
User Consent in GDPR and CCPA

Updated: Mar 16


Consent is a crucial part of any data privacy legislation, and it came into prominence with the arrival of the GDPR.

The GDPR sets out the following conditions for valid consent:

  • Consent needs to be freely given.

  • Consent needs to be specific, per purpose.

  • Consent needs to be informed.

  • Consent needs to be an unambiguous indication.

  • Consent is an act: it needs to be given by a statement or by a clear act.

  • Consent needs to be distinguishable from other matters.

  • The request for consent needs to be in clear and plain language, intelligible and easily accessible.

The CCPA doesn’t require active, advance consent. You can collect and use the data right away without any confirmation from the person. However, they do have the right to demand that you stop using the data in certain ways, and you must comply with that demand.

General Data Protection Regulation (GDPR)

The GDPR is the EU’s new legal framework for privacy and personal data protection. It catches up with digital reality, adapts to a global data world, creates a common framework for all organizations and essentially puts control over personal data back in the hands of people.

GDPR Article 7 sums up the essential conditions for consent to be valid (the list given above).


Freely Given Consent

The element of detriment first needs to be seen in the context of GDPR Recital 42. That recital not only mentions the duty of the controller to be able to demonstrate that consent has been given (one of the additional duties that apply if consent is the chosen legal basis for data processing) but, among other things, also states at the end that “consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment”.

In other words: as stipulated in the first paragraph of GDPR Article 7 on the conditions for consent, it is up to the controller to demonstrate that the data subject has consented AND, on top of that, consent that cannot be refused or withdrawn is not freely given consent.

The WP29 guidelines also mention deception, intimidation, coercion or significant negative consequences as examples of detriment.

Valid consent

On top of being legitimate, the purpose of processing needs to be specific. This certainly touches upon elements we mentioned in the scope of freely given consent. Just think about the notion of granularity: if the processing purpose is not specific enough, the data subject may end up consenting to purposes he or she would not have consented to had the purpose(s) been specific.

GDPR Article 6 on the lawfulness of processing personal data emphasizes that, where consent is the chosen lawful basis, processing is lawful only if the consent relates to one or more specific purposes.

This also means that, when various data processing operations serve the exact same purpose, consent may be given for all of those operations, as the WP29 emphasizes. The WP29 refers to Article 5, which states that personal data have to be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes, and to GDPR Recital 32, which is even clearer about this: “Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them”.

There are two exceptions with regard to purpose limitation: 1) where processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent (GDPR Article 6, paragraph 4), which doesn’t matter in the context of this article as we’re covering consent, and 2) personal data processing for archiving, scientific, historical or statistical purposes (GDPR Article 89). We cover these separately in our article on the principles regarding the processing of personal data.

Informed Consent

If consent needs to be freely given, relate to a specific purpose and be in line with all the other elements of consent, then it’s relatively easy to see that the data subject must be informed in a clear and transparent way before consenting to anything at all.

GDPR Recital 42 points to the requirement for the data controller to demonstrate that the data subject has given consent. Moreover, safeguards must ensure that the data subject is clearly aware of the fact that consent is given and to what extent it is given. This is mentioned in particular in the ‘context of a written declaration on another matter’, as is also stated in GDPR Article 7.

Moreover, the fact that the declaration of consent should be pre-formulated by the data controller in an intelligible and easily accessible form, using clear and plain language (and that it should not contain unfair terms), is recognized as a controller duty. That duty comes with specific information requirements that, at the very least, must be present and communicated.

This information must be provided when the personal data are obtained and should, among other things, at least mention:

  • Identity and contact details of the controller or the controller’s representative.

  • When applicable, contact details of the DPO (Data Protection Officer).

  • Legal basis for processing AND the PURPOSES of processing.

  • Recipients or types of recipients of the personal data.

  • Duration of storage of personal data or how that duration is determined.

  • Notification regarding the right to access, rectification, erasure, restriction of processing, objection to processing and data portability.

  • IF consent is the legal ground: the fact that there is a right to withdraw it at any time, including the fact that withdrawal of consent doesn’t affect the lawfulness of processing carried out before the withdrawal.

  • The right to lodge a complaint.

  • And more, as set out in GDPR Article 13.

California Consumer Privacy Act (CCPA)

The CCPA is a state consumer privacy law which is broadly similar to the GDPR but has many operational differences from it.