The basics of consent: Consent types and definitions under the GDPR, CCPA, and CPRA.

Batja Huisman
Batja Huisman
Sep 5, 2022
min read
The basics of consent: Consent types and definitions under the GDPR, CCPA, and CPRA.

Consent is a vital concept for all companies dealing with individuals’ data collection, whether for a social media platform, a website, or a mobile application. It is an integral part of most modern privacy legislation and has taken on a new urgency, with companies being fined for consent violations or lack of proper data protection.

This article, explores the different types of consent and what constitutes consent under privacy regulations, such as the GDPR, the CCPA, and the CPRA.

Types of consent

There are a lot of different definitions and phrases when it comes to consent. Here are some of the most common used explained:

Implied consent

Implied consent is when a user hasn't explicitly agreed to the processing of their personal data, but consent is implicitly granted by their actions. This type of permission is often used in marketing, where companies will collect information about users through their online browsing habits and then use it for targeted advertising purposes.

This is done without the individual’s explicit consent. In this situation, an opt-out is necessary for consumers to unsubscribe from using their personal data.

Explicit consent

Explicit consent means that a person is given the option to authorize obtaining, using, or selling of their data. This means that the individual knows they are being asked to use or share their personal information, and they agree to it. Companies must make sure they disclose the collected data and for what purpose it is being collected.

Explicit consent is usually done verbally or in writing.

Active consent

Active consent is a form of explicit consent. It is the process of getting an individual’s explicit agreement to use cookies on their browser through active behaviors like clicking a button or checking a box. Data subjects are fully informed about the purpose of the cookies they agree to.

Passive consent

Passive consent arises when users do not have the opportunity to actively choose whether to accept cookies. Data users give permission without clicking a button or checking a box. Some websites use passive consent and collect it through things like banners. Continued use of the site shows that you consent to your data being collected and used.

Typically, passive consent is seen as a type of implied consent.

Opt-out consent

When users are presented with the opt-out consent banner, their consent has been given by not declining it. If consent is not evidently refused, then consent is given. Opting out is done in writing form. In this model, an organization will provide a pop-up, banner web page, or another relevant interface through which users can indicate that they wish to opt-out.

The opt-out consent model has become a popular form of requesting permission to use customers' personal data for other purposes, such as targeted advertising. This is because individuals have to take action to avoid having their data collected, used, sold, or disclosed.

Opt-in consent

This requires data controllers to obtain explicit consent from data subjects by opting in. By default, the user is opted-out of tracking and data processing unless they actively consent.

An opt-in banner notifies users about the cookies being used and gives them options to either reject or give their consent.

Informed consent

Businesses ensure that they properly inform the users of all possible outcomes and get their consent before proceeding. The goal of informed consent is to let the individual know all there is to know about a specific situation and make a decision based on that information.

Elements of consent Under the GDPR

The GDPR requires consent to be opt-in. The GDPR’s Article 4 defines consent as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Let's go over some key points to better understand the definition.

Consent should be freely given

This means you must not deceive your users by getting or expecting them to provide consent in return for something. Users must be able to decline consent.

Consent should be specific

Ensure to be as transparent as possible about what you exactly intend to do with users’ data, giving them a chance to authorize each activity.

Consent should be informed

It's important to inform data users about what they agree to and how the data would be used. The users must also be made aware of their right to withdraw consent whensoever. Also, withdrawal has to be just as easy as giving consent.

Consent should be unambiguous

There must be absolutely no doubt about if individuals have authorized the processing or sharing of their information.

Consent must be given via a clear affirmative action

Instead of relying on assumptions, ask for users’ explicit consent before proceeding with any data processing activities.

The GDPR requires users to be properly informed and actively give their consent before data processing. Data collectors need deliberate and active consent from individuals before distributing or sharing their collected data.

Elements of consent Under the CCPA

The CCPA does not specifically define “consent.”

Unlike the GDPR, active consent from users isn’t necessary under the CCPA. Data collected can be used instantly without having to confirm with data subjects. They, however, have the right to make a demand to opt out, which businesses are obliged to comply with.

The CCPA uses implied consent by default. In simple terms, you can use the data of your customers until they opt out. One of the exceptions to this rule is when a company intends to sell the information; in this case, businesses need to provide a clear and easy-to-find “Do Not Sell My Personal Information” link on their website that allows you to submit an opt-out request. 

Another exception is when a user is under 16 years old. Businesses will need active consent before using their data. By default, minors are opted out of allowing tracking and processing of their personal information. Users under 16 will have to opt-in for their consent to be valid. If they are aged 13 to 16, refrain from using their data unless they give consent that meets CCPA standards. If they are under 13 years old, then under no circumstance should you collect, use, or disclose their personal information without explicit consent from their parent/guardian.

Elements of consent Under the CPRA

CPRA’s definition of “consent” closely aligns with that of the EU’s GDPR. It defines “consent” as “ any freely given, specific, informed, and unambiguous indication of the consumer’s wishes ... including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose.”

Just like the CCPA, businesses will use the opt-out cookie consent framework when the CPRA comes into effect on January 1, 2023. Data controllers can use cookies on their website or app without prior consent as long as the user has the right to opt out. 

However, if it pertains to people under the age of 16, then organizations must obtain informed consent from them before any personal information belonging to them can be collected and used.

Additionally, consumers have the right to opt-out of the sale or sharing of personal information, including opting out of cross-context behavioral advertising and limiting the data used or disclosed. In this context, the term "sharing" refers to the process of sharing, renting, releasing, disclosing, disseminating, transferring, or otherwise communicating -orally, in writing, electronically, or otherwise- consumer data to third parties for cross-context behavioral advertising. Therefore companies should ensure compliance by providing a clear “Do Not Sell or Share” option on their website.

The CPRA calls attention to the need for enhanced consent standards on every website and app. 

Setting Up Your Consent management

Mine PrivacyOps has everything you will need to comply with privacy regulations, minimize legal risks, and protect your users' data privacy. The platform helps you easily set up and streamline your users' consent management.  Cover your bases with a full privacy suite, including Consent Management, and reduce manual and repetitive work by legal and engineering teams.