
Consent Under GDPR

Consent is one of six lawful bases for processing personal data under GDPR. It must be freely given, specific, informed, and unambiguous. For web analytics, consent matters most for marketing tracking, personalization, and third-party cookies. Getting it right is foundational.

Requirements

Four Pillars

Article 4(11) GDPR defines consent by four traits: freely given, specific, informed and unambiguous. Article 7 and Recital 32 set the conditions each of them must meet. The lists below take the four in that order.

Freely given

Principles:

  • Real choice without coercion or penalty
  • No "coercion, pressure or deception"
  • Cannot be tied to contract performance (tying/bundling)
  • Equivalent alternatives exist

Factors:

  • Power imbalance between controller and subject
  • Conditional service provision
  • Availability of alternatives
  • Negative consequences of refusal

Specific

Requirements:

  • Specific, clearly stated purposes
  • Separate consent per purpose
  • No "general" consent
  • Granular management

In practice:

  • Separate switches for analytics and marketing
  • Cookie types and purposes described
  • Clear breakdown of how data is used

Informed

Required information:

  • Controller identity
  • Processing purposes
  • Data types
  • Right to withdraw at any time
  • Recipients
  • Retention periods

Format:

  • Plain, accessible language
  • No legal jargon
  • Visible and easy to find
  • Translated to user's language

Unambiguous

Valid mechanisms:

  • Clear affirmative action
  • No pre-checked boxes
  • Active consent, never default
  • Documented confirmation

Invalid:

  • Silence or inaction
  • Pre-checked boxes
  • "Continued use as consent"
  • Vague wording

Children's Consent

Article 8 GDPR sets special rules for information society services offered directly to a child:

  • Minimum age: 16 (national law may lower it, but not below 13)
  • Parental consent below the age limit
  • Reasonable effort to verify parental consent
  • Special protection from exploitation of children's credulity

In Web Analytics

Consent required for:

  • Third-party cookies for analytics
  • Profiling for marketing
  • Transferring analytics data to external partners
  • Detailed user profiles
  • Cross-site tracking and fingerprinting
  • Behavioral ad targeting

Not always required for:

  • Basic analytics for site improvement (legitimate interests path)
  • Strictly necessary cookies
  • Anonymized analytics
  • First-party analytics for performance

Caveat: storing or reading anything on the user's device (cookies, localStorage, fingerprinting scripts) is governed by Article 5(3) of the ePrivacy Directive as well as by GDPR, and that rule exempts only what is strictly necessary for a service the user asked for. Whether first-party analytics may run without consent therefore depends on the national implementation and the supervisory authority; CNIL, for example, exempts audience measurement only when it is first-party, limited to aggregate statistics and not combined with other processing or cross-site tracking. Treat "legitimate interests" for analytics cookies as a position to confirm per market, not as a default.

Summary by cookie type:

Type               | Consent required | Lawful basis                   | Examples
Strictly necessary | No               | Legitimate interests           | Session, security
Functional         | Usually no       | Legitimate interests           | Language, preferences
Analytics          | Depends          | Legitimate interests / consent | First-party analytics
Marketing          | Yes              | Consent                        | Remarketing, behavioral targeting
Third-party        | Yes              | Consent                        | Social, external analytics

Decision flow per category (Mermaid source):

graph TD
    A[Cookie Consent] --> B[Necessary]
    A --> C[Analytics]
    A --> D[Marketing]
    A --> E[Personalization]
    A --> F[Third-party]

    B --> G[Always active]
    C --> H{Consent obtained?}
    D --> I{Consent obtained?}
    E --> J{Consent obtained?}
    F --> K{Consent obtained?}

    H -->|Yes| L[Activate analytics]
    H -->|No| M[Block analytics]
    I -->|Yes| N[Activate marketing]
    I -->|No| O[Block marketing]
    J -->|Yes| P[Activate personalization]
    J -->|No| Q[Block personalization]
    K -->|Yes| R[Activate third-party scripts]
    K -->|No| S[Block third-party scripts]

Granular implementation:

  • Separate switches per category
  • Partial consent without breaking core functionality
  • Clear descriptions per category
  • Independent management per purpose

Sample Interface

Cookie and Data Management:

✓ Necessary cookies
  Ensure basic site functionality
  (cannot be disabled)

☐ Analytics cookies
  Help understand how visitors use the site
  Data is anonymized

☐ Marketing cookies
  Used to show relevant advertising
  May track activity on other sites

☐ Personalization
  Remember your preferences and settings
  Improve user experience

Equality of choice:

  • "Accept" and "Reject" buttons of equal size and prominence
  • No visual highlight of the consent button
  • Neutral colors, no manipulation
  • Clear structure

Avoid:

  • Large bright "Accept" vs small "Reject"
  • Hiding refusal in submenus
  • Scare tactics
  • Friction on the refusal path

Required elements:

  • Brief explanation of cookie use
  • Link to privacy policy
  • Information about withdrawal
  • Contact for data protection questions

Structure:

We use cookies for analytics and personalization

Necessary: ensure site functionality
Analytics: help improve the site (can be disabled)
Marketing: for relevant advertising (can be disabled)

[Accept All] [Reject] [Customize]

More details in privacy policy

Technical Implementation

Consent Management Platforms (CMP):

Collection and Storage:

  • Record time and method
  • Store detailed consent
  • Link consent to users
  • Audit trail of changes

Integration:

  • Auto activate/deactivate tracking
  • Tie into web analytics
  • Manage third-party scripts
  • Sync consent across systems

Documentation per consent:

  • Who (user identifier)
  • When (timestamp)
  • How (method)
  • For what (purposes)
  • Privacy policy version
  • IP and user agent for context (these are personal data themselves: keep them only as long as the record must be retained, and do not let the consent log turn into a tracking log)

Security:

  • Protect records from unauthorized access
  • Backups
  • Access control
  • Regular audit

Implementation example:

// Consent check before loading analytics. Scripts that need consent ship as
// type="text/plain" with data-consent/data-cookies attributes, so the browser
// never runs them until the manager clones them into live scripts, e.g.
// <script type="text/plain" data-consent="analytics" data-cookies="_ga,_gid" src="/analytics.js"></script>
const STORAGE_KEY = 'consent';
class ConsentManager {
    constructor() {
        this.consents = this.loadConsents();
    }
    loadConsents() {
        try {
            const stored = JSON.parse(localStorage.getItem(STORAGE_KEY));
            return stored && typeof stored === 'object' ? stored : {};
        } catch (e) {
            return {}; // missing or corrupt record counts as no consent
        }
    }

    saveConsents() {
        localStorage.setItem(STORAGE_KEY, JSON.stringify(this.consents));
    }

    hasConsent(purpose) {
        return this.consents[purpose] === true;
    }

    setConsent(purpose, granted) {
        this.consents[purpose] = granted === true; // anything but an explicit true is refusal
        this.saveConsents();
        this.updateTracking();
    }

    updateTracking() {
        for (const purpose of ['analytics', 'marketing']) {
            if (this.hasConsent(purpose)) this.activate(purpose); else this.deactivate(purpose);
        }
    }

    // Replace each gated script with an executable clone; changing the type
    // attribute of an already-parsed script does not make the browser run it.
    activate(purpose) {
        document.querySelectorAll(`script[type="text/plain"][data-consent="${purpose}"]`).forEach((gated) => {
            const live = document.createElement('script');
            if (gated.src) { live.src = gated.src; } else { live.textContent = gated.textContent; }
            live.dataset.consent = purpose;
            live.dataset.cookies = gated.dataset.cookies || '';
            gated.replaceWith(live);
        });
    }

    // Withdrawal: expire the cookies each script declared (a cookie set with a Domain attribute
    // needs the same Domain here). Running code cannot be unloaded, so reload after withdrawal.
    deactivate(purpose) {
        document.querySelectorAll(`script[data-consent="${purpose}"]`).forEach((script) => {
            (script.dataset.cookies || '').split(',').filter(Boolean).forEach((name) => {
                document.cookie = `${name.trim()}=; Max-Age=0; path=/`;
            });
        });
    }
}

Withdrawal

Right to Withdraw

Principles:

  • Withdrawal as easy as consent
  • Effect is immediate
  • Past processing remains lawful
  • Users must be told about the right

Required capabilities:

  • Easy access to settings
  • One-click withdrawal
  • Confirmation of receipt
  • Stop the matching processing

Withdrawal in Analytics

Actions:

  • Halt new collection
  • Disable cookies in scope
  • Stop transfers to third parties
  • Update user profile

Exceptions:

  • Data on other lawful bases
  • Anonymized data (no longer personal)
  • Data needed for contracts
  • Information required by law

Process for recipients who already hold the data:

  • Inform recipients
  • Request processing stop
  • Document the notification
  • Verify compliance

Privacy Control Center

Privacy Settings

Analytics cookies: ☑ Enabled
├ Last changed: March 15, 2024
├ [Withdraw consent]
└ More about analytics cookies

Marketing cookies: ☐ Disabled
├ Last changed: March 10, 2024
├ [Give consent]
└ More about marketing cookies

Personalization: ☑ Enabled
├ Last changed: March 1, 2024
├ [Withdraw consent]
└ More about personalization

[Save changes] [Withdraw all consent]

Special Cases

Multinational Organizations

Issues:

  • Differing consent rules per jurisdiction
  • Managing consent in global systems
  • Multiple data protection standards
  • Coordinating across legal systems

Solutions:

  • Apply strictest standards globally
  • Localize interfaces
  • Centralized management with local adaptation
  • Regular audits in every jurisdiction

Complex Analytics

Cross-device tracking

Specifics:

  • Consent must cover all devices
  • Inform users about cross-device linking
  • Allow withdrawal across all devices
  • Sync settings between devices

Machine learning and automated decisions

Requirements:

  • Consent for training data
  • Information about automated decisions
  • Right to object to profiling, and not to be subject to solely automated decisions with legal or similarly significant effects (Articles 21 and 22)
  • Explanation of decision logic

Real-time bidding (RTB)

Specifics:

  • Consent for transfer to many auction participants
  • Information about scale and speed
  • Programmatic consent management
  • Compliance with IAB Europe TCF

Monitoring and Audit

Key Metrics

Metric            | Description                | Target
Consent rate      | Percentage giving consent  | 40-70% (industry-dependent)
Granular adoption | Use of detailed settings   | 15-30%
Withdrawal rate   | Frequency of withdrawal    | < 5%
Re-consent rate   | After withdrawal           | 20-40%

Quality monitoring:

  • Analyze user paths in the consent flow
  • Test interface clarity
  • Measure decision time
  • Correlate design with consent rate

Audit Preparation

For regulators:

  • Full history of consents and changes
  • Evidence of user awareness
  • Process documentation
  • Technical measures supporting GDPR compliance

Self-audit:

  • Verify interface against GDPR
  • Analyze process effectiveness
  • Quality control of records
  • Assess technical implementation
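One concrete way to "assess the technical implementation" is to capture the cookies a page actually sets after the visitor clicks "Reject" and compare them with the declared cookie inventory and the recorded consent state. The check below is an added example written for this article, not Statable's code; the inventory, the consent state and the Set-Cookie lines are constructed for the example, and `auditCookies` / `parseSetCookie` are its own names. Anything set for a category the visitor refused, and anything not in the inventory at all (which the banner therefore could not have described), becomes a finding.

```javascript
// Added example (not Statable's code): self-audit of cookies set after "Reject all".

// Declared cookie inventory, name -> consent category. Constructed for the example.
const INVENTORY = {
  session_id: 'necessary',
  csrf_token: 'necessary',
  lang: 'functional',
  _ga: 'analytics',
  _gid: 'analytics',
  ad_uid: 'marketing',
};

// Categories that may be set without a consent record (strictly necessary,
// or a preference the user explicitly asked for).
const EXEMPT = new Set(['necessary', 'functional']);

// Parse one Set-Cookie header value into its name and the attributes used here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), domain: null, maxAge: null };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'domain') cookie.domain = v.trim().replace(/^\./, '');
    else if (key === 'max-age') cookie.maxAge = Number(v);
  }
  return cookie;
}

// Compare the cookies a response actually set with the recorded consent state,
// e.g. { analytics: false, marketing: false }. Returns one finding per violation;
// an empty array means the rejection path behaved.
function auditCookies(setCookieHeaders, consent) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header);
    if (c.maxAge === 0) continue; // an expiring cookie is a deletion, not a new set
    const category = INVENTORY[c.name];
    if (!category) {
      findings.push({ cookie: c.name, domain: c.domain, issue: 'undeclared' });
    } else if (!EXEMPT.has(category) && consent[category] !== true) {
      findings.push({ cookie: c.name, domain: c.domain, issue: `set-without-consent:${category}` });
    }
  }
  return findings;
}

// Constructed capture: Set-Cookie headers observed after "Reject all" was clicked.
const AFTER_REJECT_ALL = [
  'session_id=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Lax',
  'csrf_token=9f8e7d; Path=/; Secure; SameSite=Strict',
  'lang=en; Path=/; Max-Age=31536000',
  '_ga=GA1.1.12345.67890; Domain=.example.test; Path=/; Max-Age=63072000',
  'ad_uid=xyz; Domain=.ads.example.test; Path=/; Max-Age=7776000; SameSite=None; Secure',
  'xyz_uid=abc; Path=/; Max-Age=2592000',
];
const REJECTED = { analytics: false, marketing: false, personalization: false };

console.log(auditCookies(AFTER_REJECT_ALL, REJECTED));
// expected: _ga (analytics) and ad_uid (marketing) set without consent, xyz_uid undeclared
```

Run the same check with the consent state saved after "Accept all", after each granular combination, and again after a withdrawal in the control center; the findings list should be empty for every state except where a cookie really was granted. Cookies set by third-party scripts rather than by the server response can be captured from a browser automation session instead of response headers and fed to the same function.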

Consent under GDPR is both legal and technical. Done well, it builds trust and pays back in long-term business outcomes.

Statable develops analytics that respect every GDPR consent requirement. Built-in consent management, granular settings, automated withdrawal, and complete audit trails.

About AI participation in writing articles

This article, like many others on our site, was created, written and proofread by a team of developers. Of course, not without the participation of AI assistants. We don't hide this and believe that modern systems are already quite good at handling simple tasks and, relatively speaking, writing an article about Viewport yourself is quite strange. It won't come out significantly better and will take a lot of time. But providing basic understanding to beginner webmasters is necessary. Of course, after the article is written by assistants - there's always proofreading, and this is where not one or two people participate, and only after that the article is published.

Ready to implement GDPR-compliant consent management?

Register for free testing of our web analytics platform. Get built-in consent management system, granular privacy settings and full compliance with GDPR requirements for obtaining and managing user consents.


Ready to take control of your web analytics? Try Statable free for 30 days — no credit card required, full feature access, GDPR-compliant by default. Start your free trial or view a live demo.