The General Data Protection Regulation (AVG) requires that personal data be processed only if there is a legal basis for doing so. One of these is consent of the data subject (Article 6(1)(a) AVG).
Consent, according to the AVG, is: a freely given, specific, informed and unambiguous expression of will whereby the data subject consents, by means of a statement or active action, to the processing of his or her personal data for one or more specified purposes (Art. 4 under 11 AVG, EDPB Guidelines 05/2020).
Voluntary: The person genuinely makes the choice himself or herself, without pressure or negative consequences. Consent is usually not valid in situations of dependency, such as between employer and employee or government and citizen. So-called "dark patterns" - manipulative design choices in digital interfaces - can also prevent valid consent.
Specific: The data subject must give consent for each purpose. Bundled or vague purposes are insufficient.
Informed: Good advance information is mandatory. The data subject knows who is processing the data, for what purposes and what types of data are involved. Only open, clear language will suffice.
Unambiguous: Consent always requires an active action: checking, clicking or configuring yourself. Pre-ticked boxes, silence or inactivity do not mean valid consent (Planet49 judgment, C-673/17).
Note: The controller bears the burden of proof to demonstrate that all conditions have been met (accountability, Art. 7(1) AVG).
Consent should be as easy to withdraw as it is to give. If a person decides not to give consent, or to withdraw it, there should be no adverse consequences, such as excluded access or payment for regular services.
For children under 16, consent is only valid if granted by a parent or legal representative (Art. 8 AVG). This applies especially to information society services, but the protection of children throughout the AVG calls for caution more broadly.
For special categories of personal data - for example, medical, race-related or biometric data - explicit consent is required (Art. 9 AVG, par. 3.1 UAVG). Note the current case law on biometrics and international transfers, which strictly tests whether actual explanations and risks have been clearly communicated to the data subject.
Cookies & tracking: Only active and free choice applies. A cookie wall (consent required for access) is not allowed unless there are real alternatives.
Collection of proof of identity: This should never be the default: actively request, explain and limit processing.
Social media and AI: New EDPB guidelines prohibit the creation of "misleading" consent screens ("dark patterns"), including in AI systems, profiling and personalized ads.
Recent: Courts apply a strict interpretation of consent and closely scrutinize disclosure and actual freedom of choice, see e.g. rulings on tracking cookies, medical data and child/consent (Rb. Noord-Nederland, ECLI:NL:RBNNE:2025:187; Rb. Amsterdam, ECLI:NL:RBAMS:2025:885).
The consent basis is not always the best or most practical choice. Often other AVG bases, such as performance of a contract or legal obligation, are more stable and less risky. Every processing basis requires a proportionality and subsidiarity test: is this the least intrusive way and is the processing reasonably proportionate to the purpose?
Provide concise, transparent and findable consent forms.
Document the entire consent process, from information to revocation.
Monitor the effectiveness of the digital environment: use privacy by design and avoid nudges and dark patterns.
Periodically review the consent file: case law and EDPB guidelines evolve rapidly.
Organizations that process special categories of personal data, such as health data, must be able to prove express consent, see Art. 9 AVG and par. 3.1 UAVG. For more information on the processing of health data, see the book Privacy in Healthcare, 2.4.1, available via the Data&Privacyweb Pro and Expert membership and in our bookshop.
Cookie tracking on website (Planet49 ruling)
Collection and retention of copies of identity documents (Orange România)
Express consent in the case of special data or criminal data (GC/CNIL)
No consent required, other basis