Consent — under GDPR Article 7 and Recital 32, consent must be:
- Freely given — no penalty for declining.
- Specific — to a defined purpose, not "we may use your data for various things."
- Informed — the user knows what they're agreeing to.
- Unambiguous — clear affirmative action, not silence or pre-checked boxes.
Practical implications for cookie banners:
- "By using this site you agree" — invalid (not affirmative action).
- Pre-checked toggles for analytics/marketing — invalid (not unambiguous).
- A single "Accept" button with no "Reject" — invalid in most EU jurisdictions (Reject must be as easy as Accept).
- Continuing to browse → consent — invalid (not specific or affirmative).
Consent must also be withdrawable as easily as it was given. Hide the "withdraw consent" button five clicks deep and you've broken Article 7(3).
See also: GDPR, Lawful basis.