In one sentence. GDPR Article 7 sets out four conditions that elevate consent (defined in Article 4(11)) to a valid lawful basis: (1) the controller must be able to demonstrate consent was given, (2) the consent request must be intelligible and clearly distinguishable from other matters, (3) the data subject must be able to withdraw consent as easily as they gave it, and (4) consent must be freely given — not bundled, not coerced, not a precondition for service.
Article 7 is what makes Article 6(1)(a) operational. Most CNIL sanctions for “invalid consent” actually cite Article 7 conditions: missing proof of consent, withdrawal mechanism harder than the opt-in, conditions of use bundled with marketing consent, or service access conditioned on consent.
For practical wording examples, see GDPR consent wording examples. For the broader lawful basis framework, see the GDPR Article 6 lawful basis guide.
Key takeaways
- Article 7 elevates consent from “any agreement” to demonstrable, distinguishable, withdrawable, and freely given consent.
- Burden of proof is on the controller — keep timestamped records of every consent.
- Withdrawal must be as easy as giving consent — same friction, same number of clicks.
- “Freely given” excludes bundled consent (terms + marketing in one box), employer-employee consent (power imbalance), and consent as precondition for service.
- Article 7 violations are sanctioned under Article 83(5) — up to 4% of global turnover.
1. Article 7 text
Article 7 — Conditions for consent
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
2. Condition 1 — Demonstrability (Article 7(1))
The controller must keep proof of consent. The CNIL has repeatedly sanctioned controllers who couldn’t produce timestamped, identified consent records.
What “demonstrable” means in practice:
- Who consented (user ID, email, hash)
- When consent was given (timestamp)
- What they consented to (specific purpose + version of the consent text)
- How they consented (channel: web form, in-app, paper)
Storage: typically in a consent management platform (CMP) or in your own consent table. The consent log must persist as long as the consent is in effect.
Common failure: a CRM checkbox saying “marketing OK” with no record of when or what version of the privacy notice was shown.
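A minimal consent log covering the who / when / what / how fields above, as an added example that is not from the original page or any particular CMP. The table, column and function names are hypothetical, and treating the log as append-only (a withdrawal is a new row, never an edit) is an assumption of this sketch.

```python
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema: one row per consent event, one purpose per row.
SCHEMA = """
CREATE TABLE consent_event (
    id             INTEGER PRIMARY KEY,
    subject_id     TEXT NOT NULL,  -- who: user ID or hashed email
    purpose        TEXT NOT NULL,  -- what: a single purpose, never a bundle
    notice_version TEXT NOT NULL,  -- what: version of the consent text shown
    channel        TEXT NOT NULL CHECK (channel IN ('web_form', 'in_app', 'paper')),
    action         TEXT NOT NULL CHECK (action IN ('grant', 'withdraw')),
    recorded_at    TEXT NOT NULL   -- when: UTC timestamp, ISO 8601
);
-- Assumption: events are never edited; a withdrawal is a new row.
CREATE TRIGGER consent_event_no_update BEFORE UPDATE ON consent_event
BEGIN SELECT RAISE(ABORT, 'consent_event rows are immutable'); END;
"""

def open_log():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def record(db, subject_id, purpose, notice_version, channel, action):
    """Append one grant or withdrawal; a NULL field is rejected by the schema."""
    now = datetime.now(timezone.utc).isoformat()
    with db:  # commit on success, roll back on error
        db.execute(
            "INSERT INTO consent_event (subject_id, purpose, notice_version,"
            " channel, action, recorded_at) VALUES (?, ?, ?, ?, ?, ?)",
            (subject_id, purpose, notice_version, channel, action, now))

def latest(db, subject_id, purpose):
    """Latest event for this subject and purpose: the proof to produce."""
    return db.execute(
        "SELECT action, notice_version, channel, recorded_at FROM consent_event"
        " WHERE subject_id = ? AND purpose = ? ORDER BY id DESC LIMIT 1",
        (subject_id, purpose)).fetchone()

def has_consent(db, subject_id, purpose):
    """No record means no consent; a later withdrawal overrides a grant."""
    row = latest(db, subject_id, purpose)
    return row is not None and row[0] == "grant"

if __name__ == "__main__":
    db = open_log()  # constructed sample data
    record(db, "u-1001", "newsletter", "notice-v3", "web_form", "grant")
    print(latest(db, "u-1001", "newsletter"))
```

The “marketing OK” checkbox failure described above corresponds to a row with no `notice_version` or `recorded_at`, which this schema refuses to store.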
3. Condition 2 — Intelligible and distinguishable (Article 7(2))
The consent request must be:
- Clearly distinguishable from other matters (terms of service, contract clauses)
- Intelligible — a typical user understands what they’re agreeing to
- Easily accessible — not buried, not requiring expansion of multiple links
- Clear and plain language — no legalese
The CJEU in Planet49 (Case C-673/17, October 2019) invalidated pre-ticked consent boxes specifically on Article 7(2) grounds — pre-ticked equals not clearly distinguishable.
Common failures:
- “I accept the terms and conditions and consent to marketing” → bundling
- Single checkbox covering 5 different processing purposes → not specific
- Consent notice in 8pt grey font at the bottom of a form → not accessible
- “By clicking Subscribe you accept the terms” → not clearly distinguishable
4. Condition 3 — Withdrawal as easy as giving consent (Article 7(3))
This is the condition most often violated. If the user can opt in with one click on a banner, opting out must also be one click — not “send an email to dpo@…, wait for confirmation, then we’ll process within 30 days.”
Compliant withdrawal mechanisms:
- One-click unsubscribe link in every marketing email
- “Cookie preferences” link in footer that re-opens the CMP banner
- “Disable” toggle in account settings, takes effect within 24h
- Identity-verified portal action
Non-compliant withdrawal mechanisms (sanctioned by CNIL):
- Postal mail required to withdraw email marketing consent
- Phone call to a paid customer service line
- Account deletion as the only way to opt out of optional processing
- Withdrawal that takes 30+ days to take effect
The user must also be informed before consent that withdrawal is possible and how. Hidden withdrawal mechanisms invalidate the original consent.
5. Condition 4 — Freely given (Article 7(4))
Consent is not freely given if:
- Service is conditional on consent to processing not necessary for that service. Example: a free email app that requires consent to behavioral advertising — not free if you can’t use the email otherwise.
- Power imbalance exists — typically employer-employee. The EDPB has stated that consent in an employment context is almost never valid, except for genuinely optional perks with no consequence on refusal.
- Multiple purposes are bundled — one consent for “improve our service AND share with partners AND advertise to you” is invalid.
- Detrimental consequences flow from refusal beyond the strict service impact.
Cookie walls: the EDPB and CNIL have a nuanced position. A cookie wall is not automatically invalid if a paid alternative is offered at a reasonable price, but the CNIL has sanctioned several “cookie wall” implementations where the alternative was punitive (€10/month for what was previously free).
6. Enforcement landscape
| Year | Sanction | Article 7 violation cited |
|---|---|---|
| 2019 | Google (CNIL) — €50M | Inadequate consent for personalized ads (intelligibility, specificity) |
| 2020 | TIM SpA (Garante) — €27.8M | Marketing consent without valid base |
| 2021 | WhatsApp Ireland (DPC, EDPB) — €225M | Transparency on consent |
| 2022 | Discord (CNIL) — €800K | Insufficient retention period info, breaches |
| 2023 | Meta Platforms Ireland (DPC) — €390M | Lawful basis on behavioral ads (Articles 6/7 interaction) |
| 2024-2025 | 21 CNIL cookie sanctions | Withdrawal asymmetry, bundling, dark patterns |
The pattern: Article 7 violations are not technical infractions — they’re systemic design choices that the CNIL identifies on first inspection.
7. Implementation checklist
- ☐ Consent recorded with: user ID, timestamp, purpose, version of the privacy notice
- ☐ Consent UI distinguishes the consent request from terms of service
- ☐ One purpose = one consent (no bundling)
- ☐ Pre-ticked boxes removed everywhere
- ☐ Withdrawal mechanism documented and tested (it works in <24h)
- ☐ User informed of withdrawal mechanism before consenting
- ☐ Service access not conditioned on optional consent
- ☐ Employer-employee consent reviewed by DPO (rarely valid)
- ☐ Cookie wall (if used) has a reasonable paid alternative
- ☐ Consent records retained as long as consent is active + reasonable evidence period after withdrawal
8. Article 7 vs Article 4(11): definition vs conditions
Article 4(11) defines consent: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement.”
Article 7 sets the operational conditions to keep that consent valid over time. The two work together — Article 4(11) tells you what consent is; Article 7 tells you what to do to preserve it.
9. Tooling
For CMPs that automate Article 7 conditions: Axeptio, Didomi, OneTrust, Cookiebot, Tarteaucitron (free).
For broader consent management integrated with the ROPA: Legiscope maintains a consent log per user, alerts on bundled consents detected in collection forms, and audits cookie banners against CNIL criteria.
For related guides: GDPR consent wording examples, GDPR Article 6 lawful basis, opt-in opt-out guide, bandeau cookies CNIL (FR).
Conclusion
Article 7 is the operational discipline behind consent. The four conditions — demonstrability, intelligibility, withdrawability, freedom — read short but each requires a system: a consent log, a UI design, a withdrawal flow, and an architectural choice not to bundle. Most CNIL cookie sanctions of 2024-2025 are Article 7 violations dressed as “cookie problems.”
FAQ
What is GDPR Article 7?
Article 7 sets four conditions for consent to be valid as a lawful basis: it must be demonstrable, intelligible and clearly distinguishable, withdrawable as easily as given, and freely given.
Does Article 7 apply to all consent under GDPR?
Yes — whenever consent is invoked as the lawful basis under Article 6(1)(a) or as the explicit consent condition under Article 9(2)(a), Article 7 conditions apply.
Can I require consent to use my service?
Only if the consent covers processing strictly necessary for the service. Conditioning service on consent to optional processing (analytics, marketing, profiling) violates Article 7(4) — consent isn’t “freely given” in that scenario.
How long must I keep consent records?
For the duration of the consent + a reasonable evidence retention period after withdrawal. CNIL practice suggests 24-36 months after withdrawal as a defensible default for marketing consent.
Can employees give valid consent?
The EDPB has stated that consent in an employer-employee relationship is almost never valid because of the power imbalance. Exceptions: genuinely optional perks with no consequence whatsoever for refusal (and even then, the burden of proof is high).

