Explicit consent is permission given through a clear, affirmative statement or action: ticking an unchecked box, or clicking "Accept". Implied consent is assumed from behavior or circumstances rather than stated directly. The GDPR requires an affirmative act for cookies, so scrolling or continuing to browse a site never counts.
This guide breaks down that legal test, why scroll consent specifically fails, and one distinction most guides get wrong. Explicit consent and unambiguous consent are not the same bar.
Explicit vs Implied Consent: What's the Difference?
The two consent types differ in how permission is given, not in how a website uses it. Explicit consent comes from a statement or a deliberate action; implied consent is assumed from what someone does or where they are.
| Attribute | Explicit consent | Implied consent |
|---|---|---|
| How permission is given | An affirmative statement or a clear affirmative action (ticking a box, clicking Accept) | Inferred from behavior, inaction, or circumstance |
| Clarity and verifiability | Demonstrable; the controller can point to the exact action taken | Not verifiable; there is no discrete act to record |
| Typical examples | Signed form, "I agree" reply, unchecked box the user ticks | Continuing to browse, scrolling past a notice, rolling up a sleeve for a flu shot |
| GDPR status for cookies | Valid, and required for non-essential cookies | Not valid for cookies under any circumstance |
The axis underneath this table is the quality of the permission, not whether cookies are on by default. That second question, the default state before someone acts, is a separate distinction covered later.
One nuance trips up most guides: under GDPR, "explicit consent" is a stricter bar than the "unambiguous" consent ordinary cookies need. Both still rule out implied and scroll consent. The section on unambiguous consent below draws that line precisely.
What Is Explicit Consent?
Explicit consent is an express agreement confirmed in words, or an unmistakable affirmative action, tied to a specific purpose the person understands and gave freely. The UK's ICO states that explicit consent "must be expressly confirmed in words," and that consent inferred from someone's actions cannot be explicit.
What Makes Consent "Explicit" Under GDPR
GDPR Article 4(11) sets four conditions every valid consent must meet, and explicit consent satisfies them through a direct statement rather than an inferred action.
- Freely given: the person had a genuine choice, with no penalty for refusing
- Specific: the consent request names the exact purpose, not a bundle of purposes
- Informed: the person understood what they were agreeing to before agreeing
- Unambiguous: the request stands apart from general terms and conditions
Article 7 adds two operational requirements. The controller must demonstrate the person actively agreed, so you keep a record of consent. Withdrawing consent must also be as easy as giving it.
Examples of Explicit Consent
Each of these gives a data controller a discrete, recorded action to point to.
- An unchecked box the visitor deliberately ticks
- The visitor clicks Accept on a consent banner
- Typing or replying "I consent" to a confirmation email
- A signed consent form
- A double opt-in email confirmation
What Is Implied Consent?
Implied consent is permission inferred from a person's actions, inaction, or the surrounding circumstances rather than an express statement. It is common in offline and non-privacy contexts, but it generally fails to meet GDPR's standard for cookies.
How Implied Consent Is Inferred
A controller relying on implied consent points to conduct, not to a recorded action. Cornell's Legal Information Institute defines it as "the agreement given by a person's action(s)," as opposed to express consent given in explicit words. Rolling up a sleeve for a routine injection implies consent to the injection. Continuing to use a website after seeing a notice does not carry the same legal weight. The GDPR specifically requires an affirmative act, and conduct alone is not one.
Examples of Implied Consent (and Where It Still Applies)
Implied consent survives in a narrow set of contexts outside data privacy law.
- Routine healthcare procedures, such as a patient extending an arm for a blood draw
- Emergency medical care, where the patient cannot communicate and treatment cannot wait
- Driving and DUI laws, where operating a vehicle on public roads implies consent to chemical testing if an officer suspects impairment
- A narrow offline example the UK's ICO cites: leaving a business card in a prize draw box implies consent to that specific draw
None of these examples make implied consent valid for website cookies. For cookies and tracking, the GDPR requires an affirmative act every time.
Why Scroll Consent (and Other Implied Consent) Fails GDPR
Scrolling, continued browsing, and "keep using the site" are all forms of implied consent, and GDPR requires a clear affirmative act for non-essential cookies. None of them qualify.
Scrolling fails the affirmative-action test for three concrete reasons.
- It is not an affirmative act. The visitor did not perform any action directed at the consent request itself.
- It cannot be distinguished from ordinary site use. Someone scrolling to read an article looks identical with or without a banner.
- It cannot be withdrawn as easily as it was given. Article 7(3) demands equally easy withdrawal, and no action reverses a scroll.
The 2020 EDPB Ruling: Scrolling Is Not Consent
Before May 2020, some sites and even some national interpretations treated continued scrolling as an acceptable sign of consent. The European Data Protection Board closed that door in its Guidelines 05/2020 on consent. The guidance is blunt. Scrolling or swiping through a webpage "will not under any circumstances constitute valid consent under the GDPR."
The ruling also covered cookie walls. Blocking access until a visitor accepts cookies undermines "freely given" consent, since access becomes conditional on agreeing. Blocking non-essential cookies until the visitor acts, rather than blocking access altogether, is the core mechanic of consent management.
Cookie Walls, Pre-Ticked Boxes, and "By Using This Site You Agree"
None of the following collect valid consent under GDPR, and each fails for a different reason.
- Pre-ticked boxes. GDPR Recital 32 states plainly that "silence, pre-ticked boxes or inactivity should not constitute consent."
- Cookie walls. Blocking access until the visitor accepts cookies makes consent conditional, which breaks the "freely given" requirement.
- "By using this site you agree" notices. This browsewrap approach has no affirmative act attached to it at all.
- Consent inferred from continued browsing. Identical to the scroll problem: conduct is not a statement or an action.
Explicit vs Implied vs "Unambiguous": The GDPR Distinction Most Guides Get Wrong
Under GDPR, "explicit consent" is a higher bar than the "unambiguous consent" that ordinary cookies need, and most vendor guides use the two terms interchangeably.
Explicit consent, in the strict Article 9 sense, is reserved for high-risk processing only. That means special category data, international transfers without adequate safeguards, and solely automated decisions with significant effects.
Ordinary consent, including nearly all cookie and tracking consent, only needs to be "unambiguous... by a clear affirmative action" under Article 4(11). Both standards rule out implied or scroll consent, and neither one is satisfied by inaction.
| Standard | Legal basis | What it governs |
|---|---|---|
| Explicit consent (Article 9 sense) | GDPR Article 9(2)(a) | Special category data, international transfers, automated decisions |
| Unambiguous consent | GDPR Article 4(11) | Ordinary processing, including most cookies and trackers |
A cookie banner almost never needs to clear the stricter Article 9 bar. It does need a clear affirmative action every time, which is exactly what implied and scroll consent cannot provide.
How Explicit Consent Differs From Opt-In, Informed, and Express Consent
Four terms get confused constantly, and each sits on a different axis of the consent question.
| Term | Meaning | Axis it governs | How it differs from explicit consent |
|---|---|---|---|
| Express consent | Direct agreement stated in clear words | Same as explicit consent | Synonym; the terms are interchangeable |
| Opt-in consent | Nothing happens until the person acts | Default state before action | A separate axis: opt-in is the default, explicit describes the quality of the action itself |
| Informed consent | The person understood what they agreed to | Comprehension | One of the four GDPR conditions explicit consent must also meet, not a replacement for it |
| Implicit consent | Assumed from behavior, not stated | How permission is inferred | The opposite end of the quality axis from explicit consent |
Explicit and implied describe how clearly permission was given. Opt-in and opt-out describe the default state before someone acts. GDPR requires both, so the two axes work together, not against each other.
For the full comparison of defaults and jurisdiction rules, see opt-in vs opt-out consent, the model-choice question this page deliberately leaves for that guide.
When Does the Law Require Explicit Consent?
GDPR reserves the strict "explicit consent" standard for three situations where the risk to the person is highest. Article 9(2)(a) sets the special-category rule; separate provisions cover transfers and automated decisions.
- Special category data: health, biometric, genetic, racial or ethnic origin, political opinion, religious belief, or sexual orientation data
- International data transfers: moving data to a country without an adequacy decision or other legal safeguard
- Automated decision-making: a solely automated decision that produces a legal or similarly significant effect on the person
Standard analytics and marketing cookies do not usually trigger this stricter bar. They still need unambiguous consent through a clear affirmative action, so implied or scroll consent is never an option either way.
How Consently Collects Explicit, Affirmative Consent
Consently collects consent the way GDPR requires it. An accept or reject banner blocks non-essential cookies until the visitor chooses, and every choice gets logged as proof.
Consently is built so no implied or scroll consent is ever relied on. Non-essential cookies, scripts, and iframes stay blocked until a visitor takes a clear affirmative action, whether that is Accept, Reject, or a granular preference choice.
The customizable cookie consent banner ships with a GDPR opt-in template and a CCPA opt-out template. Each visitor sees the model their region requires, and every choice still starts from an explicit accept or reject. Every decision writes to a consent log, the demonstrable record Article 7 requires.
Consently also signals each visitor's choice automatically through what Google Consent Mode is, plus IAB TCF support for programmatic advertising partners. Teams that need the setup steps can set up Google Consent Mode directly from the dashboard.
Consently's auto-scan finds every cookie on a site before launch, so nothing loads ahead of consent by accident.
Start collecting compliant consent free, with a 14-day trial and no credit card required.
FAQs
What is the difference between explicit and implied consent?
Explicit consent is actively and affirmatively given, through a statement or a clear action. Implied consent is assumed from someone's behavior or the circumstances, with no direct statement at all.
Is implied consent legal under GDPR?
Generally no, for non-essential cookies and most other processing. GDPR requires a clear affirmative act, so implied consent does not meet that standard. It survives only in narrow offline and non-privacy contexts.
Is scrolling considered consent?
No. The European Data Protection Board confirmed in its 2020 Guidelines 05/2020 that scrolling or swiping never constitutes valid consent under GDPR, regardless of the circumstances.
Is cookie consent "explicit" consent under GDPR?
Usually it only needs to be "unambiguous" through a clear affirmative action, not the stricter Article 9 "explicit" bar reserved for sensitive data. Either standard rules out implied or scroll consent.
What is an example of explicit consent?
Ticking an unchecked box, clicking "Accept" on a banner, replying "I consent" by email, or signing a written statement: each one counts as explicit consent.
Does implied consent still exist anywhere?
Yes, outside data privacy law: routine and emergency healthcare, and driving or DUI implied consent laws. For website cookies under GDPR, implied consent does not apply.
Is "by using this website you agree" valid consent?
No. That notice is browsewrap with no affirmative act behind it. GDPR requires a deliberate opt-in, so a passive notice never creates valid consent.
What are the four types of consent?
The consent terms people most often compare are explicit, implied, informed, and opt-in consent. Explicit and implied describe how permission is given; informed and opt-in describe comprehension and the default state before someone acts.

