11.3 Consent Management

Module 11: Privacy for Organizations & Developers

Examines what valid consent looks like under GDPR Art. 7, what invalidates it, and how Consent Management Platforms and the IAB TCF operate — with a practical checklist for organisations.


Consent is one of the most misused concepts in data protection practice. Organisations invoke it constantly, but a surprising proportion of what is called 'consent' does not actually meet the legal standard. Understanding what valid consent looks like — and what invalidates it — is critical for both practitioners building systems and individuals evaluating the choices they are presented with.

Valid consent under GDPR Art. 7

GDPR Article 7, read alongside Recitals 32, 33, and 42, establishes that valid consent must be:

  • Freely given — The person must have a genuine choice. If refusing consent means being denied access to a service they need (or have already paid for), the consent is not free.
  • Specific — Consent must be given for a defined, particular purpose. A blanket agreement to "use your data for our purposes" is not specific.
  • Informed — The person must understand what they are consenting to: who is collecting the data, what it will be used for, and whether it will be shared.
  • Unambiguous — Consent requires a clear affirmative act — ticking a box, clicking a button. Silence, pre-ticked boxes, or inaction cannot constitute consent.
  • Withdrawable — Withdrawing consent must be as easy as giving it. If accepting is one click and withdrawing requires navigating through five settings menus, the withdrawal mechanism is not compliant.

What invalidates consent

Several common practices fail the validity test:

Bundled consent — Requiring agreement to multiple distinct purposes in a single action ("accept our terms, privacy policy, and marketing communications") makes it impossible to consent to one thing without consenting to others.

Pre-ticked boxes — CJEU Case C-673/17 (Planet49, 2019) confirmed that pre-ticked checkboxes do not constitute valid consent under GDPR. Consent must be an active choice.

Forced or pay-or-consent models — Conditioning service access on consent to processing unrelated to the service has been ruled invalid by multiple DPAs. The Austrian, French, and Belgian DPAs have each found Facebook's consent wall to be unlawful.

Vague purposes — "To improve your experience" or "for our legitimate business interests" are not specific enough to satisfy the informed and specific requirements.

Consent Management Platforms (CMPs)

CMPs are software systems that present consent choices to users (typically via cookie banners), record consent decisions, and enforce those decisions across the organisation's technology stack. GDPR requires organisations to be able to demonstrate consent was validly obtained — CMPs provide the audit trail.

The IAB Transparency and Consent Framework (TCF) is an industry standard that standardises how CMPs capture and signal consent to advertising technology vendors. It has faced significant legal challenge: the Belgian DPA found in February 2022 that the TCF as implemented violated GDPR on multiple grounds, including failure to obtain valid consent and inadequate security. The case triggered proceedings across multiple EU jurisdictions. The IAB Europe appealed, and enforcement continues to evolve as of 2024.

A practical checklist for organisations

  • Record every consent decision: who, when, what was shown, what was chosen.
  • Make withdrawal straightforward — as simple as giving consent.
  • Refresh consent when purposes change or consent is older than a reasonable period.
  • Review your CMP configuration: if you are using a framework like IAB TCF, monitor its compliance status.
  • Never pre-tick boxes or design flows that nudge users toward broader consent.
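As an added example (not part of the course material or of any real CMP), a minimal append-only consent ledger in Python that enforces the checklist above at the data layer: one record per purpose so nothing is bundled, refusal as the default so nothing is pre-ticked, who/when/what was shown/what was chosen on every row, single-call withdrawal, and expiry when the purpose wording changes or the record is older than a refresh period. The one-year `REFRESH_PERIOD`, the purpose version numbers and the `ConsentLedger` API are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: the organisation's policy treats consent older than a year as stale.
REFRESH_PERIOD = timedelta(days=365)

@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str        # who
    purpose: str           # one specific purpose per record, e.g. "analytics"
    purpose_version: int   # bumped whenever the purpose wording changes
    notice_shown: str      # what the user was actually shown
    granted: bool          # what was chosen (False also records a withdrawal)
    recorded_at: datetime  # when

class ConsentLedger:
    """Append-only audit trail: nothing is edited, every decision is a new row."""
    def __init__(self):
        self._records = []

    def record_banner(self, subject_id, notice_shown, offered, ticked, versions, now):
        # One record per offered purpose, so nothing is bundled. Only purposes the user
        # explicitly ticked are granted; the rest default to refused (no pre-ticking).
        for purpose in offered:
            self._records.append(ConsentRecord(subject_id, purpose, versions[purpose],
                                               notice_shown, purpose in ticked, now))

    def withdraw(self, subject_id, purpose, now):
        # Withdrawal is a single call, as easy as the grant was.
        last = self.latest(subject_id, purpose)
        version = last.purpose_version if last else 0
        self._records.append(ConsentRecord(subject_id, purpose, version,
                                           "withdrawal request", False, now))

    def latest(self, subject_id, purpose):
        for r in reversed(self._records):
            if r.subject_id == subject_id and r.purpose == purpose:
                return r
        return None

    def is_valid(self, subject_id, purpose, current_version, now):
        r = self.latest(subject_id, purpose)
        if r is None or not r.granted:
            return False  # never asked, refused, or withdrawn
        if r.purpose_version != current_version:
            return False  # purpose changed since consent was given: re-ask
        return now - r.recorded_at <= REFRESH_PERIOD  # stale consent: re-ask

    def audit_trail(self, subject_id):
        return [r for r in self._records if r.subject_id == subject_id]
```

Before processing for a purpose, call `is_valid` with that purpose's current version; a `False` means the banner must be shown again rather than the old record reused.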

Your takeaway

Consent is a high bar that most organisations are not fully clearing. If your organisation relies heavily on consent as a legal basis, audit your consent mechanisms against the checklist above — and consider whether a different lawful basis (contract, legitimate interest, legal obligation) might be more appropriate and more reliably documented.
