The classic trap
Article 7 is the Achilles heel of websites and apps: proof of consent is missing, the cookie banner is misleading, or the 'reject all' button is buried behind three clicks. The CNIL and CNPD regularly sanction dark patterns, lack of granularity (a single button for 47 purposes) and the practical impossibility of withdrawing consent as easily as giving it. The EDPB (guidelines 05/2020) requires timestamped, individual and reproducible proof for every consent collected.
The 4 pitfalls that bring down 90% of cookie banners
- No opposable proof: you know the user clicked, but you cannot reproduce the exact screen they saw, nor the signed timestamp, nor the banner version active that day.
- Accept/reject asymmetry: 'Accept all' in one click, 'Reject' requires drilling into a submenu. The CNIL considers this non-free consent.
- Bundled consent: a single checkbox covering newsletter, analytics cookies and commercial prospecting. Article 7(2) demands clear separation of purposes.
- Withdrawal impossible or hidden: no permanent 'manage my cookies' link in the footer, no one-click unsubscribe mechanism.
The 'freely given' test: the key argument before the CNPD
Article 7(4) requires you to demonstrate that no imbalance vitiated the consent. In employer-employee, patient-hospital or government-citizen contexts, consent is presumed not freely given. Systematically document the alternative legal basis (legitimate interest, legal obligation, public interest mission) rather than relying on fragile consent.
How Luxgap automates this risk
Our Luxgap Consent Proof Vault makes losing proof impossible: every consent interaction on your sites, apps and forms is captured, cryptographically signed and sealed in a timestamped vault opposable to the CNPD. A lightweight JS snippet (under 8 KB, no third-party cookies) instruments your existing banner or replaces it entirely, capturing in real time the exact screen seen by the user, their granular choices and the active Consent Management Platform version.
- Captures each consent with a SHA-256 hash of the rendered page, truncated IP, user-agent and RFC 3161 timestamp signed by an eIDAS-qualified certification authority.
- Automatically detects dark patterns on your pages via an AI crawler that simulates an average visitor and scores the accept/reject balance against the CNIL 2020 grid.
- Continuously scans your public sites to identify Meta, Google Analytics or LinkedIn Insight pixels loaded before consent, and alerts via Teams or Slack in under 5 minutes.
- Generates a per-user consent log, exportable on Article 15 access requests or during a CNPD audit.
- Produces a timestamped PDF report, cryptographically sealed, demonstrating Article 7(1) compliance over any rolling period in the last 5 years.
- Verifies that the withdrawal mechanism is as accessible as the collection mechanism, by testing path symmetry via a monthly AI agent.
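To make the per-consent record described in the list above concrete, here is an added example (illustrative code, not Luxgap's product or API) of a proof record that stores a SHA-256 hash of the rendered banner, the banner version, one explicit choice per purpose, a truncated IP, the user-agent and a UTC timestamp, plus a replay check an auditor could run. Assumptions: the purpose names and banner HTML are constructed sample data, IP truncation zeroes the last octet (IPv4) or the host part beyond /64 (IPv6), and the RFC 3161 timestamp and eIDAS signature are represented only by the record digest that would be submitted to a timestamp authority.

```python
import hashlib
import ipaddress
import json
from datetime import datetime, timezone

# Constructed example purposes; a real banner lists its own, each with its own choice.
PURPOSES = ("analytics", "advertising", "newsletter")

def truncate_ip(ip: str) -> str:
    """Pseudonymise the client IP before storage (assumption: /24 for IPv4, /64 for IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_consent_record(rendered_banner: str, banner_version: str, choices: dict,
                         client_ip: str, user_agent: str, now: datetime) -> dict:
    """One record per consent event. Granularity is enforced: every purpose needs
    its own explicit choice. The banner hash lets an auditor re-render the exact
    screen from the archived template and confirm it is the one the user saw."""
    if set(choices) != set(PURPOSES):
        raise ValueError("each purpose must carry its own explicit choice")
    record = {
        "banner_version": banner_version,
        "banner_sha256": sha256_hex(rendered_banner.encode("utf-8")),
        "choices": {p: bool(choices[p]) for p in PURPOSES},
        "ip_truncated": truncate_ip(client_ip),
        "user_agent": user_agent,
        "timestamp": now.astimezone(timezone.utc).isoformat(timespec="seconds"),
    }
    # Digest over the canonical (sorted-key) JSON form. In production this digest is
    # what would be sent to an RFC 3161 timestamp authority; that step is omitted here.
    record["record_sha256"] = sha256_hex(json.dumps(record, sort_keys=True).encode("utf-8"))
    return record

def verify_consent_record(record: dict, rendered_banner: str) -> bool:
    """Replay check: the record digest must match its own fields, and the archived
    banner must hash to the stored value. Any edited field or banner fails."""
    fields = {k: v for k, v in record.items() if k != "record_sha256"}
    if sha256_hex(json.dumps(fields, sort_keys=True).encode("utf-8")) != record["record_sha256"]:
        return False
    return sha256_hex(rendered_banner.encode("utf-8")) == record["banner_sha256"]
```

Each stored record is independent, so a single user's history (consent, later withdrawal) is a chronological list of such records rather than one overwritten row.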
Available as part of a Luxgap DPO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your live sites, with a free 48-hour scan to detect pixels loaded before consent and measure your exposure before any commitment.