Consent is considered valid after the following conditions are met:
Consent must be freely given:
The element of “freely given” implies that natural choice and control lie with the data subject. For consent to be considered freely given, data subjects must be able to withdraw or refuse their consent at any time without detriment. Consent cannot be bundled up as a non-negotiable part of terms and conditions. Furthermore, organizations should not place any conditions on consent before a data subject can access a service.
Consent must be Specific:
The element of “specific” implies granularity; organizations must obtain separate and explicit consent for particular data processing purposes. If data collection has multiple purposes, the organization must explain each purpose separately. Consequently, the data subject must provide consent for each purpose separately as well.
Consent must be Informed:
The element of “informed” implies that data subjects have all relevant information that would enable them to make an informed choice. In particular, organizations must inform data subjects about the potential risks and consequences of granting or denying consent.
Consent must be Unambiguous:
The element of “unambiguous” refers to organizations’ obligation to obtain data subject’s consent explicitly and clearly, and avoid the use of any dark patterns to obtain data subjects’ consent.