Skip to content

Consent plays a role in almost all modern privacy statutes. In some privacy statutes, like the GDPR, it can function as one of many lawful purposes to process data. In other privacy statutes, like the VCDPA and the CPA, it is mandated for certain types of data processing (e.g., sensitive category data processing).  How consent is defined, however, differs between and among statutory and regulatory schemes. The following provides a side-by-side comparison of how some of the main data privacy statutes define the term:

Definition of Consent

Europe
GDPR

“ . . . any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”[4]

 

 

California
CCPA

De Facto Sensitive As Given Enhanced Litigation Rights[1]

The CCPA does not define the term “consent.”[5]
California
CPRA

Defined as Sensitive Personal Information[2]

“ . . . any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer . . . including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose.”[6]
Virginia
VCDPA[3]
“. . . a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.  Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.”[7]
Colorado
CPA
“. . . a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data.”[8]

In addition to the general definition, some modern data privacy statutes include certain requirements or conditions for consent to be considered effective. The following provides a side-by-side comparison of statutorily enumerated requirements for effective consent:[9]

Evidence of consent.  Controller must be able to demonstrate data subject has consented.

 

Right of withdrawal.  Data subject has a right to withdraw consent at any time.

Europe
GDPR
[11]
California
CCPA

(While the CCPA does not define consent the below apply to the “intentional use and direction” exception to sale)

[12]
California
CPRA
[13] 
Virginia
VCDPA[10]
Colorado
CPA

In addition, some modern privacy statutes include examples of activities that will not be considered sufficient to evidence consent (green ✔ signifies a prohibition):

Europe
GDPR
California
CCPA

 

California
CPRA

 

Virginia
VCDPA[14]
Colorado
CPA
Express prohibition on using consent to general terms (e.g., EULA) as evidence of consent in relation to privacy practices. [15]

[16]

 

[17]

 

Express prohibition on considering hovering over a piece of content as consent. ✘ / ✔[18] ✘ / ✔[19]

[20]

 

[21]

 

Express prohibition on closing a piece of content as consent. ✘ / ✔ ✘ / ✔[22]

[23]

 

[24]
General prohibition against the use of dark patterns to obtain consent. ✘ / ✔[25]

[26]

 

[27]
Caution against conditioning performance of a contract (or other benefit) on consent. [28]

[1]   Cal. Civ. Code 1798.150(a)(1) (West 2021) (incorporating by reference data fields referred to in Cal. Civ. Code 1798.81.5(d)(1)(A).

[2]   Cal. Civ. Code 1798.140(ae)(1), (2) (West 2021).

[3]   Va. Code 59.1-571 (2021).

[4]   GDPR, Art. 4(11).

[5]   While the term is not defined within the CCPA, it should be noted that the statute uses the word “consent” in some parts (e.g., as part of opting-in to a financial incentive program), and in other sections uses consent-like concepts but with different terminology (e.g., intentional use or direction to share personal information with a third party)

[6]   Cal. Civ. Code 1798.140(h) (West 2020).

[7]   Va. Code 59.1-571 (2021).

[8]   C.R.S. § 6-1-1303(5) (2021).

[9]   Note that even if a statute does not contain a specific requirement for consent to be effective, it is possible that a court or supervisory authority could take the position that the requirement is implied by the statute.

[10]  Va. Code 59.1-571 (2021).

[11]  GDPR, Art. 7(1) (stating “controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data).

[12]  GDPR, Art. 7(3) (stating “data subject shall have the right to withdraw his or her consent at any time”).

[13]  While the CPRA does not confer a right to withdraw consent after it has been granted, note that the CPRA does provide rights to object to certain processing activities.  Those objections, however, are independent of any consent-based processing that has occurred.

[14]   Va. Code 59.1-571 (2021).

[15]   GDPR, Art. 7(2) (stating that “request for consent shall be presented in a manner which is clearly distinguishable from the other matters”).  See also EDPB, Guidelines 05/2020 on consent under Regulation 2016/679 Version 1.0 (adopted 4 May 2020) at para. 13 finding that consent that is “bundled up as a non-negotiable part of terms and conditions is presume not to have been freely given.”

[16]   Cal. Civ. Code § 1798.140(h) (West 2021).

[17]   C.R.S. § 6-1-1303(5)(a) (2021).

[8]   While not expressly prohibited by the statute, hovering over or closing a piece of content is unlikely to be viewed as sufficient consent by several European supervisory authorities.

[19]   As noted above the CCPA does not define “consent.”  It does, however, incorporate consent concepts in the definition of “sale” by stating that if a “consumer uses or directs the business to intentionally disclose personal information” such activity does not constitute a sale.  In that context, the statute states that “hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.”  Cal. Civ. Code §1798.140(t)(2)(A) (West 2020).

[20]   Cal. Civ. Code § 1798.140(h) (West 2021).

[21]   C.R.S. § 6-1-1303(5)(b) (2021).

[22]   As noted above the CCPA does not define “consent.”  It does, however, incorporate consent concepts in the definition of “sale” by stating that if a “consumer uses or directs the business to intentionally disclose personal information” such activity does not constitute a sale.  In that context, the statute states that “hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.”  Cal. Civ. Code §1798.140(t)(2)(A) (West 2020).

[23]   Cal. Civ. Code § 1798.140(h) (West 2021).

[24]   C.R.S. § 6-1-1303(5)(b) (2021).

[25]   While not expressly prohibited by the statute, several supervisory authorities have issued guidance against dark patterns and / or nudging.

[26]   Cal. Civ. Code § 1798.140(h) (West 2021).

[27]   C.R.S. § 6-1-1303(5)(c) (2021).  Dark patterns is defined as a “user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.” C.R.S. § 6-1-1303(9) (2021).

[28]   GDPR, Art. 7(4).  While conditioning access to a product or service on consent is not prohibited under the GDPR, it is identified as a factor to be evaluated when determining whether consent is “freely given.”