To be compliant with General Data Protection Regulation (GDPR) requirements, user consent obtained on websites, apps, or other platforms needs to fulfill several criteria.
Site visitors, customers, app users, and others must also be clearly notified about the legal basis for data processing, what data is processed and for what purposes, who may have access to the data, and other criteria.
We outline the seven criteria required for GDPR-compliant consent and explain what they mean and how to meet them using a consent management solution.
Consent under the GDPR
Consent is a key element that ensures individuals have control over their personal data. The GDPR allows for six legal bases for data processing, of which consent is the first one listed.
According to Art. 4(11) GDPR, which provides important definitions, consent means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
This means that for consent to be valid, it must be given willingly, be for specific purposes, be clearly understood by the data subject, and leave no room for doubt about the individual’s explicit agreement.
The goal of consent choices under the GDPR is to empower individuals, enabling them to make informed choices about their personal data, who can access it, and how it can be used.
Organizations must provide clear and accessible information about data processing and users’ rights to enable transparency, meet regulatory requirements, and build trust.
Consent must be an active and deliberate choice, so no pre-ticked boxes or default settings are allowed. Consent also has to be as easy to revoke as it was to give, and it has an expiry date.
So obtaining consent from users once doesn’t mean you have it forever. Under the GDPR consent needs to be renewed every 12 months, but the period differs under other regulations, so be sure to check the ones relevant to your business.
These requirements are designed to protect user privacy and give users more control over their personal data.
7 criteria for GDPR-compliant consent
The GDPR outlines specific consent criteria that must be met to ensure that consent is both meaningful and legally compliant.
These guidelines are designed to ensure that individuals can both easily understand their privacy rights and manage their data, thereby supporting their right to data privacy. Let’s take a closer look at each of them.
1. Consent is given freely
Consent is voluntary if the person has genuine freedom of choice in their consent decision.
Barring a user from the website, e.g. with a privacy wall, or withholding features because the individual has not consented to the use of marketing technologies, is not compliant.
What does this mean for your cookie banner?
There must be clear, equally visible, and equally accessible “Accept” and “Reject” options. The “Reject” button, for example, can’t be smaller, hidden, or omitted altogether. The user must be able to refuse data processing and still access the ecommerce service, website, or app.
Users also need to be able to provide granular consent — for example, yes to analytics cookie use, no to marketing cookie use — rather than only “all or nothing” consent options.
Tips to ensure freely given consent
- Avoid pre-checked consent boxes: Always leave consent checkboxes unchecked by default. This ensures that the consent given is the result of an active choice by the user, rather than passive acceptance. Similarly, do not hide or omit any consent options to steer user choice toward your preferences.
- Minimize data collection: Only collect data that is necessary for your specific stated purpose(s). For example, do not require a marketing email opt-in as a condition of completing a purchase. This helps ensure that consent is freely given. If your purposes for data processing change, you need to get new consent for them.
- Use separate consent forms for different data processing activities: Provide distinct consent functions for different purposes, such as one for user registration and another for newsletter signup. By separating consent and presenting each request in a briefer, more contextually relevant way, individuals can better understand what they are consenting to.
2. Consent is informed
Consent is informed when the data subject — the person whose data you want to collect — is aware of all circumstances relating to data collection, processing, and storage, as well as their rights, and knowingly consents to them. They do not need to be forced to review everything in detail — e.g. all data processing services in use or the entire privacy policy — but they must have the option.
What does this mean for your cookie banner?
The following information should be easily accessible and presented in clear language to website visitors, likely via a link to the privacy policy from the cookie banner, as banners tend to be small and it’s a lot of information:
- What data is being collected? (E.g. email address, browsing information, IP address, cookie ID.)
- What is the legal basis for data processing? (E.g. consent.)
- Who may have access to or process the collected data?
- What is the purpose of collecting the data? (E.g. ecommerce transactions, analysis, or retargeting.)
- How long is the data stored?
- How is the data protected?
- In which country/region is the data collected, processed, and stored?
- Will the data be forwarded or accessible to third parties (including in other countries)?
- Where do I find the privacy policy of each tech provider involved in managing my data?
- What are data subjects’ rights and how can they be exercised?
Tips to ensure informed consent
- Use plain language: Avoid using legal jargon and technical terms.
- Clearly explain data usage: Be transparent about how you will use the data. Specify what data is being collected, under what legal basis, how it will be used, who it will be shared with, and how long it will be stored.
- Enable the right to withdraw consent: Inform individuals of their right to change or withdraw their consent at any time and how to do so. Ensure this is as straightforward as granting consent.
- Keep consent requests separate: Do not bundle consent with acceptance of terms of service, contracts, or other agreements. Provide distinct and clear consent options for different types of data processing.
- Regularly update consent practices: Review and update your consent practices regularly to ensure they comply with any changes to applicable regulations or to your data processing activities. Technologies and the legal landscape are always changing.
- Provide easy access to relevant policies: Make sure that your privacy policy is easy to access and understand from the point at which consent is being given. Link to more detailed documents where necessary. If you collect data via cookies on your website, ensure you have a clear and accessible cookie notice or policy as well.
3. Consent is explicit
Users must actively agree to share their data. Continuing to use the website, scrolling, or ignoring or closing the consent banner isn’t considered valid consent, particularly if tracking technologies are loaded immediately when the user arrives on the website.
What does this mean for your cookie banner?
Do not record affirmative user consent if the user has not made an explicit consent choice. Ensure that cookies and trackers are not activated until consent is received. Using a consent management platform that blocks all cookies in use until consent is received is also recommended.
Tips to ensure explicit consent
- Explain each data use separately: Break down consent requests by individual data use. This makes it clear to users exactly what they are consenting to and enables them to choose precisely which data processing activities they agree to.
- Avoid long paragraphs: Keep your explanations concise and to the point. Long paragraphs can be overwhelming and may cause important details to be missed or misunderstood by users.
- Use plain language: Simple and clear language ensures that all users, regardless of their expertise or background, can easily understand what they are consenting to.
- Make the consent options clear and prominent: Ensure that you can accurately record explicit user actions regarding their consent choices (and future changes), such as a click on the “Accept” button or granular selections of the data processing services in use.
4. Consent is granular
The consent must be tag, component, or cookie-specific. This means that the user must have the option of knowing and choosing, at a granular level, which third-party providers and tracking technologies they are granting, denying, or withdrawing their consent for.
What does this mean for your cookie banner?
General consent with a simple “I agree to cookies” statement, or only offering an “Accept all” button, does not fulfill the GDPR requirements for explicit and informed consent. To ensure your cookie banner meets these stringent standards, it must go beyond basic acceptance to give users real choice.
- The banner should provide users with detailed options to consent to different types of cookies separately, such as necessary, performance, advertising, and analytics cookies.
- Clear explanations of each type of cookie and its purpose must be easily accessible, either directly on the banner or via a link. This information should not be buried in terms and conditions documents or other locations.
- Consent information must be kept up to date. In addition to providing a straightforward mechanism on your website for users to change their cookie settings at any time, you also need to keep the information about the cookies and trackers you use up to date, and obtain new consent if they change.
Tips to ensure consent is granular
Here are some effective tips to ensure that consent is granular.
- Use high-quality templates to provide information: A high performance CMP will provide a database of legal templates with information about thousands of data processing services, so you can select the relevant ones and don’t need to try and write them all up yourself. Usercentrics CMP has a database of over 2,200 templates.
- Employ clear language: Use plain language that can be easily understood by everyone to ensure users understand their consent options and that they can consent to or reject all data processing, or select what they agree to. Ensure the specific data processing services descriptions and processing purposes are also clearly presented.
- Separate consent for different activities: Provide separate consent options for different types of data processing activities. This enables users to choose exactly what they consent to and what they do not. It is also possible to enable contextual consent, requesting it in specific instances for specific uses, e.g. before playing a YouTube video or accessing a Google map. This makes the purpose of data collection even clearer.
5. Consent is given in advance
No personal data is to be collected before the user opts in. Without prior consent, data will be processed without a valid legal basis, which constitutes a violation according to Art. 83, par. 5 lit. a) GDPR.
If the user does not give consent, or revokes it, ensure that no data is collected or passed on from that point onward.
What does this mean for your cookie banner?
Use a consent management solution that enables the detection and blocking of all cookies and other trackers until consent has been obtained from users.
If you use Google services, using the latest version of Consent Mode (v2) enables you to obtain valid consent and signal it to Google services to ensure none of those tags fire without consent, either. Usercentrics CMP is Google-certified and comes with the latest version of Consent Mode integrated.
Here are some practical tips to help you secure consent before data collection begins.
- Implement a CMP: Use a CMP like Usercentrics to streamline the consent management process. This platform helps automate the collection and secure storage of consent, helping to ensure that it’s obtained in a compliant manner before any data processing occurs.
- Customize the CMP’s user interface: Select the visual appearance, text, buttons, logos, etc. to match your corporate branding to make the consent banner appear to be part of your website and workflow and draw user attention credibly when users arrive on your site, rather than looking like a third-party popup.
- Customize the CMP’s information: Set up your CMP to include information about all the data processing services you use, or use a consent management solution that automatically scans for, detects, and categorizes these services for you, as Usercentrics CMP does. This makes it faster and easier to provide accurate consent information in the consent banner to enable compliant consent management.
- Enable easy opt in/opt out: Design your consent interface to allow users to easily and quickly choose their consent preferences. Good user experience means that individuals can readily understand what’s being asked and make an informed choice so they can get on with using the website. People are more inclined to share their data if they understand why it’s being requested, how it can benefit them, and the process is not annoying.
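As an added illustration (not Usercentrics code and not code from this page), a minimal “deny until chosen” gate in JavaScript: the `gtag('consent', …)` calls and signal names are Consent Mode v2’s public API, while the service catalogue, the category names and the mapping of categories to signals are constructed for the demo.

```javascript
// Added example, not Usercentrics code: a minimal "deny until chosen" consent
// gate. gtag('consent', 'default'|'update', ...) and the signal names are
// Consent Mode v2's public API; the catalogue and categories are constructed.

// Consent Mode pattern: gtag() only queues commands on the dataLayer, so the
// tag library sees the default before any update.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// Constructed catalogue: which banner category each service belongs to and
// which Consent Mode signals it needs before it may run.
const SERVICES = [
  { name: 'Google Analytics 4', category: 'analytics', signals: ['analytics_storage'] },
  { name: 'Google Ads', category: 'marketing',
    signals: ['ad_storage', 'ad_user_data', 'ad_personalization'] },
  { name: 'Session cookie', category: 'essential', signals: [] },
];

// Criterion 5 (consent in advance): every non-essential signal starts denied.
// wait_for_update gives the banner up to 500 ms to deliver a stored choice.
function consentDefaults() {
  gtag('consent', 'default', {
    ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied',
    analytics_storage: 'denied', wait_for_update: 500,
  });
}

// Criterion 4 (granular): `choice` maps category -> true/false; anything not
// explicitly true is treated as refused (no pre-ticked defaults). Signals the
// new state to Google tags and returns the services the page may now load.
// Calling it again with everything false is the withdrawal path (criterion 7).
function applyChoice(choice) {
  const update = {};
  for (const svc of SERVICES) {
    for (const sig of svc.signals) {
      update[sig] = choice[svc.category] === true ? 'granted' : 'denied';
    }
  }
  gtag('consent', 'update', update);
  return SERVICES
    .filter(svc => svc.category === 'essential' || choice[svc.category] === true)
    .map(svc => svc.name);
}

// Effective state as a Google tag would compute it: replay the queued
// consent commands in order (later updates override earlier ones).
function effectiveConsent() {
  const state = {};
  for (const [cmd, , params] of dataLayer) {
    if (cmd !== 'consent') continue;
    for (const [key, value] of Object.entries(params)) {
      if (key !== 'wait_for_update') state[key] = value;
    }
  }
  return state;
}
```

In a real page, `consentDefaults()` runs before the tag library loads and the names returned by `applyChoice()` drive which scripts are injected; until then nothing non-essential is loaded.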
6. Consent is documented
According to Art. 7 par. 1 GDPR all consents must be documented: “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
Website operators are subject to the burden of proof, and, in the event of a complaint or audit by a data protection authority, must be able to provide the complete consent history.
Additionally, data privacy laws usually provide users with the right to access their personal information, so you need to be able to provide their consent history as well for a data subject request.
What does this mean for your cookie banner?
You need to record and securely store relevant information about the user and their consent choices. A CMP records and securely stores all necessary consent information automatically.
Usercentrics CMP stores the information for 12 months, per GDPR requirements. If your company needs to comply with multiple data privacy regulations, you may need to record and store different consent data per other laws’ requirements as well.
Tips for documenting consent
The following tips will ensure that your documentation meets legal requirements for GDPR compliance.
- Record who consented: Document the identity of the individual who gave consent. This provides clarity on who has agreed to the data processing. Commonly this is done by assigning a unique identifier (which is considered personal data under some regulations).
- Detail what they consented to: Clearly record what specific actions or processing the individual consented to. This should include detailed descriptions of the exact data processing activities covered by the consent. If the user changes their consent preferences, these updates also need to be recorded.
- Timestamps: Include the date and time when the consent was given. Timestamps are crucial for verifying when consent was obtained and can be vital in disputes or audits, especially where there is a complaint that tracking was initiated before consent was given (or when it was not given).
- Consent method: Note the method through which consent was obtained, whether through a consent banner button or link, form checkbox, etc.
- Version control: If the terms of consent change over time, keep a comprehensive record of which version of the data processing terms the individual consented to.
- Withdrawal records: Keep a log of when and how consent is withdrawn and when data processing ceases. Under the GDPR, data processing must cease as soon as consent is withdrawn.
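To show how the fields above fit together, here is an added example (not Usercentrics code and not from this page) of an append-only consent ledger in JavaScript that can answer the two questions an audit or data subject request raises: what did this person agree to and when, and was a given purpose permitted at a given moment. The field names, the purposes and the 12-month renewal window (taken from the page’s statement above) are assumptions for the demo.

```javascript
// Added example, not Usercentrics code: an append-only consent ledger.
// Field names and the 12-month window are constructed for this demo.
const MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000; // renewal window the page mentions

function createLedger() {
  const entries = []; // never edited in place: a withdrawal is a new entry

  // Most recent entry for a subject at or before time `t` (ISO timestamp).
  const latestBefore = (subjectId, t) =>
    entries
      .filter(e => e.subjectId === subjectId && Date.parse(e.at) <= Date.parse(t))
      .sort((a, b) => Date.parse(b.at) - Date.parse(a.at))[0] || null;

  return {
    // Who, what, when, how and under which policy version (criterion 6).
    record({ subjectId, choices, method, policyVersion, at }) {
      if (!subjectId || !method || !policyVersion || Number.isNaN(Date.parse(at))) {
        throw new Error('incomplete consent record');
      }
      entries.push({ event: 'given', subjectId, choices: { ...choices },
                     method, policyVersion, at });
    },
    // Withdrawal in whole (no purposes given) or in part (criterion 7).
    withdraw({ subjectId, purposes, method, at }) {
      const prev = latestBefore(subjectId, at);
      const choices = { ...(prev ? prev.choices : {}) };
      for (const p of purposes || Object.keys(choices)) choices[p] = false;
      entries.push({ event: 'withdrawn', subjectId, choices, method,
                     policyVersion: prev ? prev.policyVersion : null, at });
    },
    // Audit question: was this purpose permitted at time `at`?
    // No record at all, or a record that post-dates `at`, means "no".
    permitted(subjectId, purpose, at) {
      const e = latestBefore(subjectId, at);
      return !!(e && e.choices[purpose] === true);
    },
    // Data subject request: the full consent history for one person.
    history(subjectId) {
      return entries.filter(e => e.subjectId === subjectId).map(e => ({ ...e }));
    },
    // Consent is stale if absent, given under an older policy version,
    // or older than the renewal window.
    needsRenewal(subjectId, now, currentVersion) {
      const e = latestBefore(subjectId, now);
      return !e || e.policyVersion !== currentVersion ||
             Date.parse(now) - Date.parse(e.at) > MAX_AGE_MS;
    },
  };
}
```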
7. Consent can be easily withdrawn
The user has the right to revoke their consent in whole or in part at any time and without justification. The process of revoking must be as simple as the granting of consent. Much like how you can’t prevent users from denying consent, you can’t prevent them from revoking it.
What does this mean for your cookie banner?
The mechanism to change or revoke consent, e.g. by reopening the consent banner, must be easily accessible from the website or app. Users can’t be required to scroll through the privacy policy or other document to find out what mechanism is needed to opt out.
It’s not technically sufficient to include a click-out in the data privacy statement that links to an opt-out form on a third-party website. If a user revokes their consent, you need to prevent their data from being passed to third parties.
Tips for easily withdrawn consent
Here are some actionable tips to make the process straightforward and user-friendly.
- Equal ease of withdrawal and giving consent: However consent is obtained, e.g. with a simple toggle and button click, enable it to be withdrawn in the same manner.
- Accessible withdrawal options: Clearly display options for withdrawing consent. Ensure these options are easy to find, such as having a dedicated “Privacy” or “Consent” section in user settings, and a button or link on the website to reactivate the consent banner to make changes.
- Prompt confirmation: After a user decides to withdraw consent, confirm the action promptly. This reassures users that their choice has been respected and processed immediately.
Obtain GDPR-compliant consent with Usercentrics
Keeping up with the data privacy laws and business requirements relevant to your company is essential — not just for ticking regulatory boxes, but for protecting your revenue and building real trust with your users.
Understanding the criteria for valid consent under GDPR, ensuring clarity when obtaining consent, controlling cookie or tracker use until consent is obtained, and making it easy for users to withdraw their consent are all crucial steps toward GDPR compliance.
Usercentrics simplifies the process, making it easy and automated to manage consent in a way that’s both user-friendly and in line with GDPR requirements.