Specific, informed & unambiguous consent
Consent must be specific to the operation (purpose specification guards against function creep), informed (language the average person understands, not legal jargon), and unambiguous (a clear affirmative act - pre-ticked boxes and silence never count, confirmed in Planet49). Consent is not opt-out. Multiple controllers relying on the consent must all be named (processors need not be). Controllers must keep a record of consent. For children, Article 8 sets a default age of 16, which member states may lower to no less than 13.
- Specific: consent ties to the particular operation; if processing changes, new consent may be needed. Safeguards: purpose specification against function creep, granularity, and clear separation of consent information.
- Informed: minimum information includes the identity of the controller and the purpose of each operation, plus data types, the right to withdraw, automated decision-making and transfer risks.
- Unambiguous: a clear affirmative act.

Silence or pre-ticked boxes do not constitute consent (Recital 32), as confirmed by the ECJ in Planet49. That is opt-out, not consent - the subject merely declined to act. An actively ticked box is most likely valid consent.
| Point | Rule |
|---|---|
| Default age | 16 years old |
| Floor for member-state derogation | No lower than 13 |
| Example - United Kingdom | Set at 13 |
| Under-age child | Lawful only if consent given or authorised by the holder of parental responsibility |
| Verification duty | Controller must make reasonable efforts to verify parental consent |
- Multiple controllers relying on a consent must all be named; processors need not be named
- Controllers must keep a record of consent (the obligation to demonstrate consent), kept only as long as strictly necessary
- No fixed expiry, but the EDPB recommends refreshing consent regularly (ICO suggests ~every two years)
- Consent obtained through duress or coercion is invalid