Best Real-Life Explicit Consent GDPR Examples

Apr 15, 2025

The General Data Protection Regulation (GDPR), implemented in May 2018, transformed how organizations handle personal data within the European Union and beyond. A cornerstone of GDPR is the requirement for explicit consent, ensuring individuals have clear control over their personal data. Explicit consent must be freely given, specific, informed, and unambiguous, often requiring an affirmative action like ticking a box or signing a form. This article explores real-life examples of best practices for obtaining explicit consent under GDPR, highlighting organizations and industries that excel in compliance. With approximately 2000 words, we’ll dive into practical implementations, legal nuances, and lessons learned.

Understanding Explicit Consent Under GDPR

GDPR Article 4(11) defines consent as “any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.” Explicit consent goes a step further, requiring a higher standard for sensitive data, such as health, biometric, or political opinions (Article 9). Unlike implied consent, explicit consent cannot rely on pre-ticked boxes, silence, or inactivity.

Key principles include:

  • Granularity: Consent must be specific to each purpose of data processing.
  • Transparency: Individuals must understand what they’re consenting to.
  • Ease of Withdrawal: Consent must be as easy to withdraw as it is to give.
  • Affirmative Action: Consent requires a deliberate act, like clicking “I agree.”

Below, we examine real-world examples across industries, showcasing how organizations implement these principles effectively.

1. Healthcare: NHS Digital’s Patient Consent Portal

The UK’s National Health Service (NHS) Digital provides an exemplary model for explicit consent in healthcare, a sector handling sensitive personal data. NHS Digital’s patient consent portal allows individuals to control how their health data is shared for research and planning purposes.

Implementation

  • Clear Interface: The portal uses plain language to explain data usage, such as “Your data may be used to improve cancer treatments.” Users must actively opt-in via a checkbox for each purpose (e.g., research, service planning).
  • Granular Choices: Patients can consent to specific uses, like sharing data with universities but not private companies.
  • Withdrawal Option: A prominent “Opt-Out” button allows users to revoke consent at any time, with changes reflected instantly.
  • Transparency: The portal links to detailed privacy notices and FAQs, ensuring informed consent.

Why It Works

NHS Digital aligns with GDPR’s requirement for explicit consent by avoiding pre-ticked boxes and ensuring patients actively choose each data-sharing option. The granular approach respects user autonomy, while the withdrawal mechanism complies with Article 7(3). This model is particularly effective for sensitive data under Article 9, where explicit consent is mandatory.

Lessons Learned

  • Use simple, jargon-free language to enhance understanding.
  • Offer granular consent options to empower users.
  • Make withdrawal accessible and immediate.

2. E-Commerce: Zalando’s Consent Management Platform

Zalando, a leading European online fashion retailer, has implemented a robust consent management platform (CMP) that exemplifies GDPR compliance in e-commerce. With millions of users, Zalando handles vast amounts of personal data, from purchase histories to browsing habits.

Implementation

  • Pop-Up Consent Banner: Upon visiting Zalando’s website, users encounter a clear pop-up explaining data processing purposes, such as personalized ads, analytics, and third-party sharing.
  • Granular Controls: The banner includes toggle switches for each purpose, allowing users to consent to some but not others (e.g., analytics but not marketing).
  • No Pre-Ticked Boxes: All toggles default to “off,” requiring users to actively enable them.
  • Cookie Transparency: Zalando lists all cookies, their purposes, and third-party recipients in an accessible table.
  • Easy Updates: Users can revisit their preferences via a “Privacy Settings” link in the footer.

Why It Works

Zalando’s CMP adheres to GDPR’s requirement for affirmative action and granularity. By defaulting to “off” and providing detailed information, it ensures consent is informed and unambiguous. The ability to update preferences easily complies with GDPR’s withdrawal principle. This approach has helped Zalando avoid fines, unlike some competitors flagged by data protection authorities.

Lessons Learned

  • Default settings should never assume consent.
  • Provide detailed, accessible information about data use.
  • Ensure users can revisit and modify consent preferences effortlessly.

3. Financial Services: ING Bank’s Mobile App Consent Flow

ING Bank, a global financial institution, demonstrates GDPR-compliant consent in its mobile banking app. Financial institutions process sensitive data like transaction histories and credit scores, making explicit consent critical.

Implementation

  • Onboarding Consent: During app setup, users encounter a step-by-step consent flow explaining data processing purposes, such as fraud prevention, personalized offers, and regulatory reporting.
  • Explicit Opt-In: Each purpose requires a separate checkbox, with no pre-ticked options. For example, users must actively agree to marketing communications.
  • Plain Language: ING uses concise explanations, like “We’ll use your transaction data to detect suspicious activity.”
  • Revocation Portal: The app includes a “Privacy Dashboard” where users can withdraw consent for non-essential purposes, like marketing.
  • Audit Trail: ING logs consent actions, ensuring compliance with GDPR’s accountability principle (Article 5(2)).

Why It Works

ING’s consent flow is user-friendly and transparent, meeting GDPR’s requirements for informed and specific consent. The audit trail ensures traceability, a key aspect of GDPR compliance. By separating essential (e.g., fraud prevention) from non-essential (e.g., marketing) purposes, ING respects user choice while fulfilling legal obligations.

Lessons Learned

  • Separate consent for essential and non-essential purposes.
  • Maintain records of consent for accountability.
  • Integrate consent management into user-friendly interfaces.

4. Non-Profit Sector: Amnesty International’s Donation Form

Amnesty International, a global non-profit, showcases GDPR compliance in its online donation forms, where explicit consent is required for processing donor data.

Implementation

  • Clear Consent Section: The donation form includes a dedicated section for consent, with checkboxes for purposes like sending newsletters, sharing impact reports, or contacting donors about campaigns.
  • No Bundling: Each purpose requires a separate opt-in, avoiding bundled consent (e.g., donating doesn’t automatically enroll users in marketing emails).
  • Transparency: A link to Amnesty’s privacy policy explains data processing, retention periods, and third-party processors.
  • Withdrawal Mechanism: Donors receive a confirmation email with an “Unsubscribe” link and can update preferences via a user portal.

Why It Works

Amnesty’s approach ensures consent is specific and granular, aligning with GDPR’s requirements. By avoiding bundled consent, it respects donor autonomy. The clear withdrawal mechanism complies with Article 7(3), and the privacy policy link ensures transparency.

Lessons Learned

  • Avoid bundling consent for unrelated purposes.
  • Provide clear withdrawal options in follow-up communications.
  • Link to detailed privacy policies for informed consent.

5. Technology: Microsoft’s GDPR-Compliant Cloud Services

Microsoft, a leader in cloud computing, has implemented GDPR-compliant consent mechanisms across its services, such as Azure and Microsoft 365, particularly for enterprise customers handling personal data.

Implementation

  • Consent Templates: Microsoft provides customizable consent templates for businesses using its cloud services, ensuring GDPR-compliant language and structure.
  • Admin Consent Flow: For enterprise deployments, Microsoft requires explicit admin consent for data processing activities, such as telemetry or third-party integrations.
  • User-Level Consent: End-users are prompted to consent to specific features, like personalized recommendations in Microsoft 365, with clear opt-in mechanisms.
  • Data Processing Agreements (DPAs): Microsoft offers pre-signed DPAs that outline GDPR-compliant data processing terms, including consent requirements.
  • Consent Logs: Microsoft’s compliance dashboard allows businesses to track user consents, ensuring accountability.

Why It Works

Microsoft’s multi-layered approach caters to both enterprise and individual users, ensuring explicit consent at every level. The templates and DPAs simplify compliance for businesses, while user-level prompts respect individual rights. The consent logs align with GDPR’s accountability principle.

Lessons Learned

  • Provide tools to simplify compliance for clients.
  • Implement consent at both administrative and user levels.
  • Maintain detailed records for audit purposes.

6. Media: The Guardian’s Subscription Model

The Guardian, a UK-based news outlet, has implemented a GDPR-compliant consent model for its subscription and membership programs, balancing user experience with legal requirements.

Implementation

  • Subscription Sign-Up: During sign-up, users encounter a consent form explaining data uses, such as delivering newsletters, tracking reading habits, or serving targeted ads.
  • Granular Options: Users can opt-in to specific purposes, like newsletters but not ads, via checkboxes.
  • No Paywall for Consent: The Guardian ensures refusing non-essential consent (e.g., ads) doesn’t block access to content, aligning with GDPR’s “freely given” principle.
  • Preference Center: A dedicated portal allows users to update or withdraw consent at any time.
  • Cookie Banner: The website’s cookie banner mirrors the subscription model, with granular toggles and no pre-ticked boxes.

Why It Works

The Guardian’s model avoids coercive consent by ensuring users can access content without agreeing to non-essential data processing. The granular options and preference center empower users, while the cookie banner reinforces GDPR compliance across the site.

Lessons Learned

  • Avoid linking consent to access (no “consent walls”).
  • Offer a centralized portal for managing preferences.
  • Ensure website and subscription consent models are consistent.

Challenges and Common Pitfalls

While these examples highlight best practices, organizations often face challenges in implementing GDPR-compliant consent:

  • Consent Fatigue: Overloading users with consent requests can lead to disengagement. Solution: Streamline requests and use clear, concise language.
  • Dark Patterns: Some organizations use deceptive designs, like pre-ticked boxes or confusing opt-out processes, risking fines. Solution: Prioritize transparency and user autonomy.
  • Global Compliance: Organizations operating outside the EU must ensure GDPR compliance for EU residents. Solution: Implement universal GDPR standards for simplicity.
  • Legacy Systems: Older systems may not support granular consent or withdrawal. Solution: Invest in modern consent management platforms.

Conclusion

The examples above—from NHS Digital’s patient portal to The Guardian’s subscription model—demonstrate that GDPR-compliant explicit consent is achievable across industries. Key takeaways include using clear language, offering granular choices, ensuring easy withdrawal, and maintaining transparency. By prioritizing user autonomy and accountability, organizations can build trust while avoiding GDPR penalties, which can reach €20 million or 4% of annual global turnover. As data privacy evolves, these best practices serve as a blueprint for compliance in an increasingly regulated world.