What constitutes valid consent under GDPR?

GDPR consent must be a clear affirmative act-an unambiguous indication of agreement. This rules out pre-ticked checkboxes, silence, inactivity, or default settings. The subscriber must do something positive: check an unchecked box, click a specific opt-in button, type their email into a clearly-labeled subscription form. The act demonstrates intentional choice.

Consent must be specific and granular. A single consent covering all possible uses isn't valid; consent for marketing emails is separate from consent for data sharing with partners, which is separate from consent for profiling. Where you have multiple processing purposes, offer separate consent options for each rather than bundled \"agree to all.\"

Consent must be informed and freely given. \"Informed\" means clear explanation of who will email them, what content, at what frequency. \"Freely given\" means no coercion or conditionality-don't make service access contingent on marketing consent. Users must be able to receive core services while declining marketing. GDPR consent is permission that was knowingly, specifically, and voluntarily granted-each element matters, and weakness in any invalidates the whole.