Consent Form Patterns

Article 7 of the GDPR sets the conditions for valid consent. Where processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of their personal data. Consent must be freely given, specific, informed and unambiguous as defined in Article 4(11).

Relying on invalid consent exposes the controller to fines of up to EUR 20,000,000 or 4% of worldwide annual turnover for unlawful processing (Art. 83(5)(a)).

Consent Patterns by Context

Granular Service Consent

Collecting consent for multiple processing purposes as part of a service registration or account setup.

Requirements

Consent must be granular -- separate consent for each distinct purpose (Recital 43). The data subject must be able to consent to some purposes and refuse others. Consent cannot be bundled as a condition of service where processing is not necessary for that service (Art. 7(4)). Each consent request must clearly state the purpose, the data involved, and any third parties who will receive the data.

Example Elements

Separate checkboxes (unchecked by default) for: (1) processing for service delivery, (2) analytics and service improvement, (3) personalised recommendations, (4) sharing with named third parties. Each checkbox accompanied by a concise explanation of what the processing involves and a link to the full privacy notice.

Common Pitfalls

Pre-ticked boxes are not valid consent (Planet49, C-673/17). Bundled consent ('agree to all') with no option to select individually is not freely given. Consent tied to service access where processing is not necessary for the service violates Article 7(4). Vague purposes like 'improving your experience' are not sufficiently specific.

Cookie Consent

Obtaining consent for non-essential cookies and tracking technologies on websites and applications, as required by the ePrivacy Directive (2002/58/EC, Art. 5(3)) and the GDPR.

Requirements

Consent must be obtained before placing non-essential cookies (ePrivacy Directive Art. 5(3)). The consent mechanism must provide clear information about each category of cookies and their purposes. Users must be able to accept or refuse each category. Strictly necessary cookies (e.g., session management, load balancing) do not require consent. Consent must be as easy to withdraw as to give -- a 'reject all' option must be as accessible as 'accept all' (EDPB Guidelines 05/2020).

Example Elements

A cookie banner with: (1) 'Accept All' and 'Reject All' buttons of equal prominence, (2) a 'Manage Preferences' option opening a panel with toggle switches for each cookie category (necessary, functional, analytics, marketing), (3) a description of each category, (4) a list of specific cookies in each category with provider, purpose, and expiry. No cookies placed until affirmative action.

Common Pitfalls

Cookie walls that deny access to the site unless all cookies are accepted are generally not compliant (EDPB Guidelines 05/2020). Scrolling or continued browsing does not constitute consent. 'Reject All' hidden behind multiple clicks while 'Accept All' is prominent is not compliant. Not providing granular choices per cookie category is insufficient.

Marketing Consent

Obtaining consent for direct marketing communications via email, SMS, telephone, or postal mail.

Requirements

For electronic marketing (email, SMS), consent must comply with both the GDPR and the ePrivacy Directive (Art. 13). Consent must specify the channels, the type of content, and any third parties who will send marketing. Soft opt-in (existing customer, similar products, easy opt-out) may be available under some Member State implementations of the ePrivacy Directive, but does not override GDPR consent requirements where consent is the lawful basis. Records must demonstrate who consented, when, how, and what they were told (Art. 7(1)).

Example Elements

Separate checkboxes for: (1) email marketing from the controller, (2) SMS marketing, (3) marketing from named partner organisations. Each with a description of content type (e.g., 'product updates and promotional offers'). Unsubscribe link in every communication. Consent withdrawal processed within a reasonable timeframe (typically 48 hours).

Common Pitfalls

Single checkbox for all marketing channels does not provide channel-specific consent. Failing to include an easy unsubscribe mechanism in every message. Continuing to send marketing after consent withdrawal. Not maintaining records of consent that would satisfy a supervisory authority inquiry.

Research Consent

Obtaining consent for processing personal data for scientific research, clinical trials, or academic studies.

Requirements

Consent for research processing must be specific to the research purpose where possible (Recital 33). Where the specific purpose cannot be fully identified at the time of data collection, the data subject may consent to certain areas of research or parts of research projects, provided this is in keeping with recognised ethical standards. For clinical trials, additional requirements under Regulation (EU) No 536/2014 apply. For special category data in research, explicit consent under Article 9(2)(a) is required unless a Member State law provides an exemption (Art. 9(2)(j)).

Example Elements

Consent form containing: (1) plain-language description of the research purpose, (2) what data will be collected and how, (3) how long data will be retained, (4) whether data will be anonymised or pseudonymised, (5) who will have access, (6) the right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal, (7) contact details of the principal investigator and DPO, (8) whether results may be published and in what form. Signature or electronic equivalent.

Common Pitfalls

Overly broad consent that covers any future research without sufficient description of the area. Failing to address whether and when data will be anonymised. Not informing participants of the right to withdraw without detriment. Using consent as the basis when another lawful basis (e.g., public interest research under Art. 9(2)(j)) may be more appropriate and sustainable.

Valid vs Invalid Consent

| Criterion | Valid Consent | Invalid Consent |
|---|---|---|
| Affirmative action | Clear affirmative act: ticking an unchecked box, clicking 'I agree', signing a form, choosing technical settings, or making an oral statement | Pre-ticked boxes, silence, inactivity, scrolling a page, or merely continuing to use a service |
| Freely given | Genuine choice with no detriment for refusing. Service access not conditional on consent for non-essential processing | Consent bundled as condition of service (Art. 7(4)). 'Take it or leave it' with no alternative. Power imbalance (e.g., employer-employee) without genuine choice |
| Specific | Separate consent for each distinct purpose. Clear identification of the specific processing activity | Blanket consent for vague or multiple purposes. 'I agree to the processing of my data' without specifying what processing or for what purpose |
| Informed | Identity of controller, each purpose, type of data, right to withdraw, automated decision-making (if applicable), international transfer risks all communicated before consent | Information buried in lengthy terms and conditions. Material information omitted. Purpose described vaguely as 'service improvement' |
| Unambiguous | Clear statement or positive action that leaves no doubt about the data subject's intention | Ambiguous wording that could be interpreted as consent to different things. Double negatives. Complex language |
| Withdrawal | As easy to withdraw as to give (Art. 7(3)). Clear instructions on how to withdraw. Withdrawal processed promptly | Withdrawal requires calling a phone line during business hours while consent was given online with one click. No withdrawal mechanism provided |
| Documentation | Controller can demonstrate who consented, when, what they were told, and how they consented (Art. 7(1)) | No records of consent. Unable to show what information was provided at the time of consent |

Key Case Law

Planet49 (C-673/17, CJEU 2019): Pre-ticked checkboxes do not constitute valid consent. Active consent is required for cookies and tracking technologies.
Orange Romania (C-61/19, CJEU 2020): Consent is not freely given where the contract contains a pre-ticked box and the data subject must actively untick it to refuse. The burden of proof of valid consent rests with the controller.

Disclaimer

This page provides general information about GDPR consent requirements and does not constitute legal advice. Consult qualified legal counsel for guidance specific to your organisation.