Examples of GDPR Article 7: Conditions for Consent

The General Data Protection Regulation (GDPR) stands as one of the most significant data protection frameworks in the world. At the heart of its provisions lies the concept of consent, which serves as one of the main legal bases for processing personal data under Article 6. Article 7 of the GDPR — Conditions for Consent — defines how consent must be obtained, managed, and proven by organizations.

This article explores the key aspects of Article 7 and provides practical, real-world examples to illustrate what compliant and non-compliant consent practices look like in everyday business scenarios.


Understanding Article 7 of GDPR

Article 7 outlines four essential conditions for valid consent:

  1. Demonstrating consent: The data controller must be able to prove that the data subject has given consent.
  2. Freely given consent: Consent must be given freely, without coercion, pressure, or consequences for refusal.
  3. Withdrawal of consent: It must be as easy to withdraw consent as it is to give it.
  4. Granularity and clarity: Consent must be specific, informed, and unambiguous — tied to a clear purpose.

In simple terms, companies cannot rely on vague, bundled, or pre-checked consent forms. They must give individuals a genuine choice.


1. Demonstrating Consent

One of the main challenges organizations face under Article 7 is proving that valid consent was obtained. It is not enough to claim that a user “probably agreed”; the company must keep records showing when, how, and for what purpose consent was given.

Example 1: Email Marketing Sign-Up

A retail company, StyleStreet, allows users to subscribe to its newsletter by ticking a checkbox during checkout. The company’s system logs the following data for each consent action:

  • Timestamp of consent
  • Version of the privacy policy presented
  • User’s IP address
  • Type of form used (website, mobile app, or in-store kiosk)

This record can later be used to prove that consent was indeed given voluntarily and specifically for marketing purposes.

Why this complies:
StyleStreet follows Article 7(1), which requires controllers to demonstrate that the data subject has consented. The recordkeeping proves both timing and scope of consent.

Non-compliant example:
Another company, ShopRight, automatically adds customers to its mailing list after they make a purchase, without explicit consent. Even if customers can later unsubscribe, there was never proof of an initial opt-in. This violates Article 7 because consent cannot be presumed from inaction or silence.


2. Freely Given Consent

Article 7(4) stresses that consent is not freely given if the data subject has no real choice or suffers a disadvantage for refusing. Consent must not be a condition for accessing a service unless the data processing is strictly necessary for that service.

Example 2: Access to Online Services

A video streaming platform, CineView, asks users to create an account to watch movies. During sign-up, it offers an optional checkbox:

“I agree to receive promotional offers and updates via email.”

If the user refuses, they can still create the account and watch movies. The marketing consent is separated from the service itself.

Why this complies:
CineView ensures consent is freely given. Users can enjoy the core service regardless of their marketing preferences. This follows Article 7(4), avoiding coercive or conditional consent.

Non-compliant example:
Another platform, FilmHouse, requires users to check the same marketing box before proceeding with registration. Without ticking it, they cannot use the service.
This setup invalidates consent because it ties the essential service to unrelated marketing consent — an example of “bundled consent,” which the GDPR prohibits.


3. Withdrawal of Consent Must Be Easy

Article 7(3) requires that individuals must be able to withdraw their consent “at any time” and that it must be “as easy to withdraw as to give consent.” This principle ensures users are not trapped into continuing to share data against their will.

Example 3: Email Unsubscribe Option

A travel agency, FlyNow, sends weekly newsletters to subscribers. Each email includes a clear, one-click “Unsubscribe” button at the bottom. When a user clicks it, the system automatically removes their address from the mailing list and sends a confirmation email.

Why this complies:
FlyNow’s process is transparent, quick, and user-friendly. It honors Article 7(3), ensuring that withdrawal is simple and effective.

Non-compliant example:
Another travel company, GlobeFlyer, requires users to log in, navigate through multiple settings, and fill out a form before unsubscribing. This makes the process burdensome, violating Article 7’s requirement for equal ease of withdrawal.

Best practice tip:
When designing systems, businesses should mirror the same simplicity in both giving and withdrawing consent. If consent is given with a single click, withdrawal should also take just one click.


4. Specific, Informed, and Unambiguous Consent

Article 7 is closely tied to Article 4(11) of the GDPR, which defines consent as a “freely given, specific, informed and unambiguous indication” of a data subject’s wishes. This means consent must be purpose-specific and clearly explained.

Example 4: Multiple Purposes Consent

An online retailer, EcoHome, asks users to consent separately to different data processing purposes:

  • Checkbox 1: “I agree to receive marketing emails.”
  • Checkbox 2: “I agree to personalized recommendations based on my purchase history.”
  • Checkbox 3: “I agree to data sharing with partner companies.”

Each purpose is clearly explained, and users can choose any combination.

Why this complies:
EcoHome applies granular consent — separating marketing, profiling, and data-sharing activities. This ensures users are fully informed and can choose which purposes they agree to.

Non-compliant example:
A similar retailer, HomeDeals, presents a single checkbox saying:

“I agree to the use of my data for company purposes.”

This statement is vague and doesn’t specify what “company purposes” means. Users cannot give informed consent, which violates the requirement for clarity and specificity.


5. Consent in Employment Relationships

The GDPR recognizes that the balance of power between employers and employees can make true consent difficult. Employers often process data for payroll, performance evaluation, or attendance tracking — purposes where consent is not freely given because employees fear repercussions if they refuse.

Example 5: Optional Employee Consent

A company, TechCore, asks its staff to consent to being featured on the company’s website with profile photos. The HR department explicitly informs employees that participation is optional and declining will have no negative impact.

Why this complies:
Consent is voluntary and unrelated to job performance. Employees have a genuine choice, satisfying the “freely given” condition of Article 7.

Non-compliant example:
Another company, BrightOffice, automatically publishes staff photos and bios online without asking. When employees complain, management claims consent is “implied by employment.” This violates Article 7 since the employer cannot prove consent and it was not freely given.


6. Consent for Minors

Article 7 interacts with Article 8 of the GDPR, which adds specific conditions for children’s consent in information society services. Parental authorization is required if the child is under the age set by national law (between 13 and 16 in most EU countries).

Example 6: Parental Consent in Online Education

An e-learning platform, LearnZone, allows students to sign up for online courses. When a user indicates they are under 16, the system prompts for a parent or guardian’s email to confirm consent before processing the registration.

Why this complies:
LearnZone verifies parental consent and keeps a record of it, complying with Article 7’s requirement to demonstrate consent and Article 8’s rule on minors.

Non-compliant example:
Another platform, EduPlay, only includes a checkbox saying “I am over 13.” No verification occurs, making the consent invalid if the user is a child. The company fails to demonstrate lawful consent as required by Article 7(1).


7. The Burden of Proof Lies on the Controller

A critical takeaway from Article 7(1) is that the burden of proof always lies on the data controller. It’s the company’s responsibility to show that consent was properly obtained, not the user’s responsibility to prove they didn’t give it.

Example 7: CRM Consent Records

A B2B software company, CloudSphere, uses a CRM system to store all user interactions, including consent forms. Each consent event is timestamped and linked to the corresponding version of the privacy notice.

If a user later complains, CloudSphere can retrieve the record showing when and how consent was given, demonstrating compliance with Article 7.

Non-compliant example:
A similar company, DataWorks, collects consent via web forms but doesn’t store any logs. Months later, when a regulator asks for proof, the company can’t demonstrate that valid consent was obtained. The absence of documentation constitutes a violation.


8. Example of Consent Withdrawal in Practice

A fitness app, FitTrack, allows users to share location data for tracking runs. The consent is optional and can be turned off anytime via the app settings. When a user disables it, all historical location data is deleted within 24 hours.

Why this complies:
FitTrack demonstrates both transparency and technical readiness to honor consent withdrawal. This practical application fulfills Article 7(3) by ensuring the user’s choice is respected promptly and efficiently.

Non-compliant example:
A competitor, RunMaster, allows users to revoke consent, but the company continues to store and use location data “for analysis.” This is a clear violation since withdrawal should stop all processing for that purpose.


9. Transparency and Layered Consent Notices

Modern websites often use “layered” consent interfaces — short summaries with links to detailed explanations. This approach helps achieve informed consent without overwhelming users with long legal text.

Example 9: Cookie Consent Banner

A news website, DailyReport, displays a simple banner:

“We use cookies to improve your reading experience. You can choose which cookies to accept.”

It provides buttons like “Accept All,” “Reject All,” and “Customize,” with a link to detailed information about each cookie type.

Why this complies:
The design is clear, actionable, and gives users real control. It satisfies Article 7’s standard for unambiguous consent.

Non-compliant example:
Another site, InfoWorld, shows a banner saying, “By using this site, you accept cookies,” without options to refuse. The site treats continued browsing as implied consent, an outdated practice that breaches GDPR requirements.


10. Real-World Lessons from Regulators

European Data Protection Authorities (DPAs) have taken enforcement action over Article 7 violations in multiple cases. The common lesson is simple: transparency and user control are non-negotiable.

  • The CNIL (France) fined several companies for pre-ticked checkboxes and unclear cookie banners.
  • The ICO (UK) warned organizations that hiding withdrawal options violates the “easy to withdraw” rule.
  • The EDPB (EU) confirmed that consent cannot be bundled with unrelated terms and conditions.

These rulings reinforce that compliance requires both proper technical measures and ethical handling of user choice.


Conclusion

Article 7 of the GDPR — Conditions for Consent — is not merely a legal formality; it embodies respect for personal autonomy. To comply, organizations must ensure consent is freely given, informed, specific, and demonstrable, and that withdrawal is just as simple as giving consent.

Through examples like newsletter sign-ups, cookie banners, and employee data collection, we can see that true compliance depends on transparency and fairness.