In the context of privacy, consent refers to when a consumer knowingly gives a company permission to process their personal data. Cookie banners, often a pop-up asking you to ‘Accept’ or ‘Reject’ tracking, is one of the most common examples of consent management.

The General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) have different approaches to the concept of consent.

The GDPR was foundational in developing the modern data consent framework. Laying out clear requirements for consent in Article 4, the GDPR states consent must be “freely given, specific, informed, and unambiguous.”

GDPR Article 7 goes on to outline four conditions for valid consent.

  • There must be clear documentation that a user provided consent.
  • When requesting consent, the process and language must be straightword, easy to understand, and accessible. A consent management process that’s difficult or confusing invalidates consent.
  • A consumer may withdraw consent at any point and the process for doing so must be easy.
  • Consent may not be tied to fulfilling a contract, unless data processing is necessary for completing specific contractual clauses.

Obtaining valid consent is taken very seriously under the GDPR, with some of the largest GDPR fines to date being issued due to problems in a company’s consent management process.

Under the CCPA, sites may place cookies without first obtaining consent. However, users must be able to opt out of cookie tracking at any point. This opt-out consent regime is often seen in the form of a “Do not sell my information” link in a website’s footer menu.

Though the CCPA and CPRA don’t require cookie consent, many organizations under these laws still use cookie banners to minimize risk from third-party advertising.