(Gary Weingarden, Privacy Officer & Director IT Security Compliance | Published July 2025)
Consent is ubiquitous in modern law and privacy thinking. Some would say its privacy’s elixir; others strongly disagree. Consent is morally (and legally) transformative, or moral magic. As Heidi Hurd explains, “consent turns a trespass into a dinner party; a battery into a handshake; a theft into a gift; an invasion of privacy into an intimate moment.” But consent often becomes consent theater, and when it does, the spell is broken. I’ll explain why, but first I want to define consent and some related concepts.
Definitions
Transparency: Transparency means doing things in an open way without secrets. It’s generally considered a pre-requisite to consent. As the GDPR puts it, the information should be “concise, easily accessible and easy to understand, and that clear and plain language and . . . where appropriate, visualization [should] be used.” Transparency is often mistaken for consent, especially in the “notice and opt-out” model described below.
Consent: There are lot of definitions of consent, but for now I’ll go with “a freely given agreement to the conduct at issue by a competent person,” which I’ve borrowed from 10 U.S. Code § 920. We’ll unpack this and talk about some legal requirements below.
Waiver: A waiver is “the act of intentionally relinquishing or abandoning a known right, claim, or privilege,” according to the Merriam-Webster dictionary. Some experts see consent and waiver as twins. According to them, a person consents by waiving their right to object. If I’m questioned by the police, I can waive my right to remain silent and by doing so I also consent to custodial interrogation.
Forfeiture: A forfeiture occurs when a person loses a right either as a result of a legal violation or a failure to assert their rights on time. The difference between waiver and forfeiture is that a person must know they have a right and intentionally give it up for it to count as a waiver; forfeiture requires no knowledge or intention—it’s a legal consequence.
Contract: A contract is a legally binding agreement. While colloquial explanations often refer to a “meeting of the minds,” courts don’t take this literally in many cases. Contracts can be formed even though one of the parties didn’t read the document, or didn’t understand the language it was written in.
Anatomy of Consent
Our reliance on consent is based on the concept of human autonomy. As a result, there are some conditions that it needs to meet.
Subjective vs. Objective: Experts have debated whether consent is essentially subjective (what you think) or objective (what you do) or both. The debates involve some interesting hypotheticals. Practically, both count: If I consent because I was tricked, the consent may be invalid; and if you claim I consented, you’ll have a hard time proving your case unless you can point to something I said or signed. The true problem with consent is that mental states are mostly inaccessible and collecting them is difficult to operationalize with a form or a banner on a website.
Competency: Consent must be voluntary and given by a person who is competent to give it. Minors, those who have been adjudicated incompetent, those acting under duress or fraud, and in some cases those who are intoxicated are not competent to grant consent. Moreover, the person giving consent must have (at least apparent) authority to give it.
Informed and knowing: Consent must be informed, which means that the person granting consent must understand what they are consenting to and be aware that they are giving consent. This requires transparency.
Specificity: Consent usually must be specific. For example, there’s an exception to the Fourth Amendment’s warrant requirement, but if they’re relying on consent, police can’t exceed the scope of the consent.
Revocability: In most cases, the person who gave consent can withdraw it. Things get interesting when more than one person is competent to give consent.
Freely given. Consent must be freely given. This means consent may not be possible where the party receiving consent is more powerful than the party granting it. Similarly, consent where the consenter has no reasonable option (take it or leave it) or where the consent is “bundled” with other consents, it’s probably not valid.
In other words, getting consent right is hard; screwing it up is easy.
Problems with Consent
Consent by forfeiture: A classic kind of consent theater is notice and opt-out. The party that wants consent provides “notice” and then assumes consent unless the person opts-out. This approach is similar to the logic expressed in this clip (Note: some NSFW language) from the show Trailer Park Boys. In the clip, Ricky explains a two-part scheme: His helper, Trevor, grabs items from people’s lawns and moves them to the curb; afterwards, Ricky claims the items are garbage and carts them away. This approach has been “much criticized” and there is evidence that many companies ignore the opt-out requests they get. It also looks more like a forfeiture than consent and misses the mark on several consent requirements (including the informed and knowing requirement and the requirement that it be freely given). In other words, it’s not real consent.
Consent by dark pattern: The term “dark pattern” is difficult to define precisely, but in general dark patterns are website and app features that trick, coerce, manipulate, or trap users into giving up their data or consenting to things that they otherwise wouldn’t. Dark patterns also fail several consent requirements.
Bundled consent: In many cases, modern consents list a panoply of data uses and actions and are offered on a take-it-or leave it basis. This is inconsistent with the requirements that consent be specific and freely given. For example, it's common for website and app owners to require users to agree, acknowledge, or consent to their entire privacy policy. Grindr was recently fined for this.
Consent by presence: Many apps and websites simply declare that users consent to their privacy policy (see "Bundled Consent" above for another problem with this approach). In the world of online contracts, this is sometimes called "browsewrap," and isn't a great way to form a contract. Remember, failure to read a contract isn't a defense, so constructive notice of the terms is sometimes enough. The requirements for consent are less flexible in this regard--remember, consent is supposed to be informed and knowing. Browsewrap consents are likely invalid.
Lopsided power and consent by demand: In many cases consent is sought by the party that has most or all of the power, or made a condition for access to goods or services. A common example is employmer-employee relations, where employees may have no realistic choice if they want to keep their jobs.
Failure to honor or permit revocation of consent. One of the requirements of consent is that it needs to be revocable. In many cases, revocation requests are ignored or made difficult to communicate in the first place.
Consent fatigue: In this informal experiment, Jena Kingsely demonstrates a well-documented phenomenon: People don’t read the things they sign. If they did, they’d need to take a month off from work, and our economy would crater. This phenomenon is called consent fatigue or consent desensitization. Additionally, consents and accompanying privacy policies are often long and complex. Even if people read them, they don’t understand them.
Confusing terminology: Many laws distinguish between types of consent. The GDPR has consent, which comes with a definition and a 723 word description, and multiple recitals to provide additional context and detail, and “explicit consent,” which is left undefined in the regulation, but gets about five pages in the Guidelines issued by the agency in charge of interpreting the GDPR. Similarly, the Telephone Consumer Protection Act, which limits those annoying robocalls and some other kinds of calls to mobile phones offers up “prior express consent,” which can oxymoronically be implied, and “prior express written consent.”
Lack of testing: Few who rely on consents test them for effectiveness. And in my experience, many commercial users actually hope consumers don’t understand them. I’ve been told more than once that “if they understand what we want to do, they won’t consent." In other cases, consents expand over time, on the pretense that adding length and complexity, and bundling additional consents, will have no impact on comprehension or freedom of choice. We already know that bundling consents often invalidates them, and we should know better than to assume that length and complexity have no impact.
Consent Alternatives
These challenges, have caused some scholars to reject consent, at least for privacy purposes completely, or mostly, replacing it with “contextual integrity,” suggesting that social norms for data use are derived from various contexts, or apply extensive legal guardrails to consent that we know is really fictional. Many legal regimes recognize that consent, in some cases is impractical or impossible despite legitimate reasons to allow use and disclosure anyways. For example, the GDPR recognizes that in some cases, the legitimate interest of the entity that wants to use the data may be sufficient to justify use without consent. And under the Health Insurance Portability and Accountability Act (HIPAA), an Institutional Review Board can grant researchers a waiver of consent where getting consent would be impractical. In fact, most privacy laws list multiple situations that permit use or disclosure of data without consent.
But the one alternative that's missing is, "because we want to," although legitimate interest sometimes comes close. As a result, inadequate and invalid consents persist. As do practices such as using data in ways that weren't contemplated when consent was given or failing to honor revocations and opt-outs. We still rely on consent and we still engage in consent theater.
Conclusion
Why? We can learn from an old joke told in the movie Annie Hall: “This guy goes to a psychiatrist and says, ‘Doc, my brother’s crazy! He thinks he’s a chicken!’ And the doctor says, ‘Well, why don’t you turn him in?’ And the guy says, ‘I would, but—I need the eggs.’ It’s the same with consent. It’s hard to get right, frequently flawed or fake, and yet we trick ourselves into believing it’s the real thing. Why not face facts? We need the data.