Consent

Under GDPR, consent must be freely given, specific, informed, and unambiguous. It requires a clear affirmative action — silence, pre-ticked boxes, or inactivity do not constitute consent. Organizations must be able to demonstrate that consent was given and must make it as easy to withdraw consent as it was to give it. Consent must be granular: separate consent for each processing purpose. For children under 16 (or lower age set by member states, minimum 13), parental consent is required. Under CCPA, consent works differently: the default model is opt-out rather than opt-in. Businesses can collect and use personal information without affirmative consent but must provide the ability to opt-out of data sales and sharing.