Consent as Legal Basis (Article 7)
Consent as a legal basis under the GDPR is governed primarily by Article 7, which sets out the conditions for valid consent. Under EU data protection law, consent is one of the six lawful bases for processing personal data listed in Article 6(1); it is the basis in Article 6(1)(a). Article 7 establishes specific requirements that must be met for consent to be considered valid and enforceable.

First, the controller must be able to demonstrate that the data subject has consented to the processing of their personal data. This places the burden of proof squarely on the controller, meaning organizations must maintain clear records of when and how consent was obtained.

Second, if consent is given in the context of a written declaration that also concerns other matters, the request for consent must be presented in a manner that is clearly distinguishable, intelligible, and in clear and plain language. Any part of the declaration that constitutes an infringement of the GDPR is not binding.

Third, the data subject has the right to withdraw consent at any time, and withdrawal must be as easy as giving consent. Prior to giving consent, the data subject must be informed of this right. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Fourth, when assessing whether consent is freely given, utmost account shall be taken of whether the performance of a contract is conditional on consent to processing that is not necessary for the performance of that contract. This prevents organizations from bundling consent inappropriately with service agreements.
Additionally, Recital 32 clarifies that consent must be given by a clear affirmative act — such as a written statement or ticking a box — establishing a freely given, specific, informed, and unambiguous indication of agreement. Silence, pre-ticked boxes, or inactivity do not constitute valid consent. These conditions ensure that individuals maintain genuine control over their personal data, reinforcing the GDPR's emphasis on transparency, accountability, and individual rights in data processing activities.
Consent as Legal Basis (Article 7) – Complete CIPP/E Exam Guide
Introduction: Why Consent as Legal Basis (Article 7) Matters
Consent is one of the six lawful bases for processing personal data under the General Data Protection Regulation (GDPR). Article 7 of the GDPR specifically sets out the conditions for valid consent, making it a cornerstone provision that data protection professionals must thoroughly understand. For anyone preparing for the CIPP/E (Certified Information Privacy Professional/Europe) exam, Article 7 is a high-priority topic because it intersects with numerous other GDPR provisions, including the rights of data subjects, special categories of data, direct marketing, and international data transfers.
Understanding Article 7 is critical because:
- Consent is frequently relied upon by organizations, yet it is one of the most challenging legal bases to implement correctly.
- Regulatory enforcement actions often focus on the validity of consent (e.g., CNIL's fine against Google, Italian DPA actions, and various EDPB guidance).
- Consent interacts with other legal frameworks such as the ePrivacy Directive (cookie consent), direct marketing rules, and sector-specific regulations.
- Exam questions on consent are common and often test nuanced understanding of conditions, withdrawal, burden of proof, and special situations.
What is Consent Under the GDPR?
Article 4(11) of the GDPR defines consent as:
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
This definition establishes four cumulative requirements that must all be met for consent to be valid:
1. Freely given – The data subject must have a genuine and free choice. Consent is not freely given if there is a clear imbalance of power between the controller and the data subject (e.g., employer-employee relationships, public authority-citizen relationships). It must also not be bundled as a non-negotiable condition of a service if the processing is not necessary for the performance of that service.
2. Specific – Consent must be given for one or more specific purposes. Blanket consent covering a wide range of unrelated processing activities is not valid. Each purpose must be clearly identified and separately consented to where appropriate.
3. Informed – The data subject must have sufficient information to make a meaningful decision. At minimum, this includes the identity of the controller, the purpose of each processing operation, the type of data collected, the right to withdraw consent, and, where applicable, information about automated decision-making and international transfers.
4. Unambiguous indication – Consent must be expressed through a clear affirmative action. Silence, pre-ticked boxes, or inactivity do not constitute valid consent (as confirmed by the CJEU in Planet49).
Article 7: Conditions for Consent – A Detailed Breakdown
Article 7 complements the definition in Article 4(11) by setting out operational requirements that controllers must follow when relying on consent:
Article 7(1) – Burden of Proof (Demonstrability)
"Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data."
Key points:
- The burden of proof rests squarely on the data controller.
- Controllers must maintain records of when and how consent was obtained, what information was provided to the data subject at the time, and which mechanism was used.
- This requirement means controllers should implement robust consent management systems that log timestamps, versions of consent forms, IP addresses (where applicable), and the specific wording presented to the data subject.
- If a controller cannot demonstrate that valid consent was obtained, the processing is unlawful, regardless of whether the data subject actually did consent.
Article 7(2) – Distinguishable Consent Requests
"If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language."
Key points:
- When consent is embedded within a broader document (such as terms and conditions or a contract), the consent clause must be clearly separated and distinguishable.
- The language used must be plain and understandable to the average person – legalese or overly technical language undermines the validity of consent.
- Any part of such a declaration that infringes the GDPR shall not be binding.
- This provision effectively prohibits burying consent requests deep within lengthy legal documents.
Article 7(3) – Right to Withdraw Consent
"The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent."
Key points:
- Withdrawal must be possible at any time without detriment to the data subject.
- Withdrawal is not retroactive – processing that occurred before withdrawal remains lawful.
- Data subjects must be told before giving consent that they can later withdraw it.
- The mechanism for withdrawal must be as easy as the mechanism for giving consent. If consent is obtained via a single click online, withdrawal should be achievable through a similarly simple process – not by requiring the data subject to write a formal letter or call a telephone number.
- After withdrawal, the controller must cease processing based on that consent (though they may be able to continue on another lawful basis if applicable).
Article 7(4) – Conditionality (Anti-Bundling)
"When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."
Key points:
- This is the anti-bundling provision (also known as the conditionality test or coupling prohibition).
- A controller cannot make a service contingent upon consent to data processing that is not necessary for the delivery of that service.
- Example: A weather app that requires consent to share data with third-party advertisers as a condition of using the app would likely fail this test, since advertising data sharing is not necessary for providing weather information.
- This does not mean consent can never be bundled with a contract – it means that when it is, there is a strong presumption that consent was not freely given, and the controller bears the burden of proving otherwise.
Consent for Special Categories of Data (Article 9)
While Article 7 sets out general conditions for consent, Article 9(2)(a) requires explicit consent for the processing of special categories of personal data (e.g., health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, trade union membership, and genetic data).
Explicit consent requires an express and unequivocal statement of agreement, a higher threshold than the "unambiguous indication" required by the general definition in Article 4(11). Examples include a signed written statement, filling in an electronic form, sending an email confirming consent, or using a two-stage verification process.
Consent for Children (Article 8)
Article 8 addresses consent in the context of information society services offered directly to a child. The GDPR sets the baseline age at 16, but Member States may lower it to no less than 13. Below the applicable age, consent must be given or authorized by the holder of parental responsibility. The controller must make reasonable efforts to verify parental consent, taking into account available technology.
How Consent Works in Practice
To implement consent properly, organizations should follow these steps:
1. Assess whether consent is the appropriate legal basis. Consider whether another lawful basis (legitimate interests, contractual necessity, legal obligation, etc.) might be more appropriate. Consent should not be the default choice – it should be used when the data subject genuinely has a choice and the other bases do not apply.
2. Design clear consent mechanisms. Use opt-in checkboxes (not pre-ticked), layered privacy notices, and granular consent options that allow data subjects to consent to specific purposes independently.
3. Provide comprehensive information. Before obtaining consent, inform data subjects about the controller's identity, the purposes of processing, the types of data involved, recipients of data, international transfers, the right to withdraw, and any automated decision-making.
4. Record and manage consent. Implement consent management platforms (CMPs) or equivalent systems that log when consent was given, what was consented to, what information was provided, and how consent was obtained.
5. Facilitate easy withdrawal. Provide accessible mechanisms (e.g., account settings, one-click unsubscribe links, preference dashboards) and ensure withdrawal is effective promptly.
6. Regularly review and refresh consent. Consent should be reviewed periodically to ensure it remains valid and that the processing has not evolved beyond the original scope. While the GDPR does not prescribe a specific expiration period, good practice suggests refreshing consent when purposes change or after a reasonable period.
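The logging requirement in the Article 7(1) discussion above and steps 2 to 5 of this procedure can be made concrete in code. The following consent ledger is an added example written for this guide; it is not any vendor's consent management platform, and the subject id, purposes, notice text and timestamps are constructed for illustration. It records one entry per purpose (granularity), refuses to record a pre-ticked box that the user never touched (no affirmative act), keeps the hash and version of the exact wording shown (burden of proof), closes a record on withdrawal without deleting it (withdrawal is not retroactive), and flags purposes a service demands that the contract does not need (Article 7(4)).

```python
"""Illustrative consent ledger for this guide (added example, not a vendor CMP).
All identifiers, the sample notice text, subject id and timestamps are constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str             # one record per purpose: granular, not blanket, consent
    notice_version: str      # which version of the consent wording was shown
    notice_sha256: str       # hash of the exact wording presented (Article 7(1) evidence)
    mechanism: str           # how consent was captured, e.g. "web-opt-in-checkbox"
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None   # set on withdrawal; the grant is never deleted


class ConsentLedger:
    """One record per grant; withdrawal closes the record instead of erasing it."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def grant(self, subject_id: str, purpose: str, notice_text: str, notice_version: str,
              mechanism: str, ticked_by_user: bool, now: datetime) -> ConsentRecord:
        # Article 4(11) / Recital 32 / Planet49: only an affirmative act counts. A box that
        # was pre-ticked and merely left alone is not consent, so it is never recorded.
        if not ticked_by_user:
            raise ValueError(f"no affirmative action for purpose {purpose!r}")
        rec = ConsentRecord(subject_id, purpose, notice_version,
                            hashlib.sha256(notice_text.encode("utf-8")).hexdigest(),
                            mechanism, now)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, now: datetime) -> ConsentRecord:
        # Article 7(3): one call, same channel as the grant, no extra hurdles.
        for rec in self._records:
            if (rec.subject_id, rec.purpose, rec.withdrawn_at) == (subject_id, purpose, None):
                rec.withdrawn_at = now
                return rec
        raise LookupError(f"no active consent for {subject_id!r}/{purpose!r}")

    def lawful_at(self, subject_id: str, purpose: str, when: datetime) -> bool:
        # Withdrawal is not retroactive: processing between grant and withdrawal stays
        # lawful; processing before the grant or at/after withdrawal needs another basis.
        return any(
            rec.subject_id == subject_id and rec.purpose == purpose
            and rec.granted_at <= when
            and (rec.withdrawn_at is None or when < rec.withdrawn_at)
            for rec in self._records
        )

    def evidence(self, subject_id: str, purpose: str) -> list[ConsentRecord]:
        # Article 7(1): what the controller produces on request: when, how, which notice
        # version and the hash of the wording, for every grant and its withdrawal.
        return [r for r in self._records if (r.subject_id, r.purpose) == (subject_id, purpose)]


def bundled_purposes(demanded_by_service: list[str], necessary_for_contract: list[str]) -> list[str]:
    """Article 7(4) check: purposes the service insists on that the contract does not need."""
    return sorted(set(demanded_by_service) - set(necessary_for_contract))


def demo() -> dict:
    """Walk one constructed subject through grant, processing and withdrawal; returns the checks."""
    ledger = ConsentLedger()
    notice = "Tick to receive our monthly newsletter. Withdraw any time under Account > Preferences."
    t_grant = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    t_withdraw = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)
    ledger.grant("user-42", "newsletter", notice, "v3", "web-opt-in-checkbox", True, t_grant)
    ledger.withdraw("user-42", "newsletter", t_withdraw)
    try:   # a pre-ticked box the user never touched
        ledger.grant("user-42", "ad_profiling", notice, "v3", "web-pre-ticked", False, t_grant)
        preticked_rejected = False
    except ValueError:
        preticked_rejected = True
    return {
        "lawful_before_grant": ledger.lawful_at("user-42", "newsletter", datetime(2024, 2, 1, tzinfo=timezone.utc)),
        "lawful_during": ledger.lawful_at("user-42", "newsletter", datetime(2024, 3, 5, tzinfo=timezone.utc)),
        "lawful_after_withdrawal": ledger.lawful_at("user-42", "newsletter", t_withdraw),
        "evidence_hash_matches": ledger.evidence("user-42", "newsletter")[0].notice_sha256
                                 == hashlib.sha256(notice.encode("utf-8")).hexdigest(),
        "preticked_rejected": preticked_rejected,
        # the weather app from the Article 7(4) discussion: location is needed, ad profiling is not
        "bundled": bundled_purposes(["location_forecast", "ad_profiling"], ["location_forecast"]),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two design choices matter here. The ledger never overwrites or deletes a grant: `withdraw` only stamps `withdrawn_at`, so the controller can still show that processing on 5 March was lawful while processing on or after 10 March was not. And `grant` hashes the exact wording shown rather than storing only a form id, so a later dispute about what the subject was told can be answered from the record even after the notice has been revised.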
Key Case Law and Regulatory Guidance
- Planet49 (CJEU, C-673/17, 2019): Pre-ticked checkboxes do not constitute valid consent. Active consent is required for cookies. This case confirmed that consent must be an active, affirmative action.
- Orange România (CJEU, C-61/19, 2020): Consent is not validly given where a contract is pre-filled with a consent checkbox that the customer must actively untick to refuse. The burden of proving valid consent lies with the controller.
- CNIL v. Google (2019): The CNIL fined Google €50 million for lack of transparency and valid consent for personalized advertising. Consent was not sufficiently informed, and it was not specific (bundled across multiple purposes).
- EDPB Guidelines 05/2020 on Consent: This comprehensive guidance document elaborates on all elements of valid consent, including the freely given requirement, granularity, the impact of power imbalances, and conditions for withdrawal. This is essential reading for CIPP/E candidates.
- Schrems I (CJEU, C-362/14, 2015) and Schrems II (CJEU, C-311/18, 2020): Primarily about international transfers (invalidating Safe Harbor and Privacy Shield respectively), but relevant here because explicit consent under Article 49(1)(a) is one of the derogations a controller may consider in the absence of an adequacy decision or appropriate safeguards. The EDPB stresses that such consent must be explicit, specific to the particular transfer, and informed of the risks the transfer entails.
Common Pitfalls and Misconceptions
- Consent is not always the best legal basis. Many organizations default to consent when legitimate interests or contractual necessity would be more appropriate and practical.
- Consent does not override other GDPR obligations. Even with consent, controllers must still comply with data minimization, purpose limitation, storage limitation, security requirements, and data subject rights.
- Implied consent is generally not valid under the GDPR. Continuing to use a service, scrolling through a website, or failing to opt out does not constitute valid consent.
- Consent obtained under the old Data Protection Directive (95/46/EC) does not need to be obtained again, but only if the manner in which it was given already meets the GDPR conditions (Recital 171). Consent that relied on pre-ticked boxes or implied agreement under the Directive had to be refreshed.
- Switching legal bases after consent is withdrawn is problematic. The EDPB has cautioned against retrospectively changing the legal basis from consent to legitimate interests after a data subject withdraws consent, as this would undermine the right of withdrawal.
Consent in the Context of the ePrivacy Directive
Article 5(3) of the ePrivacy Directive (as interpreted after Planet49) requires consent for the use of cookies and similar tracking technologies (with limited exceptions for strictly necessary cookies). This consent must meet the GDPR standard set out in Articles 4(11) and 7. Cookie consent banners and CMPs are practical implementations of this requirement.
Relationship Between Consent and Other GDPR Provisions
- Article 6(1)(a): Consent as a lawful basis for processing.
- Article 9(2)(a): Explicit consent for special categories of data.
- Article 8: Conditions for children's consent.
- Article 13/14: Transparency requirements that inform the consent process.
- Article 17(1)(b): Right to erasure when consent is withdrawn and there is no other legal ground.
- Article 20: Right to data portability applies when processing is based on consent (or contract) and carried out by automated means.
- Article 22: Explicit consent as a basis for automated individual decision-making, including profiling.
- Article 49(1)(a): Explicit consent as a derogation for international data transfers in the absence of an adequacy decision or appropriate safeguards.
- Recitals 32, 33, 42, 43: Provide further interpretive guidance on consent.
Summary Table: Elements of Valid Consent
| Element | Requirement |
|---|---|
| Freely given | Genuine choice, no imbalance, no bundling |
| Specific | Granular, purpose-by-purpose consent |
| Informed | Full transparency before consent is given |
| Unambiguous | Clear affirmative action (no silence, no pre-ticked boxes) |
| Demonstrable | Controller can prove consent was obtained (Article 7(1)) |
| Distinguishable | Separated from other matters in written declarations (Article 7(2)) |
| Withdrawable | Easy to withdraw, as easy as giving consent (Article 7(3)) |
| Unconditional | Not a condition for a service that does not require that processing (Article 7(4)) |
Exam Tips: Answering Questions on Consent as Legal Basis (Article 7)
1. Know the four cumulative elements of consent by heart. "Freely given, specific, informed, and unambiguous" – these four words are your foundation. If a question describes a scenario, test each element systematically to determine whether consent is valid.
2. Distinguish between consent and explicit consent. The CIPP/E exam may test whether you know the difference. Regular consent requires an "unambiguous indication" via a clear affirmative action. Explicit consent (required under Articles 9, 22, and 49) demands an express, unequivocal statement. Be prepared to identify which level is required in a given scenario.
3. Watch for scenarios involving power imbalances. Questions about employer-employee relationships or public authority-citizen relationships are common. Remember that consent is generally not considered freely given in these contexts because the data subject may feel compelled to consent.
4. Remember the anti-bundling rule (Article 7(4)). If a question describes a scenario where a service is conditioned on consent to unrelated processing, this is a red flag. The consent is likely not freely given.
5. Focus on the burden of proof. Article 7(1) places the burden on the controller. If a question asks who must demonstrate consent was obtained, the answer is always the controller.
6. Withdrawal must be as easy as giving consent. If a scenario describes an easy sign-up process but a complex withdrawal process (e.g., requiring a phone call or written letter), this violates Article 7(3).
7. Withdrawal is not retroactive. Processing that occurred lawfully under consent before withdrawal remains lawful. This is a common exam trap – some answer choices may suggest that withdrawal invalidates all prior processing.
8. Pre-ticked boxes are never valid consent. If a question describes pre-ticked checkboxes or opt-out mechanisms presented as consent, these are invalid. Always look for active, affirmative opt-in.
9. Be alert to trick questions about switching legal bases. The EDPB discourages controllers from switching from consent to legitimate interests after consent is withdrawn. If an exam question presents this scenario, the likely correct answer is that this practice is problematic.
10. Remember Recitals 32 and 43 on granularity. When processing has multiple purposes, consent should be given for each purpose separately, and consent is presumed not to be freely given if it does not allow separate consent for different processing operations where that would be appropriate. A single consent for multiple unrelated purposes is not specific enough.
11. Know the age thresholds for children's consent. The default is 16, but Member States may lower it to 13. The exam may test whether you know this range and the requirement for parental authorization below the threshold.
12. Link consent to data subject rights. When consent is withdrawn and there is no other legal basis, the data subject may exercise the right to erasure (Article 17). When processing is based on consent (or contract) and is automated, the right to data portability applies (Article 20).
13. Use process of elimination. If a question asks which legal basis is most appropriate and consent is one of the options, consider whether another basis (legitimate interests, contractual necessity) might be more suitable. Consent should not be the default – it should be used when it is genuinely the most appropriate basis.
14. Familiarize yourself with key cases. Planet49 (pre-ticked boxes), Orange România (pre-filled consent forms), and CNIL v. Google (insufficient transparency and specificity) are frequently tested. Know the core holdings and how they illustrate Article 7 requirements.
15. Read all answer options carefully. CIPP/E questions often include answer choices that are partially correct but contain a subtle error (e.g., stating that consent can be implied from continued use of a service). Look for the answer that most accurately reflects the GDPR text and EDPB guidance.
16. Practice scenario-based analysis. Many CIPP/E questions present real-world scenarios and ask you to identify violations or best practices. Practice walking through scenarios step-by-step: Is consent freely given? Is it specific? Is the data subject informed? Is there a clear affirmative action? Can the controller demonstrate it? Can it be withdrawn easily?
By mastering the text of Article 7, understanding its practical implications, and recognizing how it interrelates with other GDPR provisions, you will be well-prepared to tackle any CIPP/E exam question on consent as a legal basis.