What are the different types of consent?

Consent is a critical requirement for data privacy compliance in many laws around the world. But like the laws themselves, ideas about consent, its applications, and the type required for different scenarios is evolving. We look at consent types, when they are used, and benefits and risks.
Resources / Blog / What are the different types of consent?
Published by Usercentrics
9 mins to read
Aug 14, 2024
Start scan

If you operate an online business, whether via a website, mobile app, or both, your business needs a clear understanding of user consent for their data. As privacy protection laws become increasingly strict, failure to gain proper consent from visitors, customers, and users can lead to both hefty fines and brand distrust.

But there are many different types of consent, all with specific requirements levied by regulatory bodies. Understanding what consent you need and when and how you need to request it can help you build brand loyalty, make better decisions for your business, comply with regulations, and avoid penalties for noncompliance.

While there are two main consent models used in privacy regulations around the world, the conditions for valid consent under different data processing circumstances vary more widely. We break down what they are, where they’re relevant, and how to comply with them.

Opt-in vs. opt-out consent

Digital marketers need to obtain valid opt-in consent from users, for functions like subscribing to a newsletter or using their data to personalize ads shown to them. Similarly, users need the option to opt out of data-driven activities, such as unsubscribing from a newsletter or withdrawing from data collection for advertising or analytics.

Along with marketing functions, opt-in and opt-out consent also applies to cookie banners. A consent banner employed for CCPA/CPRA-compliant consent would include an opt-out option, and requires the phrase “Do Not Sell Or Share My Personal Information”. Users can click that link at any time, but companies don’t need to get consent before they start collecting users’ data in most cases. If the user has not explicitly opted out, consent is implied.

A cookie banner that follows an opt-in model would require users to manually click an “Accept” button or similar explicit action to agree to the data collection practices and purposes communicated. This style of banner is mandatory under GDPR law for consent to be valid.

In most cases it is not compliant to prevent users from accessing sites or their features if they decline consent, e.g. with a consent wall that can’t be bypassed, or for them to have a lesser user experience if they don’t consent. Here are tips for creating cookie banners that meet legal requirements.

Informed consent

Informed consent was once predominantly applied in sectors like research, healthcare, and media studies. But it’s becoming increasingly applicable in online data protection and relevant to marketers, especially since the introduction of the General Data Protection Regulation (GDPR) in the European Union.

Informed consent requires users to be informed of the details of digital data collection. Regardless of the consent model, all data privacy laws require that data subjects are provided with information about data collection and use and their rights.

  • What data is collected, e.g. name, email address, browsing history, location data, etc.
  • How the data is used: the purpose(s) for collecting the data should be specific and transparent, e.g., for personalization, targeted advertising, analytics, etc.
  • Potential risks and benefits: users should be aware of potential risks, like data breaches or regulated activities, like targeted marketing, and benefits they might receive from consenting, e.g. more personalized communications and offers
  • Control over data: users should be able to clearly understand how they can control their information, such as opting out of some or all data collection, accessing their data, or requesting its correction or deletion.

Informed consent is especially relevant for businesses that are required to comply with the GDPR. Organizations that fail to obtain proper informed consent in the EU can be heavily fined.

Since then, Google has introduced solutions for data privacy protection with tools like Google Consent Mode and updates to its EU user consent policy.

Explicit consent

Explicit consent is clear and unambiguous on the part of the data subject. With informed consent, the individual knows what their data will be used for and what their rights are. With explicit consent, the user must perform a clear, dedicated action to express their acceptance with the request for access to their data.

Examples of this include:

  • Opt-in mechanisms, such as ticking a box or clicking a button that says “I Agree” in a cookie banner.
  • Detailed permission requests, such as subscribing to marketing emails (especially with double opt-in) or allowing tracking for a map app.

By using explicit consent, not only are you meeting regulatory requirements, but you’re demonstrating respect for data privacy and building stronger trust with your users.

Granular consent

Granular consent involves requesting separate consent for different data processing purposes.

For example, rather than a cookie banner that only gives users the option to “Accept All” for cookies and other trackers in use, website hosts need to offer specific cookie consent options to comply with GDPR, like enabling visitors to say yes to analytics cookies but no to advertising ones, for example.

Users should be presented with clear and user-friendly options to accept or reject data processing, such as banners that allow users to opt-in or opt-out of specific cookies individually, like in the image below.

Implied consent

Unlike explicit consent, implied consent involves assuming consent based on a person’s actions or inactions. An example of this might be a user continuing to browse a website after a cookie banner pops up, and ignoring it. These are sometimes referred to as “browsewrap agreements”.

With a marked shift towards privacy-led marketing and regulatory authorities increasingly prohibiting assuming consent from a user not performing an explicit action, it’s recommended to err on the side of caution against implied consent.

Instead, follow informed and explicit consent best practices, following privacy-led and consent-based marketing principles.

General consent

Unlike granular consent, general consent offers limited control over what data users can agree to or reject.

An example of this could be a general online service agreement where users consent to the Terms of Service, without providing necessary details about the privacy policy and how data is being collected, stored, and processed.

General consent was once fairly commonplace, but it’s becoming increasingly discouraged in favor of granular consent. Consent “bundling” is also not allowed under a number of data privacy laws. Best practices involve separating out different kinds of required information, like in the Terms of Service and privacy policy, as well as having a cookie notice and consent banner for informed and explicit consent management.

Conditional consent

This typically follows a ‘this for that’ approach. Conditional consent can look like companies offering something in exchange for a user’s data. For example, a user accessing a whitepaper or webinar under the condition that the company can send them marketing messages. Or a discount code in exchange for a newsletter signup.

For businesses in the European Union, conditional consent can become convoluted as consent must be “freely given” under the GDPR. This blurs the lines with marketing strategies like gated content. It has generally not been frowned upon to make such offers, but what individuals are giving must be equivalent to what they’re getting, otherwise it looks like a bribe for consent, which is definitely frowned on by data protection authorities.

If you’re considering conditional consent-based marketing, using a consent management platform to follow proper protocol is recommended.

Ongoing and dynamic consent

Ongoing consent, otherwise known as dynamic consent, helps ensure that users have the opportunity to actively manage their data and adjust, update, or withdraw their consent at any point.

Unlike the traditional one-time model of consent, sometimes referred to as a “clickwrap agreement”, a dynamic consent approach is based on a few core factors.

  • Continual engagement with users about their preferences.
  • Transparency with clear messaging on what is happening with personal data, especially with process updates or changes.
  • Options for users to update their preferences, such as the frequency or channels by which they receive messages, as well as information about user rights.
  • Preference management tools to offer personalization and encourage zero-party data collection.

Offering dynamic/ongoing consent is a crucial way to build trust with users by improving user experience, and adhering to data privacy laws.

Withdrawable consent

Whether using an opt-in or opt-out consent model, pretty much all data privacy laws require users to be able to withdraw consent at any time, even if their data has been collected and used for some time. Ideally individuals should be able to easily change consent preferences at any time as well, if they don’t want to entirely revoke them. Once the user opts out, data collection and processing must stop as soon as possible, ideally immediately, including processing by third parties working for the main controller.

Here are specific features of withdrawable consent:

  • The right to withdraw consent at any point, even if they previously agreed to it, which also includes changing consent preferences under some laws
  • Accessible, clear, easy to use functionality for users to withdraw, such as opt-out buttons in settings — it’s not compliant to hide this functionality and privacy laws require that withdrawing or declining consent be as easy as giving it
  • Once withdrawn, the organization can no longer use the user’s data for its original purposes and collection of data must cease

The right to withdraw consent is, arguably, one of the most important aspects of data protection. Consider a consent management platform to help manage withdrawal functionality accordingly. Many data privacy laws require companies to maintain proof of consent, which includes user actions over time, like accepting, changing, or later withdrawing it.

Put all of the Usercentrics CMP’s premium features to work for your privacy-led marketing – free for 30 days!

Start free trial

Many of the world’s modern and comprehensive data privacy laws require opt-in consent, among other requirements. While all EU member states are covered by the GDPR, each country has additional consent requirements. The United States is the biggest market where opt-out consent is the norm, though in that country there is not yet a federal law managing privacy requirements, and in the US data privacy is handled state by state.

Consent requirements under the GDPR

When the GDPR came into effect it created a global standard for consent standards in privacy laws. But what, specifically, does the GDPR require around consent? Here are the key requirements.

Key requirements for consent

Follow our free checklist to achieve and maintain your GDPR compliance.

Get started

Consent requirements under the CCPA

The California Consumer Privacy Act (CCPA) and its expansion with the California Privacy Rights Act (CPRA), applies to for-profit organizations that conduct business in California and meet certain criteria.

The CCPA is generally less strict than the GDPR, especially with regards to consent requirements. Still, like the GDPR, failure to adhere to these criteria can result in serious penalties and damage to consumer trust and brand reputation. Here is a high-level checklist of its requirements.

Follow our free checklist to achieve and maintain your CCPA compliance.

Get started

Consent requirements under the LGPD

Another prominent data protection law is Brazil’s Lei Geral de Proteção de Dados (LGPD), which translates to General Data Protection Law in English. The LGPD was influenced heavily by the GDPR, and has actually expanded its coverage beyond the GDPR in some areas. Here are some of the core requirements for consent under the LGPD.

  • Opt-in and explicit
  • Free, informed, and unambiguous
  • Consent must be given in writing for a specified purpose (which includes electronic means)

Learn everything you need to know to achieve and maintain LGPD compliance in Brazil.

Learn more

Navigating different types of consent can be overwhelming, especially if you conduct business globally where customer expectations vary regionally and when technology and regulation frequently changes.

For example, business requirements are catching up to regulatory ones for consent. Due to Digital Markets Act (DMA) requirements on Google, for example, publishers and developers using Google AdSense, Ad Manager, or AdMob now require a Google-certified Consent Management Platform integrated with the latest version of Google Consent Mode if they want to retain access to all features of Google services, like personalization and retargeting, across the EU/EEA and UK. Google has also expanded their EU user consent policy to include Switzerland.

To ensure that you’re conducting business in these regions while complying with legal and business requirements, choose a Google-certified consent management platform (CMP) like Usercentrics CMP.

From obtaining compliant consent and better engaging customers to staying up to date with evolving regulations, a CMP like Usercentrics’ simplifies the process and helps to ensure you can both achieve and maintain privacy compliance while getting the data your company needs, and building trust and engagement with customers.

Boost the performance of your privacy-led marketing activities – try Usercentrics CMP free for 30 days!

Start free trial

Frequently asked questions

Does the GDPR require consent?

Yes, proper consent is necessary to comply with the GDPR if consent is your business’s chosen and required legal basis for data collection and processing for the personal data of EU residents. Consent must be explicit, informed, unambiguous, and freely given.

What’s the difference between informed and explicit consent?

Informed consent centers on the user clearly understanding:

  • what data is being requested
  • how data will be used, including who may have access to it
  • potential risks of processing
  • user rights and how to exercise them, including contact info for the company

Users being informed is a requirement for consent to be considered compliant under all international data privacy laws.

Explicit consent refers to the actual act of consenting, with users taking a specific action, such as clicking an “Accept” button. The user ignoring a consent banner or scrolling past is not an explicit consent-related action and under many laws cannot be construed as such.

To comply with the GDPR, consent must be both informed and explicit.

What is implied consent vs. informed consent?

Implied consent assumes that users are consenting to data collection based on their actions or inactions, such as continuing to browse a website without accepting or rejecting cookies. It is passive, though users may still have to have easy access to information about data collection and use.

Informed consent is more active and aims to ensure that users have a clear understanding of what, how, and why their data is being collected, and what their rights are regarding its use.

Implied consent is increasingly frowned upon by data protection authorities and prohibited under some data privacy laws.

Do consent requirements differ for mobile apps?

Not generally. Privacy laws tend to cover residents of a particular jurisdiction, and data processing for various purposes. If data can be collected from mobile apps and those purposes apply, which is usually the case, then consent requirements also apply. Here’s how to obtain proper consent for your mobile app.

In the past, regulatory compliance has been low in apps markets, but is improving after explicit crackdowns by data protection authorities in various regions.

How do you know if your website or app is compliant with the GDPR, CCPA, or LGPD?

Familiarize yourself with the requirements of relevant regulations for your business and know where your customers or users reside. Consult with qualified legal counsel and/or a privacy expert. Audit your data operations to stay up to date on how you use data and that you’re obtaining valid consent. Regularly check what cookies and other trackers are in use on your website, and stay up to date on new relevant privacy regulations and changes to existing laws.

What are the best consent management platforms to use?

There are many different CMPs out there. If you use Google services, it’s recommended to choose one that’s Google-certified, that supports the Transparency and Consent Framework, and that enables compliance with multiple data privacy regulations, especially with geotargeting functionality.

Here’s a comparison of different consent management platforms to help you make an informed decision.

Understanding and preventing sensitive data exposure
Sep 19, 2024
Sensitive data exposure is a growing concern in the digital age, where personal, business, and classified information can be vulnerable to unauthorized access. Understanding what sensitive data is and how to protect it is crucial for organizations to prevent costly breaches and maintain trust.
Golden Gate Bridge
Sep 19, 2024
In effect since January 1, 2020, the California Consumer Privacy Act (CCPA) was the first US state-level consumer privacy law. It established consumers’ rights, set obligations for businesses, and influenced subsequent privacy regulations in other states.
Utah Consumer Privacy Act
Sep 17, 2024
The UCPA provides rights to consumers and places responsibilities on businesses to protect consumer data and use it compliantly. We explore its key provisions and what they mean for both consumers and companies.