Chapter 14: The GDPR and International Privacy Issues
Consent Under the GDPR
GDPR consent must be freely given, specific, informed, and an unambiguous indication of the data subject's wishes, expressed by statement or clear affirmative action. The business must be able to demonstrate consent was obtained.
Consent is foundational and more detailed than U.S. practitioners may expect: it must be freely given, specific, informed, and an unambiguous indication of the data subject's wishes, by statement or clear affirmative action.
For consent to be informed, the business must provide:
- The controller's identity
- The purpose of processing for which consent is sought
- The types of data collected
- Information about the right to withdraw consent
- Information about automated processing
- Risks of transfers outside the EU
Burden of proof
Businesses are responsible for being able to demonstrate that consent was obtained and that the data subject had sufficient information to make it informed. Silence, pre-ticked boxes, or inactivity do not meet the clear affirmative action standard.
Key terms - quick answers
What is “Consent”?
A freely given, specific, informed, and unambiguous indication of the data subject's wishes, given by statement or clear affirmative action.
What is “Explicit consent”?
A heightened form of consent required to process sensitive personal data unless an exception applies.