GDPR consent management is one of the most operationally demanding compliance obligations. Getting consent right is not just about displaying a cookie banner: it requires a structured lifecycle covering collection, recording, withdrawal, and renewal of consent across every processing activity that relies on Art. 6(1)(a) GDPR. The CNIL fined Criteo EUR 40 million on 15 June 2023 for consent failures that included an inability to demonstrate that the people it tracked had validly consented and for not fully honouring withdrawal of consent. This article covers the legal requirements, the consent lifecycle, and how to choose and operate a consent management platform that actually meets the standard.
Key Takeaways
- Valid consent under GDPR must be freely given, specific, informed, and unambiguous (Art. 4(11)) – and the controller must be able to prove it (Art. 7(1)).
- Consent management covers the full lifecycle: collection, storage, withdrawal, and renewal.
- Consent management platforms (CMPs) must support granular purpose-level consent, not bundled opt-in.
- Withdrawal must be as easy as giving consent (Art. 7(3)) – a requirement most organizations still fail.
Legal Requirements for GDPR Consent
The GDPR defines consent in Art. 4(11) as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes.” Art. 7 GDPR then adds four operational requirements that shape how consent management must work in practice.
Art. 7(1): Demonstrable consent
The controller must be able to demonstrate that the data subject consented. This means consent records must include: who consented, when, what information they were given, and what they consented to. A checkbox without a timestamp, user identifier, and version of the privacy notice presented is insufficient.
The EDPB Guidelines 05/2020 on consent confirm that the burden of proof lies entirely with the controller. If you cannot produce a record showing who consented, when, to what and on the basis of which information, you cannot rely on consent as the legal basis, and the processing carried out under it has no lawful basis.
Art. 7(2): Distinguishable and clear
When consent is obtained in the context of a written declaration that also concerns other matters (e.g., terms of service), the consent request must be “clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.” Bundling consent with terms of service acceptance violates this requirement.
The CNIL fined Google EUR 50 million (Deliberation SAN-2019-001, 21 January 2019) in part because consent to ads personalisation was collected as part of Android account creation, with the relevant setting pre-ticked and the information spread across several screens, so users could not give a separate, specific decision on advertising.
Art. 7(3): Easy withdrawal
Data subjects must be able to withdraw consent at any time, and “it shall be as easy to withdraw as to give consent.” If consent was given with one click, withdrawal must also require no more than one click. The CNIL has consistently enforced this standard: in its decisions against Google and Facebook (31 December 2021, announced 6 January 2022), it found that users could accept cookies in one click but had to navigate several menus to refuse them.
Art. 7(4): Freely given
Consent is not freely given if the performance of a contract is made conditional on consent that is not necessary for the contract. Under Art. 7(4), a service that requires consent to advertising as a condition of access violates the “freely given” requirement unless advertising is genuinely necessary for service delivery.
The Consent Lifecycle
GDPR consent management is not a one-time event. It requires managing four distinct phases:
Phase 1: Collection
Consent must be collected before processing begins. For cookie-based tracking, this means before cookies are set or read, not after. The CJEU in Planet49 (C-673/17, 1 October 2019) confirmed that a pre-ticked checkbox is not valid consent, that the consent requirement of Art. 5(3) of the ePrivacy Directive (2002/58/EC) applies whether or not the stored information is personal data, and that the user must be told how long the cookies operate and whether third parties have access to them.
Collection mechanisms must present:
- The identity of the controller
- Each distinct purpose of processing
- The types of data processed for each purpose
- The right to withdraw consent at any time
- Whether data will be transferred to third parties
For practical examples of compliant consent forms, see our guide on GDPR consent examples.
Phase 2: Recording
Every consent event must be recorded with sufficient detail to satisfy Art. 7(1). A compliant consent record includes:
| Field | Requirement |
|---|---|
| Data subject identifier | User ID, hashed email, or session identifier |
| Timestamp | Date and time of consent to the second |
| Version | Which version of the consent text was displayed |
| Purposes | Which specific purposes were accepted and refused |
| Method | How consent was collected (banner, form, verbal) |
| Source | URL or app screen where consent was collected |
Consent records must be retained for the duration of the processing and for as long afterwards as a complaint, access request or supervisory investigation about that processing could still arise, because the controller carries the burden of proof for the whole period. Neither the GDPR nor the EDPB sets a fixed retention period for consent records; pick one that matches your limitation periods, document it, and do not delete the record when the processing stops.
Phase 3: Withdrawal
Art. 7(3) requires that withdrawal be as easy as giving consent. Implementing this means:
- A visible, accessible link to a consent preferences center on every page
- The ability to withdraw consent for individual purposes, not just all-or-nothing
- Immediate cessation of processing upon withdrawal, including signalling the withdrawal to third parties and ad-tech partners that received the data. Withdrawal does not make earlier processing unlawful (Art. 7(3)), but any processing after it has no legal basis.
- Confirmation to the data subject that withdrawal has been processed
Phase 4: Renewal
Consent is not permanent. The GDPR does not specify an expiration period, but supervisory authorities expect it to be refreshed. The CNIL's cookie recommendation (published 1 October 2020) treats keeping a user's choice, whether consent or refusal, for no longer than six months as good practice, and the ICO's guidance says consent should be refreshed “at appropriate intervals”. Independently of any interval, consent must be re-obtained whenever the purposes, the data, the recipients or the notice it was based on change, because the original consent was only “specific” and “informed” for the processing described at the time.
Choosing a Consent Management Platform
A consent management platform (CMP) automates the consent lifecycle. Not all CMPs are equal, and several popular platforms have been found non-compliant by supervisory authorities. For a detailed comparison, see our consent management platforms comparison.
Key evaluation criteria for a GDPR-compliant CMP:
Granular purpose control. The CMP must allow data subjects to consent to or refuse each purpose independently. A single bundled “accept all” with no granular alternative fails the “specific” requirement of Art. 4(11) and Recital 43, which presumes consent is not freely given if separate consent cannot be given to distinct processing operations. An “Accept all” shortcut is fine only alongside a per-purpose view.
Reject-all parity. The reject option must be as prominent and accessible as the accept option. The CNIL fined Google (EUR 150 million) and Facebook (EUR 60 million) in decisions of 31 December 2021, announced 6 January 2022, specifically because their cookie banners offered “Accept All” in one click but required several clicks to refuse.
Consent signal propagation. The CMP must propagate consent signals to all third-party scripts and tags. A CMP that records consent but does not prevent non-consented cookies from firing is functionally non-compliant.
TCF 2.2 and Google Consent Mode v2. For organizations using programmatic advertising, the CMP should support the IAB Transparency and Consent Framework 2.2 and Google Consent Mode v2. Since early 2024 Google requires publishers monetising EEA and UK traffic through its ad products to use a Google-certified, TCF-integrated CMP, and Consent Mode v2 signals are needed for ads personalization and measurement to keep working where consent has been given.
Record export and audit trail. The CMP must provide exportable consent records for audit purposes, with immutable timestamps and version tracking.
Legiscope integrates with major CMPs to automatically map consent records to your processing activities, ensuring your ROPA reflects actual consent coverage across all purposes. See how Legiscope automates consent-to-processing mapping.
Common Consent Management Failures
Failure 1: Dark patterns. Using visual design to steer users toward accepting (e.g., a prominent green “Accept” button beside small grey “Reject” text, or no reject option at all on the first layer). The EDPB Cookie Banner Taskforce report (adopted January 2023) lists deceptive button colours and contrast, missing first-layer reject options, and pre-ticked boxes among the practices the participating authorities treat as invalidating consent.
Failure 2: Cookie wall without alternative. Blocking access to a website unless the user consents to all cookies violates the freely given requirement unless a genuine, non-degraded alternative is available. The CNIL's cookie guidelines (published 1 October 2020) say the lawfulness of a cookie wall must be assessed case by case, and its May 2022 criteria require that the alternative to consenting be real and fair, for example a paid access at a reasonable price, rather than a degraded or fictitious one.
Failure 3: No consent record. Many organizations store the user's choice only in a cookie on the user's device. That cookie is fine for enforcing the choice on the next page load, but it is not proof: it disappears when the user clears cookies or switches browsers, so the controller is left unable to demonstrate consent under Art. 7(1). The proof record must be kept server-side, keyed by a user ID or a pseudonymous consent ID, in an append-only store with immutable timestamps.
Failure 4: Failure to cascade withdrawal. When a user withdraws consent, all downstream processors and third parties must stop processing. If your CMP sends a consent signal to 40 ad-tech vendors on acceptance but does not signal withdrawal, you have an Art. 7(3) violation.
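The consent signal propagation criterion above and Failure 4 are both about enforcement: a tag may only run if every purpose it needs is consented to, and a change of state must be translated into both load and revoke signals. The following is an added example written for this article, not code from any CMP, from the IAB TCF or from Google; it models the decision as pure functions so it can be unit tested outside a browser. The tag manifest, vendor names and purposes are constructed, and the mapping from purposes to Consent Mode v2 parameters is an assumption (the parameter names `ad_storage`, `analytics_storage`, `ad_user_data` and `ad_personalization` are Google's).

```javascript
// Added example: consent-gated tag loading and withdrawal cascade as pure functions.
// Not code from any CMP, the IAB TCF or Google; manifest and purposes are constructed.

// What each third-party script does and which purposes it needs. A tag with an empty
// purposes list is strictly necessary and never gated on consent.
const TAG_MANIFEST = [
  { id: 'analytics-js', vendor: 'Analytics Co', purposes: ['analytics'] },
  { id: 'ads-pixel', vendor: 'Ad Network A', purposes: ['ads_personalisation', 'ads_measurement'] },
  { id: 'retargeting', vendor: 'Ad Network B', purposes: ['ads_personalisation'] },
  { id: 'share-widget', vendor: 'Social Inc', purposes: ['social_media'] },
  { id: 'csrf-token', vendor: 'first-party', purposes: [] },
];

// A tag may run only if every purpose it needs has been consented to (all-or-nothing
// per tag: a script that does personalisation and measurement is blocked when either is refused).
function tagAllowed(tag, granted) {
  return tag.purposes.every(p => granted.has(p));
}

function allowedTags(granted, manifest = TAG_MANIFEST) {
  return manifest.filter(t => tagAllowed(t, granted)).map(t => t.id);
}

// Signals to emit when consent state moves from `before` to `after`.
// `load`: tags that may now fire; `block`: tags that must stop; `revoke`: vendors that
// must be told the consent they were given no longer stands. A CMP that only signals
// grants never produces `revoke`, which is the Failure 4 pattern.
function planTransition(before, after, manifest = TAG_MANIFEST) {
  const load = [], block = [], revoke = new Set();
  for (const tag of manifest) {
    const was = tagAllowed(tag, before), now = tagAllowed(tag, after);
    if (now && !was) load.push(tag.id);
    if (was && !now) { block.push(tag.id); revoke.add(tag.vendor); }
  }
  return { load, block, revoke: [...revoke].sort() };
}

// Purpose-level consent mapped onto Google Consent Mode v2 parameters
// (parameter names are Google's; this purpose-to-parameter mapping is an assumption).
// Default is 'denied' for anything not explicitly granted, so nothing fires pre-consent.
function consentModeUpdate(granted) {
  const g = p => (granted.has(p) ? 'granted' : 'denied');
  return {
    analytics_storage: g('analytics'),
    ad_storage: g('ads_measurement'),
    ad_user_data: g('ads_measurement'),
    ad_personalization: g('ads_personalisation'),
  };
}

// Constructed scenario: banner accept, then withdrawal of personalisation only.
function demo() {
  const none = new Set();
  const accepted = new Set(['analytics', 'ads_personalisation', 'ads_measurement']);
  const afterWithdrawal = new Set(['analytics', 'ads_measurement']);
  return {
    beforeConsent: allowedTags(none),
    onAccept: planTransition(none, accepted),
    onWithdraw: planTransition(accepted, afterWithdrawal),
    stillAllowed: allowedTags(afterWithdrawal),
    consentMode: consentModeUpdate(afterWithdrawal),
  };
}
```

In a real deployment `load` drives which `<script>` elements the CMP activates, `block` clears the vendor's cookies and storage keys, and `revoke` is sent to each vendor through whatever channel the contract provides (a TCF consent string update, a vendor API call, or a deletion request). The point of keeping the decision pure is that the two failure modes the page describes, firing a tag before consent and never signalling withdrawal, become unit-testable conditions rather than something discovered in an audit.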
FAQ
Is consent always required under GDPR?
No. Consent is one of six legal bases under Art. 6(1) GDPR. Processing based on contractual necessity (Art. 6(1)(b)), legal obligation (Art. 6(1)(c)), or legitimate interest (Art. 6(1)(f)) does not require consent. However, consent is the only valid basis for storing or reading non-essential cookies and similar identifiers under Art. 5(3) of the ePrivacy Directive, and it is often the most appropriate basis for marketing, profiling, and non-essential data collection.
How often must consent be renewed?
The GDPR does not specify a renewal period. For cookies, the CNIL's 2020 recommendation treats keeping the user's choice for no more than six months as good practice (its earlier benchmark was 13 months, a figure that now survives only as the maximum lifetime of exempt audience-measurement cookies). The ICO recommends refreshing consent “at appropriate intervals” without naming a figure. Whatever interval you choose, controllers must re-obtain consent whenever the purpose, scope, recipients or processing context change, because the earlier consent was only specific and informed for what was described at the time.
What is the difference between a CMP and a cookie banner?
A cookie banner is a user-facing interface element. A consent management platform is the system behind it – handling consent collection, storage, withdrawal, signal propagation to third-party scripts, and record generation. A cookie banner without a CMP backend is typically non-compliant because it cannot manage consent records or enforce consent decisions across all processing activities.
Can I rely on browser settings (like Do Not Track) as a consent mechanism?
Recital 32 GDPR allows consent to be given “by choosing technical settings for information society services”, but only if the general requirements of Art. 4(11) are met. The EDPB Guidelines 05/2020 treat a generic, default browser setting as failing the “specific” and “informed” tests, because it says nothing about which controller, which purposes and which data are concerned. Do Not Track was never widely adopted. The Global Privacy Control (GPC) signal is recognized under some US laws (notably the CCPA) but is not currently recognized as valid consent or consent withdrawal under GDPR. Controllers must implement their own consent mechanisms.