Personal Information in Data Privacy
Learn what personal information is, why it's protected, and the different ways countries around the world define it.
A Guide to User Consent
Compliance sucks.
We make it simple.
Create a tailored Privacy Policy, Terms & more in under 5 minutes.
Data protection laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) mandate that organizations obtain explicit, informed consent from users before collecting and processing their personal data. This includes data collected using HTTP cookies. But what is user consent, and how do you obtain it? We’ll cover everything you need to know below!
Manage cookie consent with ease
Cookie Consent Management PlatformWhat is user consent?
In the context of data privacy, user consent is the act of a person (the user) giving you permission to collect and use their personal information for a specific purpose.
What is ‘valid’ user consent?
Valid consent means that a user has given their consent in a way recognized by the data privacy laws in effect. Depending on the laws that apply to you and your users, ‘valid’ user consent can have different meanings. This is why we always recommend that businesses comply with stricter regulations like the GDPR, ePrivacy Directive, and CCPA to ensure global compliance. These laws require consent to be ‘explicit’ to be ‘valid’, which means:
- The person isn’t pressured or required to give their consent (consent is freely given).
- They know exactly what data will be collected and why (consent is informed and specific).
- Their permission is clear and obvious, not guessed or assumed (consent is unambiguous).
- They are fully aware that they are giving their consent (consent is active).
- They can change their mind and take back their permission whenever they want (consent is revocable).
Can you collect personal data without valid user consent?
No, collecting or processing personal data is prohibited without user consent, unless there are other legal bases such as legal obligations, vital interests of the data subject, public interest, and legitimate interest.
What are the different types of user consent?
Explicit consent (Expressed)
Explicit consent is when permission is clearly and directly given, e.g., if a user clicks “accept” on a cookie banner to consent to cookies being set on their browser. Nothing is left implied or assumed. This is the most common type of valid consent and is required by laws like the GDPR and the ePrivacy Directive.
You can obtain explicit consent with our cookie banner generator.
Implicit consent (Implied)
Implicit consent is when permission is derived from actions or behavior, without the person directly saying or confirming it.
Freely given consent
Freely given consent (sometimes called voluntary consent) is when consent is given with a genuine choice, free from pressure or negative consequences. The person must have real control over their decision.
Specific consent
Specific consent is when permission is only given for a particular purpose that is fully explained. For example, if a user consents to their email address being collected for the purpose of sending them a receipt for a purchase, they have not consented to their email address also being used for targeted advertising.
Informed consent
Informed consent is when a user gives consent with full understanding of what they are consenting to. In the context of data privacy, a user would be giving informed consent for data processing if prior to being asked, they have been told who is collecting their data, what data is being collected, how it will be used, and of their right to withdraw consent.
Unambiguous consent
Unambiguous Consent is when permission is given with a clear, active confirmation through an opt-in, statement, or positive action. It cannot be assumed or implied. While written consent is ideal, an electronic consent mechanism is acceptable for a website, e.g. a cookie banner popup or a tick box at the base of your terms and conditions contract.
Opt-in consent
Opt-in consent is when an activity that requires consent isn’t performed until a user actively provides it. An example of opt-in consent would be if a website blocks cookie scripts from setting until a user has clicked a button on their cookie banner that says “accept cookies”. Most data privacy laws require organizations obtain opt-in prior to processing any personal data.
Opt-out consent
Opt-out consent is when consent is assumed unless the person actively says “no” or takes action to refuse. For example, if a website tracks its users with Google Analytics prior to obtaining consent, but disables tracking if the user clicks the “Decline cookies” button located on their cookie banner.
Granular consent
Granular consent is when permission is given for specific parts of a process, allowing the person to choose exactly what they agree to. In the context of cookie consent, a website owner can obtain granular consent by allowing their users to opt-in to specific types of cookies (e.g. advertising cookies or performance cookies) within their cookie banner, rather than accepting or declining all cookies.
Active consent
Active consent is a type of explicit consent that requires deliberate action, like clicking “Accept,” to show agreement. It’s clear and intentional.
Passive consent
Passive consent is a type of implicit consent where consent is assumed if the person doesn’t specifically withdraw consent, e.g., if a website sets cookies when a user continues to use a website without declining the use of cookies.
Withdrawable consent
Withdrawable consent is when consent is given with the freedom to take it back at any time, giving the person the freedom to change their mind.
Bundled consent
Bundles consent is when consent is given for multiple things grouped together, where agreeing means accepting all at once. In the context of data privacy, an example of bundled consent is when a cookie banner only provides users the option to accept all cookies or reject all cookies, with no option to give granular consent.
Advance consent
Advanced consent is when permission is given ahead of time for something that will happen in the future, e.g., asking a user to agree to the sharing of their personal data before creating an account.
Substituted consent
Substituted consent is when someone else gives permission on behalf of a person who cannot decide for themselves, e.g. The COPPA rule requires substitute consent for children under the age of 13, whereby website owners must obtain verifiable parental consent, with limited exceptions, prior to any collection, use, and/or disclosure of personal information from persons under age 13.
Explicit consent (expressed) vs implicit consent (implied)
The difference between explicit consent and implicit consent is that explicit consent is expressed through clear actions or statement, while implicit consent is implied or assumed through behaviour. Strict data privacy laws like the GDPR and CCPA require you to obtain explicit consent before processing a user’s personal data, whereas some privacy laws only require you to obtain ‘implicit’ consent or ‘implied’ consent.
For example, if you are asking a user for their consent to use cookies:
- Explicit consent: If your website uses a cookie banner to inform your users that you would like to set cookies that will enhance their experience, but only if they click “Accept,” otherwise they may click “Decline” and continue to use the site without cookies being enabled.
- Implied consent: If your website uses a cookie banner that only blocks cookies if the user clicks “Decline,” making the assumption that the user has consented because they have continued browsing the site without interacting with the cookie banner.
| Type of user consent | Category of consent |
| Opt-in Consent | Expressed |
| Opt-out Consent | Implied |
| Active Consent | Expressed |
| Passive Consent | Implied |
| Granular Consent | Expressed |
| Bundled Consent | Expressed |
| Withdrawable Consent | Expressed |
| Advance Consent | Expressed |
| Substituted Consent | Expressed |
How do I obtain user consent to use cookies?
To obtain consent to use cookies, you’ll need a consent mechanism such as a cookie banner. Here’s how to obtain user consent with a cookie banner:
1. Choose a trusted Cookie Banner service
Find a GDPR and CCPA compliant cookie banner that is capable of requesting explicit consent, like the GetTerms Consent Management Platform.
It enables users to accept or reject cookies and makes withdrawing consent as easy as giving it.
It clearly explains what data will be collected and why with links to your cookie policy.
It automatically blocks cookies until consent is given and requests active consent via a button click with no pre-ticked checkboxes or functions that assume consent.
2. Write an informative cookie consent message
Add a message to your cookie banner explaining your use of cookies and include links to your privacy policy.
Here’s an example cookie consent message:
“We use cookies to improve your experience on this website. You may choose which types of cookies to allow and change your preferences at any time. Disabling cookies may impact your experience on this website.”
3. Enable all consent settings
- Configure your cookie banner to automatically block cookies
- Add a button to accept all or reject all cookies
- Allow users to reject all cookies
- Enable granular consent options
- Enable Google Consent Mode
4. Ensure no tick boxes are pre-ticked
5. Add the cookie banner to your website
Most cookie banners provide instructions on how to add their product to your website. GetTerms offers two different methods for adding the Cookie Consent Widget:
- Via embed code
- Via WordPress Plugin
6. Install your Google Analytics Tag with Google Tag Manager
Set up Google Analytics to only fire when consent is given via your cookie banner. You can follow our guide on how to set up the GetTerms cookie banner for explicit consent.
Related Articles
How to Set Up the GetTerms Cookie Banner for Explicit Consent
Step 1: Install Google Tag Manager Template Add the ‘GetTerms Consent Management‘ Tag Template to your workspace In your ‘Google…
