data minimisation.
Browser-based consent signals. The proposals envision technical standards for consent signals built into browsers and operating systems, making individual site-by-site consent dialogues unnecessary for users who have already expressed their preferences. These standards do not yet exist, and the mechanism would not be mandatory until approximately 2028 at the earliest.
Status. The Digital Omnibus remains a legislative proposal. It must pass through trilogue negotiations between the Commission, the European Parliament, and the Council before becoming law. Nothing in it changes current compliance obligations today.
EDPB Summary on Consent (April 2026)
In April 2026, the EDPB published a concise summary on consent to help organisations understand when consent is required, what it must look like, and what obligations it creates. The document complements the full Guidelines 05/2020 with a more accessible overview aimed particularly at small and medium-sized businesses.
More GDPR Guides
- What Is GDPR for a comprehensive overview of the regulation
- GDPR Compliance Checklist for a step-by-step compliance guide
- GDPR Fines and Penalties for enforcement data and the consequences of non-compliance
- GDPR Data Subject Rights for all eight individual rights
- GDPR Breach Notification 72-Hour Rule for breach reporting obligations
- GDPR for Small Businesses for SME-specific guidance
- EU Cookie Law (ePrivacy Directive) for the full cookie consent framework
- EU Data Privacy Laws for the complete EU data protection overview
Frequently Asked Questions
What counts as valid consent under the GDPR?
Valid GDPR consent must be freely given, specific, informed, and unambiguous. The individual must take a clear affirmative action -- ticking an unticked box, clicking a consent button, or choosing specific settings. Pre-ticked boxes, silence, inactivity, and scrolling are explicitly excluded. Each processing purpose needs its own consent, and the individual must receive clear information about who is processing their data and why before consenting.
Can I use pre-ticked checkboxes for GDPR consent?
No. The GDPR and Recital 32 explicitly prohibit pre-ticked boxes as a form of consent. Consent requires a clear affirmative action by the individual. The checkbox must start unticked, and the individual must actively tick it. The CJEU confirmed this in Planet49 (Case C-673/17, 2019), which held that pre-ticked boxes do not constitute valid consent under EU law.
Do I need consent for every type of data processing?
No. Consent is only one of six lawful bases under Article 6. You may not need consent if processing is necessary to perform a contract, comply with a legal obligation, protect vital interests, carry out a public interest task, or pursue legitimate interests that are not overridden by the individual's rights. Relying on consent when another basis applies creates unnecessary management overhead and withdrawal risks.
At what age can children consent under the GDPR?
The GDPR sets a default threshold of 16 for information society services (apps, social media, online platforms). EU member states can lower this to a minimum of 13. In practice, the age varies: 13 in Belgium, Denmark, Sweden and others; 14 in Austria, Italy, Spain and others; 15 in France and Greece; 16 in Germany, Ireland, the Netherlands, and others. A service operating across Europe must apply the applicable age for each country.
How do I withdraw consent under the GDPR?
Consent can be withdrawn at any time. The withdrawal process must be as easy as giving consent. If consent was given with one click, withdrawal must require no more than one click. The right to withdraw must be communicated before consent is obtained. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal, but the organisation must stop consent-based processing going forward.
Do I need consent for cookies on my website?
Non-essential cookies -- analytics, advertising, tracking, social media -- require consent under the ePrivacy Directive. That consent must meet GDPR standards. Legitimate interest cannot be used to justify setting non-essential cookies. Strictly necessary cookies (session management, security, load balancing) are exempt. The November 2025 Digital Omnibus proposes simplifying these rules, but it is not yet law.
What is the difference between consent and explicit consent?
Regular consent requires a clear affirmative action for standard personal data processing. Explicit consent is a higher standard required for special-category data -- health, biometric, genetic, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sex life, or sexual orientation. Explicit consent requires a clear written statement expressly identifying the sensitive data category and the specific processing purpose; implied or general consent is never enough.
Is a consent-or-pay model lawful under the GDPR?
Not automatically. EDPB Opinion 08/2024 concluded that in most cases a large online platform cannot obtain valid consent under a pure binary model -- consent to behavioural advertising, or pay a fee. The EDPB requires platforms to also offer a genuine equivalent that does not involve behavioural advertising, such as access supported by contextual advertising. Fees must not be set so high that they effectively coerce consent. The consent option must still meet all four GDPR consent conditions.
What does the November 2025 Digital Omnibus change about cookie consent?
Nothing yet -- it remains a legislative proposal. The Commission proposed consolidating cookie rules into the GDPR, introducing a whitelist for basic analytics, requiring single-click refusal, limiting repeat consent prompts to every six months per purpose, and allowing browser-based preference signals by around 2028. Until the proposal passes through the EU legislative process and takes effect, current cookie consent rules under the ePrivacy Directive apply unchanged.
Sources and References
- GDPR Full Text -- Regulation (EU) 2016/679 (eur-lex.europa.eu)
- EDPB Guidelines 05/2020 on Consent under Regulation 2016/679 (edpb.europa.eu)
- EDPB Summary on Consent (April 2026) (edpb.europa.eu)
- European Commission -- When Is Consent Valid? (commission.europa.eu)
- European Commission -- How Should My Consent Be Requested? (commission.europa.eu)
- ICO -- What Is Valid Consent? (ico.org.uk)
- ICO -- How Should We Obtain, Record and Manage Consent? (ico.org.uk)
- ICO -- When Is Consent Appropriate? (ico.org.uk)
- European Commission -- Specific Safeguards for Children's Data (commission.europa.eu)
- EDPB Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models (edpb.europa.eu)
- EDPB Cookie Banner Taskforce Report (2023) (edpb.europa.eu)
- EDPB Guidelines 03/2022 on Deceptive Design Patterns (edpb.europa.eu)
- ICO -- Cookies and Similar Technologies (ico.org.uk)
- EDPB Guidelines 1/2024 on Legitimate Interest (edpb.europa.eu)
- EDPB Guidelines 3/2025 on the Interplay between the DSA and the GDPR (edpb.europa.eu)
- EDPB and European Commission Joint Guidelines on DMA and GDPR Interplay (edpb.europa.eu)
- CNIL -- Google Fined 325 Million Euros for Cookie and Advertising Consent Violations (September 2025) (cnil.fr)
- CNIL -- SHEIN Fined 150 Million Euros for Placing Cookies Without Consent (September 2025) (cnil.fr)
- European Commission -- Digital Omnibus Package (November 2025) (digital-strategy.ec.europa.eu)
- Your Europe -- Online Privacy for Businesses (europa.eu)