The 5 GDPR requirements for valid consent wording (Article 4(11) + Recital 32): consent must be freely given (no detriment for refusing), specific (one purpose at a time), informed (controller identity, purposes, retention), unambiguous (clear affirmative action — no pre-ticked boxes), and withdrawable as easily as it is given. Wording that bundles multiple purposes, hides withdrawal mechanisms, or uses default-on toggles fails any DPA review.
The wording you put on a consent form determines whether the consent is valid under GDPR Article 4(11). Vague language (“we may use your data to improve our services”) fails. Multi-purpose toggles fail. Pre-ticked boxes fail. This guide provides copy-ready wording for the 8 most common consent scenarios, each tested against CNIL and EDPB enforcement priorities of 2024-2025.
For the broader consent framework, see our GDPR consent examples. For the opt-in vs opt-out distinction, see the GDPR opt-in/opt-out guide. For the lawful-basis alternative, see the legitimate interest guide.
Key takeaways
- Consent wording must name the controller, the purpose, and the recipients explicitly.
- Each purpose requires a separate granular checkbox — no bundling.
- The withdrawal mechanism must be described and must be as easy to use as giving consent.
- For special categories of data (health, religion, biometrics): explicit consent required with even more precise wording.
- The CNIL has issued multiple sanctions in 2024-2025 (totalling €30M+) for consent wording failures.
1. Cookie banner — analytics consent
Compliant wording
We use cookies for two purposes:
[ ] Strictly necessary cookies — required for the site to function.
(Always active, no consent needed.)
[ ] Analytics cookies (Google Analytics 4) — to measure site usage.
These cookies collect anonymized event data sent to Google in the EU.
Retained: 14 months. You can withdraw at any time via the
"Cookie preferences" link in our footer.
[ Refuse all ] [ Customize ] [ Accept selected ]
What makes this compliant
- Explicit purpose (“measure site usage”)
- Recipient named (“Google”)
- Retention period stated
- Withdrawal mechanism described
- Refusal as visually prominent as acceptance
- No pre-ticked boxes
What fails
- ❌ “We use cookies to improve your experience. [Accept]” — no purpose, no recipient, no granular choice
- ❌ Pre-ticked analytics box
- ❌ “Accept all” button with no equivalent “Refuse all”
- ❌ Refuse only available after 2-3 clicks
2. Newsletter sign-up
Compliant wording
Subscribe to our weekly newsletter
[ ] I consent to receive marketing emails from [Company SAS, 12 rue X,
75001 Paris] about [GDPR compliance products and content].
Frequency: 1 email per week. You can unsubscribe at any time
using the link in every email or by writing to privacy@company.com.
Your email is retained for 24 months after the last interaction.
[ Subscribe ]
What makes this compliant
- Controller fully identified
- Topic of marketing specified
- Frequency disclosed
- Two withdrawal channels
- Retention period stated
3. Marketing personalization based on behavior
Compliant wording
[ ] I consent to [Company] using my browsing history on company.com to
personalize the content and product recommendations I see during my
next visits. Recipients: [Company] only — no third-party transfer.
Retention: 12 months from last visit. Withdrawal: account settings →
Privacy → "Disable personalization", takes effect within 24h.
[ Confirm ] [ Skip ]
4. Employee monitoring (caution: consent rarely valid for employees)
The CNIL and EDPB have repeatedly stated that consent is generally not valid for employer-employee processing because of the power imbalance. Use legitimate interest or legal obligation instead. If consent is unavoidable (e.g., for non-essential perks):
Compliant wording
This consent is voluntary. Refusal will not affect your employment
relationship, salary, evaluation, or career progression in any way.
[ ] I consent to my participation in the [internal mentorship program],
which involves [Company] sharing my contact details and area of
expertise with other employees. Withdrawal at any time via the
HR portal, with no consequence.
[ Confirm ]
5. Special category data — health (Article 9)
For sensitive data (health, religion, sexual orientation, etc.), Article 9 requires explicit consent — typically a written or otherwise unambiguously documented confirmation.
Compliant wording
Your medical record contains data classified as "health data" under
Article 9 GDPR. To process this data for the purpose of [providing
remote consultation services], we need your explicit consent.
[ ] I expressly consent to [Clinic SAS] processing my health data —
specifically my consultation notes, prescriptions, and test results
— for the purpose of providing remote consultation services.
Recipients: [Clinic SAS] only. Retained for the legal medical
record period (20 years post-consultation under French law).
Withdrawal: at any time, via [process], without affecting the
quality of care for ongoing treatments.
[ I expressly consent ]
6. Children (under 16, or lower threshold per Member State)
Article 8 GDPR requires verification that consent was given by the holder of parental responsibility. For children under 16 (or under 13-15, depending on the Member State threshold):
Compliant wording
You appear to be under 16 years old. Before we can create your account,
we need verification that your parent or guardian has authorized this.
Please ask your parent/guardian to enter their email below. We will send
them a verification message describing what we collect and how we use it.
[ Parent/guardian email ] [ Send verification ]
7. Photo or video — likeness consent
Common scenarios: company photos, event recordings, marketing material.
Compliant wording
[ ] I consent to my photograph being captured during the [event name]
on [date] and used by [Company] for [marketing purposes on the
company website, LinkedIn, and brochures]. Retained for [3 years].
Withdrawal: email privacy@company.com to request removal of any
photo containing me. Note: photos in printed materials cannot be
recalled, but no new prints will be made.
[ I consent ]
8. Data sharing with named third parties
Compliant wording
[ ] I consent to [Company] sharing my email address with the following
partner companies for the purpose of receiving offers from them:
[Partner A — type of offers], [Partner B — type of offers].
Each partner becomes the data controller of your data once shared.
Withdrawal of consent stops future sharing but does not undo past
sharing — to remove your data from a partner's database, contact
them directly.
[ I consent ]
9. Common wording failures (CNIL 2024-2025 enforcement)
The CNIL fined multiple companies in 2024-2025 for consent wording failures. Patterns:
| Failure | Example | Fix |
|---|---|---|
| Bundled purposes | “I accept the terms and consent to marketing.” | Two separate checkboxes |
| Pre-ticked boxes | Analytics box checked by default | Default unchecked, user must tick |
| Vague purpose | “to improve our services” | Specific purpose: “to send weekly newsletter” |
| Missing recipient | No mention of which third parties | Name each recipient |
| Asymmetric refusal | Big “Accept” button, hidden “Refuse” | Equally visible refusal |
| No withdrawal info | “You can change your mind” | Specific channel + timing |
| Forced consent for service | “You must accept cookies to use the site” | Refusal must be possible without losing service |
10. Wording validation checklist
Before publishing a consent form, verify:
- ☐ Controller fully identified (legal name + address)
- ☐ Purpose stated specifically (not “to improve”)
- ☐ Recipients named (not “our partners”)
- ☐ Retention period stated
- ☐ Withdrawal channel stated and as easy as consent
- ☐ Each purpose has its own checkbox
- ☐ No pre-ticked boxes
- ☐ Refusal as visually prominent as acceptance
- ☐ For Article 9 data: explicit consent language
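The failure table in section 9 and the checklist above can be applied mechanically to a consent form before it is published. The following Python linter is an added example (it is not Legiscope's tooling and not part of the original guide): it models a form as a plain dictionary and reports each checklist item that fails. The field names (`controller`, `purposes`, `buttons`, `withdrawal`, `article_9`), the vague-wording patterns, and the two sample forms are constructed for this illustration, not a standard schema.

```python
"""Consent-form wording linter (added example, not Legiscope's own tooling).

Checks a consent form definition against the wording checklist in this guide:
controller identified, specific purpose, named recipients, retention stated,
withdrawal channel stated, no pre-ticked boxes, no bundled purposes, refusal as
easy as acceptance, and explicit-consent wording for Article 9 data.
The dictionary schema and sample forms below are constructed for illustration.
"""
import re

# Phrases the guide flags as too vague to describe a purpose or a recipient.
VAGUE_PURPOSE = (r"\bimprove (our|your) (services?|experience)\b",)
VAGUE_RECIPIENT = (r"\bour partners\b", r"\bthird parties\b")
# "I accept the terms and consent to marketing" style bundling in one checkbox.
BUNDLING = re.compile(r"\b(terms|conditions)\b.*\b(consent|marketing)\b", re.IGNORECASE)


def _vague(text, patterns):
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def lint_consent_form(form):
    """Return a list of (rule, detail) findings; an empty list means the form passes."""
    findings = []

    controller = form.get("controller", {})
    if not (controller.get("legal_name") and controller.get("address")):
        findings.append(("controller", "legal name and address must be stated"))

    if not form.get("withdrawal", {}).get("channel"):
        findings.append(("withdrawal", "a concrete withdrawal channel must be stated"))

    buttons = form.get("buttons", {})
    # Refusal must exist and be reachable in no more clicks than acceptance.
    if "accept" in buttons and "refuse" not in buttons:
        findings.append(("asymmetric_refusal", "no refuse button next to the accept button"))
    elif buttons.get("refuse", {}).get("clicks", 1) > buttons.get("accept", {}).get("clicks", 1):
        findings.append(("asymmetric_refusal", "refusing takes more clicks than accepting"))

    purposes = form.get("purposes", [])
    if not purposes:
        findings.append(("purpose", "no purpose declared"))
    for p in purposes:
        pid = p.get("id", "?")
        label = p.get("label", "")
        if p.get("default_checked"):
            findings.append((f"pre_ticked:{pid}", "checkbox must be unchecked by default"))
        if _vague(label, VAGUE_PURPOSE):
            findings.append((f"vague_purpose:{pid}", "purpose must be specific"))
        if BUNDLING.search(label):
            findings.append((f"bundled:{pid}", "terms acceptance and consent need separate checkboxes"))
        recipients = p.get("recipients", [])
        if not recipients or _vague(" ".join(recipients), VAGUE_RECIPIENT):
            findings.append((f"missing_recipient:{pid}", "each recipient must be named"))
        if not p.get("retention"):
            findings.append((f"retention:{pid}", "retention period must be stated"))
        if p.get("article_9") and "expressly consent" not in label.lower():
            findings.append((f"explicit_consent:{pid}", "Article 9 data needs explicit consent wording"))
    return findings


# Constructed form reproducing the "what fails" banner of section 1.
FAILING_BANNER = {
    "controller": {"legal_name": "Company SAS"},  # address missing
    "withdrawal": {},  # no channel described
    "buttons": {"accept": {"clicks": 1}, "refuse": {"clicks": 3}},
    "purposes": [
        {
            "id": "all",
            "label": "I accept the terms and consent to marketing to improve your experience",
            "default_checked": True,
            "recipients": ["our partners"],
        },
    ],
}

# Constructed form modelled on the compliant analytics banner of section 1.
COMPLIANT_BANNER = {
    "controller": {"legal_name": "Company SAS", "address": "12 rue X, 75001 Paris"},
    "withdrawal": {"channel": "Cookie preferences link in the footer"},
    "buttons": {"accept": {"clicks": 1}, "refuse": {"clicks": 1}},
    "purposes": [
        {
            "id": "analytics",
            "label": "Analytics cookies (Google Analytics 4) to measure site usage",
            "default_checked": False,
            "recipients": ["Google"],
            "retention": "14 months",
        },
    ],
}

if __name__ == "__main__":
    for name, form in (("failing", FAILING_BANNER), ("compliant", COMPLIANT_BANNER)):
        print(name, lint_consent_form(form))
```

Running the module prints eight findings for the failing banner (controller, withdrawal, asymmetric refusal, pre-ticked box, vague purpose, bundling, vague recipient, missing retention) and none for the compliant one. The regexes only catch the vague phrasings named in this guide; a reviewer still has to read the purpose text, since a linter cannot judge whether a stated purpose is specific enough for the processing actually performed.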
11. Tooling for consent wording
Legiscope audits consent wording on collection forms automatically: detects bundled purposes, missing recipients, pre-ticked boxes, asymmetric UI. For a SaaS with 5-15 collection points, the audit takes minutes vs. days of manual review.
For related implementation guides: GDPR consent examples, GDPR information notices, cookie consent compliance guide, GDPR legitimate interest.
Conclusion
Consent wording is the most-audited element of a privacy program. The CNIL alone issued 21 cookie/consent sanctions in 2025. The compliant patterns are well-established — the failures repeat the same mistakes (bundling, vague purpose, pre-ticked boxes, asymmetric refusal). Using the templates in this guide, calibrated to the CNIL and EDPB criteria, removes the most common failure modes.
FAQ
Does GDPR consent wording need to be in a specific format?
No specific format, but it must satisfy Article 4(11): freely given, specific, informed, unambiguous, withdrawable. The wording must include the controller’s identity, the purposes, the recipients, retention period, and how to withdraw. Use plain language, not legal jargon.
Are pre-ticked checkboxes ever valid for GDPR consent?
No. The CJEU confirmed in Planet49 (Case C-673/17) that pre-ticked boxes do not constitute valid consent. The user must take an active, affirmative action.
Can I bundle multiple purposes into one consent?
No. Each separate purpose requires its own granular consent. Bundling (e.g., “I accept the terms and consent to marketing”) is one of the most common failure modes the CNIL sanctions.
Is “implied consent” valid under GDPR?
No. GDPR requires unambiguous consent through a clear affirmative action. Continued use of a site, scrolling, or non-objection do not constitute consent. The cookie banner that says “by continuing, you accept” is invalid.
What’s the difference between consent and legitimate interest?
Consent (Article 6(1)(a)) requires explicit user permission and can be withdrawn at any time. Legitimate interest (Article 6(1)(f)) does not require consent but requires a documented balancing test showing the controller’s interest outweighs the data subject’s rights. Many marketing activities can use legitimate interest instead of consent — see our legitimate interest guide.