Implied consent sits at the center of one of the most common compliance mistakes online: assuming that silence, inaction, or continued use counts as a "yes." Under today's privacy regulations, it usually doesn't.
What is implied consent?
Implied consent is consent that is not directly expressed but is reasonably assumed from a person's actions. Classic examples include a visitor scrolling past a cookie banner, continuing to use a site after a notice appears, or providing data to complete a transaction. The permission is inferred — the user never actively agreed.
This contrasts with explicit consent, where the user takes a clear, affirmative action such as ticking an unticked box or clicking "Accept."
Is implied consent legal under GDPR and CCPA?
Under the EU GDPR, implied consent is not valid for non-essential cookies or personal data processing. GDPR Article 4(11) requires consent to be a "freely given, specific, informed and unambiguous indication" shown through "a clear affirmative action." Pre-ticked boxes, scrolling, and continued browsing fail this standard (confirmed by the Planet49 ruling, CJEU, 2019).
Under California's CCPA/CPRA, the model is different: businesses can process data until a consumer opts out, so a form of implied permission operates for many activities, but selling or sharing data, and processing sensitive data, trigger stricter opt-out and opt-in rules.
| Framework |
Does it accept implied consent? |
| GDPR (EU/UK) |
No — explicit opt-in required for non-essential processing |
| ePrivacy Directive |
No — affirmative action required before non-essential cookies |
| CCPA / CPRA (California) |
Partially — opt-out model, but opt-in for sensitive data and minors |
| PIPEDA (Canada) |
Limited — implied consent allowed only for non-sensitive data and reasonable expectations |
Implied consent and cookie banners
The shift away from implied consent is why "by continuing to browse, you accept cookies" banners are now non-compliant in the EU. A compliant banner must block non-essential cookies until the user makes an affirmative choice.
A consent management platform (CMP), like Enzuzo, handles this automatically. Enzuzo blocks non-essential tags until a user actively consents and records that choice as auditable proof; so you rely on valid, explicit consent instead of legally risky implied consent.
Frequently asked questions
Is continuing to browse a website implied consent?
It can be treated as implied consent in some jurisdictions, but not in the EU or UK. Under GDPR and the ePrivacy Directive, continued browsing is not a valid signal of consent for non-essential cookies — an affirmative opt-in is required.
What is the difference between implied and explicit consent?
Implied consent is inferred from behavior; explicit consent is given through a clear, affirmative action like clicking "Accept." GDPR requires explicit consent for non-essential data processing.
Is implied consent ever acceptable? Yes; for strictly necessary activities and, under laws like Canada's PIPEDA, for non-sensitive data where use matches a person's reasonable expectations.
Move from implied to provable consent
Relying on implied consent exposes you to fines and invalidates your tracking data. See how Enzuzo's cookie consent solution captures valid, auditable consent
