In the context of privacy, consent refers to when a consumer knowingly gives a company permission to process their personal data. Cookie banners, often a pop-up asking you to ‘Accept’ or ‘Reject’ tracking, is one of the most common examples of consent management.
The General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) have different approaches to the concept of consent.
The GDPR was foundational in developing the modern data consent framework. Laying out clear requirements for consent in Article 4, the GDPR states consent must be “freely given, specific, informed, and unambiguous.”
GDPR Article 7 goes on to outline four conditions for valid consent.
Obtaining valid consent is taken very seriously under the GDPR, with some of the largest GDPR fines to date being issued due to problems in a company’s consent management process.
Under the CCPA, sites may place cookies without first obtaining consent. However, users must be able to opt out of cookie tracking at any point. This opt-out consent regime is often seen in the form of a “Do not sell my information” link in a website’s footer menu.
Though the CCPA and CPRA don’t require cookie consent, many organizations under these laws still use cookie banners to minimize risk from third-party advertising.