Article by Tsaaro



What is consent and types of consent?

If a company wants to collect or process the personal data of any individual, there are certain conditions under which such an activity is considered lawful. GDPR provides six legal bases for the processing of personal data: contract, legal obligations, vital interests of the data subject, public interest, legitimate interest, and consent of the data subject.

Consent is a complicated part of the GDPR, as its scope and nature make it hard to ensure in practice that consent is valid. While GDPR gives users control over their private data through their rights, consent goes one step further and gives them a stronger hold.

Consent can be implied or expressed. Implied consent essentially means that there is probable reason to believe that the data subject will provide their consent when asked for it. E.g., a business would assume that a regular customer has consented to receive emails from them. Expressed consent refers to a genuine choice made by the data subject after understanding the process and its implications and consequences. While various privacy laws recognise both types of consent, GDPR only considers expressed consent. Explicit for sensitive personal data

Essential conditions regarding consent?

GDPR does not recognise implied consent as valid.

Article 7 of the GDPR defines consent as “any freely given, specific, informed and unambiguous […] clear affirmative action”.

Hence, as per GDPR, there are five elements of consent, namely:

  1. Freely given: Consent needs to be provided voluntarily, without any pressure and without repercussions for refusal. This implies a genuine choice by the data subject.
  2. Specific: Consent should be defined in clear terms regarding the purpose of processing.
  3. Informed: The end-user should be provided with complete information regarding the processing activities they are consenting to. The data subject must be informed about the controller’s identity, the type of data collected and processed, the purpose of processing, their right to withdraw consent, possible risks and consequences, etc.
  4. Unambiguous: The question asked must be in clear and straightforward language and in a concise form. Consent cannot be implied.
  5. Clear affirmative action: Providing consent is an act. It needs to be given in the form of a clear statement.

Consent for children

Children’s consent is a particular case, as there is an additional consent/authorisation requirement from parents or guardians for children under the age of 16. However, if a service is not explicitly offered to children, it is exempted from this rule. This does not apply to services provided to both children and adults.

Consent Management

When we talk about consent, we also need to talk about consent management. Consent has a lifecycle: it starts with the collection of data and continues throughout the entire duration of the data collection, while also providing an option to withdraw said consent. A controller should maintain and implement a comprehensive consent management system that covers the entire consent lifecycle in compliance with GDPR.

Things to keep in mind

It is essential to implement the five critical elements in consent every time you ask for consent from data subjects.

  • Do not use pre-ticked boxes as they are not considered valid expressed consent.
  • Provide complete information regarding the use of collected data in your privacy policy.
  • Consider including a “double opt-in.”
  • Include an unsubscribe option to withdraw consent easily.
  • Do not try to trick data subjects into consenting, and do not withdraw services in case they choose not to consent.
  • Consent should not be hidden in the privacy policy or terms and conditions; it should be collected in a way distinguishable from other matters.
  • The controller’s identity and purposes of processing shall be informed to the end-user in plain and straightforward language.
  • Silence or inactivity shall not be construed as consent.


While consent is one of the best-known and understood legal grounds for data collection, it is not always the best and most appropriate option.

Data privacy professionals advise controllers to avoid depending on consent as a sole legal basis for processing personal data. Consent can be withdrawn, and end-users can also request to have all their data removed. Further, consent is only one of the six legal grounds that GDPR provides for.

Knowing when to ask for consent is the key. For example, when you’re processing data that would have minimal impact on individuals but provide benefits to your business and others, you can use legitimate interests as a legal basis; but when you are tracking cookies or sharing personal data with other companies for commercial purposes, asking for consent is the right way to go.

