The European Union’s General Data Protection Regulation (GDPR) has been described as a “gold standard” for protecting personal privacy in the Internet age. Among its core principles is a requirement for the consent of individuals to the collection and processing of their personal data. Consent must be freely given, specific, informed, and unambiguous. Based on the language of the GDPR and an extensive literature review, I argue here that the possibility of such consent is undermined by increasingly ubiquitous Internet of Things (IoT) devices which collect a vast array of personal data, and the use of automated data processing that can produce significant social and legal impacts on individuals and groups. I outline the requirements of consent under the GDPR, and describe the challenges to the GDPR’s privacy protection principles in a world of rapidly evolving IoT technologies.