GDPR Consent Management Checklist
Last updated: 2026-04-08 — ComplianceStack Editorial Team
GDPR consent is the most litigated legal basis in European data protection law. The €390 million Meta decision of January 2023 turned on legal basis: Meta had relied on contractual necessity for behavioural advertising, and the Irish DPC, directed by the EDPB, found that this processing needed consent that had never been validly obtained, because agreement was bundled into the Terms of Service. The €405 million Instagram fine (2022) and the €345 million TikTok fine (2023) concerned children's data and privacy-by-default failures rather than consent mechanics, but they show the scale of penalty where data subjects are given no genuine choice. Getting consent right is not about adding a cookie banner; it is about redesigning data collection so that processing is genuinely conditional on user agreement. This checklist covers the 18 requirements for a defensible consent management program.
GDPR Compliance Checklist for Consent Management
Audit every processing activity currently relying on consent and validate that consent is the correct legal basis
Consent is appropriate only when the processing is genuinely optional and the data subject has a real choice. If processing is necessary for a contract, required by law, or justified by legitimate interests, use those legal bases instead. Misidentifying the legal basis cuts both ways. Relying on contractual necessity for processing that actually requires consent (behavioural advertising) was the central finding in the January 2023 Meta Ireland decisions. Claiming consent for processing that is genuinely necessary for the contract creates the opposite problem: the data subject can withdraw at any time, and you then have no basis to keep running the service.
Ensure consent is freely given: no conditioning access to a service on consent to non-essential processing
"Take it or leave it" consent tied to service access is not freely given. The power imbalance between a controller and a data subject in a service relationship weighs against genuine freedom. Controllers must offer an equivalent service without consent to non-essential processing, or accept that consent is invalid. EDPB Opinion 08/2024 on "consent or pay" models run by large online platforms concludes that, in most cases, offering only a choice between consenting to behavioural advertising and paying a fee will not produce valid consent; controllers should consider a further, genuinely equivalent alternative, ideally free of charge, that does not involve behavioural advertising.
Ensure consent is specific: obtain granular consent for each distinct processing purpose
Blanket consent for all purposes is invalid. Consent must be obtained separately for each distinct purpose: analytics, marketing, personalization, sharing with third parties. Group together only processing purposes that are so closely linked that data subjects would reasonably expect them to be bundled. Pre-ticked boxes do not constitute valid consent for any purpose (CJEU, Planet49, C-673/17); a box the user never actively ticked is at best implied consent, which does not meet the GDPR standard.
Ensure consent is informed: provide layered, clear disclosure before consent is obtained
Before consent, data subjects must know: who the controller is, what data will be processed, the specific purpose(s), whether data will be shared with third parties (and who they are), and the right to withdraw consent at any time. Disclosures must be in plain language appropriate to the audience — if collecting data from children, use child-appropriate language. Post-consent disclosure does not satisfy the informed requirement.
Ensure consent is unambiguous: require an affirmative opt-in action for each purpose
Silence, pre-ticked boxes, inactivity, and scrolling past a banner do not constitute unambiguous consent. Require an active positive action: clicking an "I Accept" button (for a single purpose), ticking an unticked checkbox (for each granular purpose), or making a clear affirmative statement. The opt-in action must be clearly distinguishable from other actions on the same page.
Implement a Consent Management Platform (CMP) with a compliant cookie banner
Your cookie banner must: present a genuine accept/reject choice on the first layer without requiring the user to click through to reject; not use dark patterns (greyed-out reject, disproportionate button sizes, pre-ticked boxes); provide separate controls for analytics and marketing cookies; and not place non-essential cookies before consent is obtained. Major CMPs (OneTrust, Cookiebot, Usercentrics) provide pre-configured templates that meet these requirements when properly configured. A compliant template is only half the job: every non-essential script and cookie on the site must actually be wired to the CMP's consent signal, which is a verification of the page, not of the CMP dashboard.
Maintain timestamped, auditable consent records for every data subject
Article 7(1) places the burden of proof on the controller to demonstrate consent was given. Consent records must capture: data subject identity, date and time of consent, the consent text presented, the specific purposes consented to, the version of the privacy notice shown, and the channel through which consent was obtained. Retain consent records for as long as the processing continues plus a reasonable additional period for dispute resolution.
Implement a straightforward withdrawal mechanism and process withdrawals promptly
Withdrawing consent must be as easy as giving it (Article 7(3)). If consent is obtained with one click, withdrawal must also be one click: not buried in account settings, not requiring a written request, not conditional on explaining a reason. Process withdrawals promptly. GDPR sets no fixed period, but the processing must stop without undue delay; for email marketing, suppress the address immediately and certainly before the next send. (The "10 business days" figure sometimes quoted is a US CAN-SPAM limit, not a GDPR one.) Withdrawal does not affect the lawfulness of processing carried out before it.
Obtain fresh consent when consent language or processing purposes change materially
Consent obtained for one purpose does not cover new or changed purposes added later. If you expand your marketing program, add new third-party sharing, or change the data you process, you must obtain fresh consent for the new processing. A change in privacy notice language alone does not re-consent users: you must reach the data subject (normally through the channel where consent was originally obtained) and obtain an affirmative opt-in again. Until you do, the new processing has no legal basis for that subject.
Implement age verification and parental consent mechanisms where children may use your service
GDPR Article 8 sets the age of consent for information society services at 16 by default, with member states able to lower to 13. If children below the applicable age may use your service, you must verify age and obtain parental or guardian consent. The standard for assessing what reasonable efforts to verify age are required is based on the risk of harm to children from the processing. Implement a robust age assurance mechanism proportionate to that risk.
Establish a consent refresh program to renew stale consents
There is no statutory expiry date for GDPR consent. EDPB Guidelines 05/2020 recommend refreshing consent "at appropriate intervals" without fixing a number, and CNIL recommends that cookie consent be renewed roughly every six months. Common practice is to refresh direct-marketing consents every 12-24 months and consents for sensitive processing more often. A consent refresh program reaches data subjects who have not engaged with your communications recently and confirms their continued consent. Remove from active processing lists those who do not respond to refresh campaigns within 30 days.
Review consent flows for dark patterns and remove them
The EDPB's Cookie Banner Taskforce report (January 2023) and its Guidelines 03/2022 on deceptive design patterns identify the patterns supervisory authorities treat as invalidating consent: interfaces that make rejecting harder than accepting; pre-selected options; consent "walls" blocking content; misleading wording ("Disagree" framed as the negative option while "I agree with the terms" is the positive); and repeatedly re-asking after a data subject has already rejected. Conduct a UX audit of all consent flows against this guidance.
Maintain a consent withdrawal log and propagate withdrawals to all downstream systems
When a user withdraws consent, that withdrawal must propagate to every system that was processing data on the basis of that consent — not just the primary marketing platform. This includes email service providers, CRM systems, advertising platforms, analytics tools, and any third parties with whom data was shared under the original consent. Document the propagation chain and retain evidence that withdrawal was fully actioned.
Implement double opt-in for email marketing and direct communications
Double opt-in (sending a confirmation email requiring the subscriber to click a link to confirm their subscription) is not required by GDPR but is strongly recommended as best practice for three reasons: it provides higher-quality consent evidence, it reduces spam complaints, and it creates a natural audit trail. Under PECR (the UK's implementation of the ePrivacy Directive) and the equivalent national rules in EU member states, consent for direct marketing by electronic means must be obtained before the first marketing communication; double opt-in ensures this is met. The confirmation link only proves anything if it cannot be guessed or forged, so treat the confirmation token as a security control, not a convenience.
Train marketing, product, and engineering teams on consent requirements and the impact of dark patterns
GDPR consent failures are often the result of product and engineering decisions made without privacy input — defaulting to pre-checked boxes, making reject buttons less prominent, or adding tracking scripts without CMP integration. Annual training for product and marketing teams should cover: what valid consent looks like, how to review consent UI against EDPB guidelines, and how to escalate design decisions that implicate consent to the privacy team.
Audit third-party tags and pixels to confirm they are gated behind consent
Marketing and analytics tags (Meta Pixel, Google Analytics, LinkedIn Insight Tag, etc.) that track browsing behavior are subject to the consent requirements. Use a tag management system (Google Tag Manager, Tealium) to fire tags only after consent is obtained for the relevant purpose. Conduct quarterly audits of all active tags to confirm: (1) the tag is listed in your CMP; (2) the purpose category matches what the tag actually does; (3) the tag does not fire before consent. Do the audit in the browser (network tab or a HAR export captured before any consent action), not only in the CMP dashboard: a hard-coded script tag or a trigger misconfigured in the tag manager bypasses the CMP without appearing in its inventory.
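An added example, not code from the page or from any tag manager or CMP, of both halves of this item: a gate that holds tags until consent for their category is granted, and an audit that compares what actually loaded in the browser against the CMP's inventory and flags the three failures listed above. The tag names, the known-function mapping and the observed-load log are constructed; in a real page `load` would insert the vendor's script element, and observed loads would come from a PerformanceObserver or a HAR file.

```javascript
// Added example (not from the page): consent-gated tag firing plus a tag audit.
const CONSENT_CATEGORIES = ['necessary', 'analytics', 'marketing', 'personalization'];

class ConsentGate {
  constructor() {
    this.granted = new Set(['necessary']); // strictly necessary needs no consent
    this.tags = [];                        // { name, purpose, load, fired }
  }
  register(name, purpose, load) {
    if (!CONSENT_CATEGORIES.includes(purpose)) throw new Error(`unknown purpose ${purpose}`);
    this.tags.push({ name, purpose, load, fired: false });
    this._flush(); // necessary tags fire at once; everything else waits
    return this;
  }
  // Called from the CMP callback with exactly the categories the user accepted.
  applyConsent(categories) {
    this.granted = new Set(['necessary', ...categories]);
    this._flush();
  }
  // Fire each not-yet-fired tag whose purpose is granted; a tag fires at most once.
  _flush() {
    for (const t of this.tags) {
      if (!t.fired && this.granted.has(t.purpose)) { t.fired = true; t.load(); }
    }
  }
  firedTags() { return this.tags.filter((t) => t.fired).map((t) => t.name); }
}

// What common tags actually do, used to catch a tag filed under the wrong
// category in the CMP (a marketing pixel listed as "necessary"). Constructed
// mapping for the example; a real one would be maintained with the inventory.
const KNOWN_TAG_FUNCTION = {
  'meta-pixel': 'marketing',
  'google-analytics': 'analytics',
  'linkedin-insight': 'marketing',
  'session-cookie': 'necessary',
};

// cmpInventory: [{ name, purpose }] as configured in the CMP.
// observed:     [{ name, loadedAt }] scripts seen loading, ms timestamps.
// consentAt:    ms timestamp of the user's consent action, or null if none.
// Returns one finding per problem: NOT_IN_CMP, PURPOSE_MISMATCH, FIRED_BEFORE_CONSENT.
function auditTagLoads(cmpInventory, observed, consentAt) {
  const inventory = new Map(cmpInventory.map((t) => [t.name, t.purpose]));
  const findings = [];
  for (const o of observed) {
    const cmpPurpose = inventory.get(o.name);
    if (cmpPurpose === undefined) { findings.push({ tag: o.name, issue: 'NOT_IN_CMP' }); continue; }
    const actual = KNOWN_TAG_FUNCTION[o.name];
    if (actual && actual !== cmpPurpose) {
      findings.push({ tag: o.name, issue: 'PURPOSE_MISMATCH', cmp: cmpPurpose, actual });
    }
    // Judge "needs consent" by the tag's real function, not by how the CMP files it.
    const needsConsent = (actual || cmpPurpose) !== 'necessary';
    if (needsConsent && (consentAt === null || o.loadedAt < consentAt)) {
      findings.push({ tag: o.name, issue: 'FIRED_BEFORE_CONSENT' });
    }
  }
  return findings;
}
```

The audit deliberately trusts the known-function table over the CMP category when deciding whether a tag needed consent; a pixel mis-filed as "necessary" is exactly the case that a CMP-only review misses.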
Establish a consent management policy covering the full consent lifecycle
Document the complete consent management policy: which processing activities use consent as the legal basis, the mechanism for obtaining each type of consent, the format and content of consent records, the withdrawal process, the consent refresh schedule, and the process for re-consenting when purposes change. The policy should assign owners for each step and include escalation paths for ambiguous situations.
Prepare for regulator audit by conducting annual mock consent audits
DPAs that investigate consent practices request: your consent records (can you produce evidence of consent for a specific individual?), your consent notice (what was the data subject shown at time of consent?), your CMP configuration, your withdrawal process, and your propagation documentation. Run an internal mock audit annually to confirm you can respond to each of these requests within 24 hours. Identify and remediate gaps before an actual investigation.
Frequently Asked Questions
Can I use consent as the legal basis for all my GDPR processing?
No, and in many cases you should not even try. Consent is one of six legal bases under Article 6, and it is only appropriate when the processing is genuinely optional and data subjects have a real choice. For employee data, contract performance is usually more appropriate. For fraud prevention, legitimate interests may apply. For tax reporting, legal obligation is the correct basis. Using consent for processing that is necessary for your core service creates problems because data subjects can withdraw consent at any time — meaning you cannot process data necessary for the service if they do.
Does GDPR consent expire?
GDPR does not set a statutory expiry date for consent. EDPB Guidelines 05/2020 say only that consent should be refreshed at appropriate intervals; individual regulators have gone further for cookies, with CNIL recommending renewal roughly every six months, and 12-24 months is widely treated as best practice for marketing consent. The key question is whether the consent remains valid given the passage of time and any changes in the processing. If a data subject has had no contact with your service for two years and your processing has expanded, obtaining fresh consent is advisable both legally and commercially.
What is the difference between GDPR consent and ePrivacy Directive consent for cookies?
The requirement to obtain consent before storing or accessing information on a user's device comes from Article 5(3) of the ePrivacy Directive, not from GDPR. It covers cookies, pixels, local storage and similar techniques, applies whether or not the data is personal, and exempts only storage that is strictly necessary to provide a service the user explicitly requested. The ePrivacy Directive borrows its definition of consent from GDPR (Article 94(2) GDPR), so cookie consent must meet the GDPR standard: freely given, specific, informed, unambiguous, documented, withdrawable. A cookie banner that fails GDPR consent standards therefore also fails the ePrivacy requirement, and once personal data is collected through the cookie, GDPR applies to that processing in full.