GDPR Article 7(3) gives every data subject the right to withdraw consent at any time, and it must be as easy to withdraw as it was to give. The withdrawal does not affect the lawfulness of processing that happened before — but from the moment of withdrawal, the controller no longer has a lawful basis (assuming consent was the only basis) and must stop the processing.
What "as easy to withdraw" means in practice
The European Data Protection Board has been clear:
- Consent given with a single click cannot require a phone call, an email or a written letter to withdraw.
- The withdrawal mechanism must be in the same medium as the original consent, where feasible.
- Hidden withdrawal links in privacy policy footers don't satisfy the standard.
- Charging a fee for withdrawal is not permitted.
The propagation problem
Withdrawal is where vendor monitoring and incident response intersect. When a data subject withdraws consent for marketing emails:
- The controller's marketing platform has to stop sending.
- Every vendor with a copy of the data subject's contact details has to stop using it for the withdrawn purpose.
- CRM syncs, audience-export integrations, and lookalike-modelling features have to be reviewed — the data subject's profile may have been replicated to third parties whose own opt-out lists must be updated.
- Backups and analytics aggregates may still contain the data; the controller has to ensure that withdrawal stops all future processing for the withdrawn purpose without having to rewrite those systems retroactively.
A vendor that doesn't expose a real-time API or webhook to receive consent withdrawals is making this propagation problem harder. A vendor that maintains its own marketing-suppression list separate from the controller's is making it worse: the two lists drift, and a data subject suppressed in one can still be contacted from the other unless the controller reconciles them.
Withdrawal vs. erasure
Withdrawal of consent stops processing going forward. It is not the same as exercising the right to erasure. A data subject who withdraws consent for marketing has stopped that specific processing, but the controller may still hold the underlying record on another lawful basis (for example, on a contract basis for an active subscription). Article 17(1)(b) does make withdrawal a ground for erasure where no other legal basis remains, but erasure is still a separate request that the controller has to receive and act on if the data subject wants the record deleted.
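The propagation problem and the withdrawal-versus-erasure distinction above both come down to the same bookkeeping: which lawful basis applies to which purpose, when consent changed, and which vendors have acknowledged the change. The following ledger is an added example written for this page, not code from the original article or any product it mentions. It assumes that each vendor integration is a callable that takes the withdrawal event and returns True once it has been acknowledged (a webhook in practice), and all names, subjects and vendors in it are constructed.

```python
# Added example, not from the original page. Vendor endpoints are assumed to be
# callables that take the withdrawal event and return True once acknowledged.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib

CONSENT, CONTRACT = "consent", "contract"  # Art. 6(1)(a) and 6(1)(b)


@dataclass
class SubjectRecord:
    subject_id: str
    email: str
    bases: dict = field(default_factory=dict)   # purpose -> set of lawful bases
    events: list = field(default_factory=list)  # (ts, purpose, "given" | "withdrawn")


class ConsentLedger:
    def __init__(self):
        self.records = {}
        self.vendors = {}       # vendor name -> deliver(event) -> bool
        self.pending = []       # (vendor, event) deliveries not yet acknowledged
        self.delivered = set()  # (vendor, event id) already acked, so retries are idempotent
    def add_subject(self, subject_id, email, contract_purposes=()):
        rec = SubjectRecord(subject_id, email)
        for purpose in contract_purposes:
            rec.bases.setdefault(purpose, set()).add(CONTRACT)
        self.records[subject_id] = rec
    def give_consent(self, subject_id, purpose, ts):
        rec = self.records[subject_id]
        rec.bases.setdefault(purpose, set()).add(CONSENT)
        rec.events.append((ts, purpose, "given"))
    def withdraw_consent(self, subject_id, purpose, ts):
        """Drop the consent basis for one purpose and fan the event out to every vendor."""
        rec = self.records[subject_id]
        rec.bases.setdefault(purpose, set()).discard(CONSENT)
        rec.events.append((ts, purpose, "withdrawn"))
        event_id = hashlib.sha256(f"{subject_id}|{purpose}|{ts.isoformat()}".encode()).hexdigest()[:16]
        event = {"id": event_id, "subject_id": subject_id, "email": rec.email,
                 "purpose": purpose, "withdrawn_at": ts.isoformat()}
        self.pending += [(name, event) for name in self.vendors if not self._deliver(name, event)]
        return event
    def _deliver(self, name, event):
        key = (name, event["id"])
        try:
            ok = key in self.delivered or bool(self.vendors[name](event))
        except Exception:  # one vendor outage must not abort the fan-out to the others
            ok = False
        if ok:
            self.delivered.add(key)
        return ok
    def retry_pending(self):
        """Re-deliver unacknowledged events; returns how many are still outstanding."""
        self.pending = [(n, e) for n, e in self.pending if not self._deliver(n, e)]
        return len(self.pending)
    def may_process(self, subject_id, purpose):
        """Processing now is lawful only while some basis remains for that purpose."""
        rec = self.records.get(subject_id)
        return rec is not None and bool(rec.bases.get(purpose))
    def was_lawful_under_consent(self, subject_id, purpose, at):
        """Replay history: lawful under consent at `at` iff consent had been given and
        not yet withdrawn by then; withdrawal is not retroactive (Art. 7(3))."""
        rec = self.records.get(subject_id)
        history = sorted(e for e in (rec.events if rec else []) if e[1] == purpose and e[0] <= at)
        return bool(history) and history[-1][2] == "given"
    def erase(self, subject_id):  # right to erasure removes the record, not just one basis
        return self.records.pop(subject_id, None) is not None
    def reconcile(self, vendor_suppression, purpose="marketing"):
        """Emails the ledger shows as withdrawn for `purpose` but missing from a vendor's list."""
        withdrawn = {r.email for r in self.records.values()
                     if any(e[1] == purpose and e[2] == "withdrawn" for e in r.events)
                     and CONSENT not in r.bases.get(purpose, set())}
        return withdrawn - set(vendor_suppression)


class VendorStub:
    """Constructed vendor: keeps its own suppression list and rejects the first `fail_first` calls."""
    def __init__(self, fail_first=0):
        self.fail_first, self.calls, self.suppressed = fail_first, 0, set()
    def __call__(self, event):
        self.calls += 1
        if self.calls <= self.fail_first:
            return False
        self.suppressed.add(event["email"])
        return True


def build_demo():
    """Constructed scenario: alice consents to marketing at t0 and withdraws ten days
    later; the ads vendor misses the first delivery. Her subscription stays on contract."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger, esp, ads = ConsentLedger(), VendorStub(), VendorStub(fail_first=1)
    ledger.vendors.update(esp=esp, ads=ads)
    ledger.add_subject("s1", "alice@example.com", contract_purposes=("subscription",))
    ledger.add_subject("s2", "bob@example.com", contract_purposes=("subscription",))
    ledger.give_consent("s1", "marketing", t0)
    ledger.withdraw_consent("s1", "marketing", t0 + timedelta(days=10))
    return ledger, esp, ads, t0
```

Two design points matter here. Deliveries are keyed by an event id, so a retry after a vendor outage is idempotent and the pending queue gives the controller a record of which vendors have not yet acknowledged; `reconcile` then catches the drift the text warns about when a vendor keeps its own suppression list. And `erase` is deliberately a different operation from `withdraw_consent`: after withdrawal `may_process` still returns True for the contract-based subscription purpose, and only erasure removes the record. Note that erasing the record also erases the consent history this ledger uses for `was_lawful_under_consent`; a production system would keep a minimal, separately justified log of withdrawals so it can still demonstrate compliance afterwards.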