Editor's note: The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.

Online consent cannot be reduced to a binary choice. It relies on the scope of what should be consented to, why it matters specifically to individuals and when, and more broadly, how it is provided.

Far from being a black-or-white assessment, to be valid, consent should be legally offered, meaning in accordance with applicable fairness, transparency and accountability principles under Recital 32 of the EU General Data Protection Regulation, which refers to a "freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her."

Valid consent should be rooted in, or at least aligned with, the reasonable expectations of individuals. This means it neither distorts nor constrains individuals' will to accept or reject optional data processing choices on top of strictly necessary ones.

But how can true consent be enabled in practice in a way that is consistent and tech-enabled for jurisdictions around the world? First, let's look at the current landscape.

What online consent is today

Let's start with the EU perspective: Consent is not only a data protection object under the GDPR but also a privacy matter, as seen in the ePrivacy Directive.

The European Data Protection Board's Guidelines 2/2023 on Technical Scope of Article 5(3) of the ePrivacy Directive focus on "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user" and all techniques that can be used to track people's activity online to provide behavioral advertising services.

Several EU initiatives, such as the April 2024 EDPB opinion on valid consent, European Commission 2023 cookie pledge and the EDPB consultation on pay-or-consent models held 18 Nov. 2024, intend to help frame consent online and determine how to obtain valid consent.

It is difficult for an individual to read, assess or signify agreement freely when using the available consent tools. The sheer volume of related requests and the act of giving consent itself is so cumbersome, between reading applicable provisions, ticking opt-out boxes, and identifying how to change or withdraw it, that informed and free consent does not exist. Online consent today is neither legally valid nor implementable simply because we use far too many services.

In May 2020, the EDPB clarified how consent should be requested and identified points that focus on the "freely given" parameter.

Imbalance of power

Is the service provided to individuals unique or so dominant that there is no real possibility to disagree? If yes, individuals "will have no realistic alternatives to accepting the processing."

Conditionality

Is the agreement separate from any other term? This corresponds to "the situation of bundling consent with acceptance of terms or conditions or tying the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of the contract or service." It is considered highly undesirable.

Granularity

Is the request for agreement specific to a limited set of data processing activities? When a service involves multiple data processing activities, "data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes."

Detriment

Would disagreement have a negative impact on individuals or block benefits at stake? As specified by the EDPB, "examples of detriment are deception, intimidation, coercion or significant negative consequences if a data subject does not consent." It also notes individuals shall have "a free or genuine choice about whether to consent" and not suffer any such significant negative consequences.

In addition to the GDPR and the ePrivacy Directive, the Digital Markets Act also urges gatekeepers, very large online platforms and online platforms at large to adopt good practices. According to Recital 37, "when the gatekeeper requests consent, it should proactively present a user-friendly solution to the end user to provide, modify or withdraw consent in an explicit, clear and straightforward manner."

Regarding consent, the DMA builds on the GDPR, whether it is a matter of definition in Article 2(32) or methodology to obtain consent in Recital 37, Article 13(5). But it also lays down practical and almost operational considerations, recognizing consent fatigue should be addressed and consent requests streamlined under Article 5(2), which states "where the consent given for the purposes of the first subparagraph has been refused or withdrawn by the end user, the gatekeeper shall not repeat its request for consent for the same purpose more than once within a period of one year."

The Digital Services Act also identifies GDPR consent requirements as a starting point, specifically "prior to the processing of personal data for targeted advertising" per Recital 68.

The conclusion to draw from the digital package provisions about consent is that, in the EU, the GDPR is the starting point and the applicable legal framework for online consent. Additionally, online service providers should proactively uplift current practices to minimize consent fatigue, markedly with targeted advertising.

In April 2024, EU data protection authorities agreed large online platforms should implement pay-or-consent models relating to behavioral advertising in a way that constitutes valid and, in particular, freely given consent. A core takeaway from the EDPB's Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms is "in most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee."

In a nutshell, the EDPB observed a third option, beyond consent or paying a subscription or fee, is needed for large online platforms. Since adopting the opinion, the EDPB continues to develop guidelines on consent-or-pay models with a broader scope. This work will shed light on eligible alternative or nonstandard approaches for consent to be given freely.

Beyond the pay-or-consent targeted reflection and the EU DPAs' ongoing discussions, a fair question remains: How do we freely give online consent today? How do we make online consent valid in practice? In real life, online consent is generally set through general settings or notifications, specific privacy settings such as location, banners like cookie consent management platforms, or ad hoc pop-up choices like privacy checkups.

On a global scale, a lingering debate on valid consent results from user experience considerations. Setting dark patterns or lack of transparent or intelligible information aside, the question to address is: Can humans give valid consent to all the requests coming their way?

In addition to the legal context, there simply is not enough time for people to read all the notifications that pop up for consent to be considered valid. For instance, consent management platforms ask everyone to grant consent when entering a website. They also help data controllers demonstrate they collected explicit agreement to process personal data; they do not empower individuals to consent freely.

Why not?

First, consent is requested at a given time, potentially as a take-it-or-leave-it choice and as a precondition to access the content or service, which forces user choices based on interest or convenience considerations. Second, the mechanisms are essentially a one-time consent, as they do not allow users to share their by-default reasonable expectations and their primary choices are not automatically updated or seamlessly shared as they browse. Third, the tool does not permit qualitative consent or give control to individuals because consent must be provided immediately and as-is.

Finally, consent management platforms do not streamline consent fatigue or reduce the unlimited number of consent requests coming our way. They do not check individual reasonable expectations or inquire about by-default choices before sending requests. Consent is both the entry point and the endpoint. Wouldn't it be fair, though, if everyone's reasonable expectations were considered by default before any consent requests were sent their way?

What online consent should be

To reassess state-of-the-art consent under GDPR Recital 32, a November 2024 article by Carnegie Mellon University professor Lorrie Cranor stresses that, globally, notice and consent does not work as-is and should be given "the legal and technical support it needs."

On the technology front, Cranor acknowledges the significant steps taken in the U.S. to empower individuals in practice, specifically by providing them with appropriate tech tools. These range from the binary approach of "do not track" to California's Global Privacy Control, "which allows users to turn on a setting in their browser (or browser extension) that transmits a GPC signal to automatically opt out of websites selling or sharing their personal information." She writes, "for the first time privacy laws are requiring websites to respect automated privacy signals such as GPC."

The GPC sets a new cornerstone for regulating valid consent, and a crucial landmark case has been set to respect individuals' right to share automated privacy signals and have them automatically complied with. Since the adoption of the GPC and the settlement of the Sephora case in August 2022, such rights factually and amicably entered into force.
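To make the mechanism described above concrete, here is an added example (not from the article or from any named project) of the server side of an automated privacy signal: a site that honors the GPC header on every request and advertises that it does so. It assumes the GPC specification's `Sec-GPC: 1` request header and the `/.well-known/gpc.json` support document; the request headers and the stored preference are constructed sample values.

```python
"""Honor a Global Privacy Control signal on the server side.

Per the GPC specification, a browser that has GPC enabled sends the
request header ``Sec-GPC: 1``. A site that respects the signal also
publishes ``/.well-known/gpc.json`` so user agents can confirm support.
"""
import json
from typing import Mapping, Optional


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when the request carries a valid GPC opt-out header.

    Header names are matched case-insensitively; the spec defines the
    single valid value "1", so anything else is treated as no signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def may_sell_or_share(headers: Mapping[str, str],
                      stored_choice: Optional[bool]) -> bool:
    """Decide whether this request may feed sale/sharing or targeted ads.

    stored_choice is the user's recorded preference (True = opted in,
    False = opted out, None = never asked). The automated signal is
    applied before any stored choice, so an opt-out sent by the browser
    wins even if a consent banner was accepted earlier. With no signal,
    the default is no processing until the user has affirmatively opted in.
    """
    if gpc_signal_present(headers):
        return False
    return stored_choice is True


def gpc_support_document(last_update: str) -> str:
    """Body to serve at /.well-known/gpc.json declaring GPC support."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


# Constructed sample requests: the first from a GPC-enabled browser,
# the second from a browser that sends no signal.
SAMPLE_GPC_REQUEST = {"Host": "example.test", "Sec-GPC": "1"}
SAMPLE_PLAIN_REQUEST = {"Host": "example.test"}
```

The `Host` value is a placeholder; the decision function is what a site's ad-tag or data-sharing code path would consult before acting.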

California internet users are the first, outside the EU, to enjoy the right to an actionable automated privacy signal tool that gives them real opt-out control. The California Privacy Protection Agency is the DPA leading the charge on this tech-enabled consent framework. Despite being a new DPA, it sets the tone on how individual fundamental rights should be enforced in practice in a tech-enabled world.

On the legal front, the need is clearly identified too and announced by the GPC model. It is all about giving individuals the chance to seamlessly share their reasonable expectations online and switch from consent collection tools, such as consent management platforms, to user-centric privacy choices tools, such as personal data choice management platforms.

Personal data choice management platforms allow users to set their reasonable expectations when they have time, update them when they feel like it and automatically share their by-default preferences regarding privacy, such as by-default cookie, safety, AI or commercial choices in a few clicks.

Going beyond the GPC opt-out controls, this "notice and consent 2.0" empowers everyone to take control over commercial processing and personalization online, as they proactively share automated privacy signals wherever they browse seamlessly.

Also, these tools allow one to reduce or streamline opt-in or consent requests according to their preferences, pick companies they trust, and choose the timeframes during which they would like to be targeted.

Why isn't valid online consent in use?

The tech is there. Legal provisions in California have already made the point that, in a tightly limited timeframe, user-centric automated privacy control practices can be fostered and enforced. Cranor stressed, "we need (internet of things) devices that send and receive standardized privacy signals to well-designed user agents. We need enforceable penalties for data collectors that fail to honor automated signals or manipulate users into consenting to data practices. And, importantly, we need strong baseline privacy regulations."

Conspicuously, valid consent blockers, whatever they are, are not tech ones anymore. As of today, the main blocker to valid consent appears to be regulatory latency: the time it takes for regulators to adapt regulation to state-of-the-art tech practices from consent management platforms to personal data choices management platforms.

One year ago, the European Commission's Directorate‑General for Communications Networks, Content and Technology recommended exploring signals from personal data choice management platforms under Draft Principle H of the cookie pledge. Indeed, for consent to be valid in practice, what the most innovative and accountable companies need is support in showcasing the user-centric choices that personal data choice management platforms offer, which could help them serve trusted personalized ads and services. In 2024 the Digital Advertising Alliance started exploring cross-service signal-based mechanisms that are similar to those designed in the EU and are subject to patent application.

So, let's move the discussion forward diligently and determine what a consistent tech-enabled consent mechanism should look like in the U.S., EU and globally.

Marie-Charlotte Bouquet is a data protection and innovation advisor, principal and research lead at ID Side.