For United States companies that do business in the European Union, it may seem counterintuitive that of the six possible legal justifications for processing personal data under the General Data Protection Regulation (GDPR), consent is the last justification an EU company wants to rely on. But unlike the U.S. practice of passive notice and consent, GDPR sets a much higher standard for valid consent, one that makes obtaining and maintaining consent from users more difficult than under the U.S. legal framework.

GDPR, which is based on a fundamental right of fairness in data processing, requires much more than the U.S. approach to data privacy, which is based on principles of consumer protection and full disclosure. This distinction is clearest in GDPR’s requirements for companies that wish to process personal data on the basis of the user’s consent. Article 7 of GDPR sets out specific conditions for consent, and GDPR’s explanatory recitals imply even more requirements. The European Data Protection Board (EDPB), formerly known as the Article 29 Working Party, expounded upon the GDPR’s explanations. These sources tell us that for consent to be considered valid under GDPR, it must be freely given, specific, unambiguous, and informed.