Consent is one of the legal bases for processing personal data under Article 6 GDPR. Deciding which lawful ground is appropriate for the envisaged processing activity is the controller's responsibility.
Having said that, and contrary to general perception, consent should not be seen as the best or only legal ground on which to legitimise a processing operation. Certainly, where valid consent is difficult to obtain, there are other lawful grounds that could be considered and used.
The basic requirements for the effectiveness of a valid legal consent are defined in Article 7 GDPR and specified further in recital 32 thereof. In a nutshell, the controller must be able to demonstrate that the data subject has consented according to certain basic requirements and ensure that consent is freely given, specific, informed and unambiguous.
Freely given consent
In order to obtain freely given consent, it must be given on a voluntary basis and provide a real choice to the data subject. In those cases where there is no real choice and the data subject feels compelled to consent or otherwise endure negative consequences, consent will not be considered valid under the GDPR.
Example: there is a natural imbalance of power in the employment context, which is why the EDPB deems it problematic for employers to process personal data of current or future employees on the basis of consent, as it is unlikely to be freely given, or given without negative consequences.
Furthermore, controllers must avoid “bundling” consent with acceptance of terms or conditions, or “tying” the provision of a contract or a service to a request for consent, where the processing is not needed for the performance of a contract or a service.
For consent to be specific, the data subject must at least be notified about relevant information on the processing purpose as a safeguard against ‘function creep’. The data subject must also be informed about his or her right to withdraw consent at any time. The withdrawal must be as easy as giving consent.
Furthermore, there must be granularity in consent requests, particularly in those cases where the controller pursues various purposes of processing. Separate opt-in and information for each purpose must be provided to allow users to give their specific consent for such purposes.
Providing information to data subjects prior to obtaining their consent is not only essential for complying with the transparency principle, but also enables individuals to make informed decisions, understand what they are agreeing to, and exercise their rights.
Even though the GDPR does not prescribe the form or shape in which information must be provided, controllers must ensure that they use clear and plain language in all cases, avoiding long policies full of legal text. Moreover, layered and granular information is the appropriate approach to take in order to fulfil this requirement. You may access the transparency guidelines adopted by the EDPB.
Finally, consent must also be unambiguous, which means that it requires either a statement or a clear affirmative act. Although there is no form requirement on how to obtain consent, written consent is the recommended approach to demonstrate compliance with the GDPR in line with the accountability principle. Indeed, pre-ticked boxes, silence or inactivity do not constitute valid consent.
The EDPB has endorsed guidelines that were adopted by the Article 29 Working Party specifically on consent, which you may access to gain further insight and information, in order to ensure that, when relying on the lawful ground of consent, all the requirements set out by the GDPR are met.