GDPR Consent Management Template
Implementation checklist for valid GDPR consent under Article 7: granular, informed, freely given, unambiguous, and as easy to withdraw as to give.
Quick Answer
GDPR consent must be freely given, specific, informed, and unambiguous — with granular purpose-by-purpose tick boxes, a timestamped audit trail, and a withdrawal mechanism as easy as the original consent.
Compliance Checklist (8 items)
Penalty if not compliant
Up to €20 million or 4% of global annual turnover; plus risk of enforcement action for all processing undertaken on the basis of invalid consent.
Frequently Asked Questions
Can I rely on consent for direct marketing emails?
Yes, but it is often safer to use legitimate interests for B2B marketing to existing contacts. For consumer marketing, GDPR and PECR require affirmative opt-in consent for electronic marketing to individuals.
How long is consent valid?
The GDPR does not specify a time limit. In practice, supervisory authorities suggest refreshing consent every 12-24 months, or whenever the processing purpose changes materially.
Does consent need to be written to be valid?
No, consent can be given verbally or via a digital action (e.g., clicking a button). However, the controller must be able to demonstrate that valid consent was given, so a written or logged record is strongly recommended.
Need this turned into a real document?
Our compliance sprint service delivers production-ready documents tailored to your organisation in 5–15 business days. A senior compliance specialist reviews every document before delivery.