Consent is one of six lawful bases for processing personal data under the GDPR, and the most heavily regulated. Valid consent must be freely given (no coercion, no consequence for refusal), specific (tied to a particular purpose, not a blanket "we may use your data"), informed (the user understands what they are agreeing to), and unambiguous (a positive act, not silence or pre-ticked boxes).
Consent must also be as easy to withdraw as to give. A site that requires three banners to opt in but a customer-support ticket to opt out fails this test. The withdrawal of consent does not invalidate prior processing, but it does halt future processing under that basis.
For most operational decisions — fulfilling a contract, complying with law, legitimate business interests — consent is the wrong lawful basis. It is appropriate for marketing, cookies and trackers, processing of special category data, and other genuinely optional uses. Treating consent as the default basis for everything leads to a brittle compliance posture: the moment a user withdraws, the processing has to stop. A consent management platform (CMP) is the system that captures, stores, and signals these decisions across an organization's downstream tools.