What is the difference between the "unambiguous" consent and the "explicit" consent required in the GDPR to process personal data?
While it’s certainly true that the GDPR says “Silence, pre-ticked boxes or inactivity should not … constitute consent”, it’s worth noting that it also says consent can be given through “another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data”.
Consider for example the patient who walks into a doctor’s office and tells the doctor all about the medical ailment from which he or she is suffering, while the doctor enters notes into his computer system. Or the person who drops their car off at the mechanic and gives their phone number so the mechanic can call them once their car is ready. In neither case can it be said that the individual gave their explicit consent - at no point did they explicitly tick, sign or say anything indicating “I agree to the processing of my personal data by X for the purposes of Y and Z”. And yet, in both cases, it’s hard to deny that consent has been given through “an affirmative act” by means of a “statement or conduct which clearly indicates in this context the data subject’s acceptance”.
Put another way, their consent is unambiguous and implied, but not explicit.