The General Data Protection Regulation (GDPR) is a privacy law that applies to the collection, use, and processing of personal data in the European Union (EU). Consent is one of several legal bases for processing personal data under the GDPR, but not the only one: personal data can also be processed based on different legal grounds, such as legitimate interest, contract, or legal obligation.
GDPR consent must be freely given, specific, informed, and unambiguous. To obtain valid consent, organizations must provide individuals with clear and concise information about the purposes for which their personal data will be used, and they must obtain a clear and affirmative indication of the individual's consent to processing their data. This can be done through a consent form or a similar mechanism, such as a tick-box or a button, but not through opt-out mechanisms. Unlike other privacy laws, the GDPR does not consider implicit consent to be valid.