Consent withdrawal is one of the most consistently misunderstood areas of GDPR. When a user withdraws their consent, businesses often panic — assuming they must immediately delete every record they hold. That assumption is wrong. Sometimes. And that "sometimes" is doing a lot of work.
This guide cuts through the confusion: what Article 7(3) actually requires, what withdrawal means for data already collected, whether you can switch legal bases afterwards, and how consent withdrawal intersects with cookies, email marketing, and the right to erasure.
What Article 7(3) Actually Says
Article 7(3) of the GDPR contains three rules that businesses frequently overlook:
Rule 1: The data subject has the right to withdraw consent at any time.
This is not a "nice to have." It is a fundamental feature of what makes consent valid under GDPR. If consent cannot be withdrawn, it was never valid consent in the first place.
Rule 2: Withdrawing consent must be as easy as giving it.
This is the rule most businesses violate. If a user ticked a box to give consent, they must be able to un-tick a box to withdraw it. If they clicked a single "Accept" button, withdrawal cannot require a six-step support ticket process. The GDPR does not require withdrawal to be instantaneous, but it must not be significantly harder than the original consent mechanism.
Rule 3: Withdrawal does not affect the lawfulness of processing before the withdrawal.
This is the part businesses miss. If you collected and processed data under a valid consent, that processing was lawful at the time it happened. Withdrawal changes what you can do going forward — it does not retroactively make past processing unlawful.
Withdrawal vs. Erasure: A Critical Distinction
These are two separate rights, and conflating them causes significant compliance errors.
Withdrawal of consent (Article 7(3)) means: "I no longer permit you to process my data under the consent basis."
Right to erasure (Article 17) means: "I want you to delete my data."
These can overlap — and often do — but they are not the same thing. When a user withdraws consent:
- You must stop the processing that was based on that consent
- You do not automatically have to delete all data unless they separately exercise their right to erasure
- Data that was legitimately collected under consent and is still needed for a different lawful purpose can be retained — but only for that purpose
Example: A user gave consent to receive your newsletter. They withdraw consent. You must stop sending marketing emails. But if you also have a lawful basis to retain their purchase records under contract performance (Article 6(1)(b)), those records do not need to be erased simply because marketing consent was withdrawn.
The right to erasure has its own conditions, exceptions, and legal analysis. It does not automatically follow from withdrawal.
What Happens to Data Already Collected?
Here is the rule that resolves the most confusion: data collected under valid consent was lawfully processed at the time of collection. Withdrawal does not retroactively change that.
If you sent someone ten marketing emails between January and October, and they withdraw consent in November, you do not need to "un-send" those emails. The processing was lawful when it occurred. Withdrawal only governs what you do from the moment of withdrawal onwards.
What you must do after withdrawal:
- Stop the specific processing activity that was based on the withdrawn consent
- Update your records to record the withdrawal and the date
- Ensure the user is not processed for that purpose again
- Delete data that you have no other lawful basis to retain
What you do not need to do:
- Delete records of past interactions that were lawfully processed
- Erase data you hold under a different lawful basis
- Treat the past processing as unlawful
This is why keeping clear records of your lawful bases matters. If you cannot identify why you hold each category of data and what legal basis supports it, you cannot respond properly to withdrawal.
Can You Switch to a Different Lawful Basis After Withdrawal?
This is a trap. The answer is no — not if that basis did not apply at the time of collection.
A common attempted workaround: user withdraws consent, company says "fine, we'll just switch to legitimate interests." The ICO and other supervisory authorities are explicit: you cannot switch to a different lawful basis retrospectively to circumvent a withdrawal of consent.
GDPR Recital 32 and the purpose limitation principle (Article 5(1)(b)) require that the lawful basis is identified and documented before processing begins. You cannot choose your basis on the fly after someone objects to the one you originally relied on.
The exception: if you genuinely had a separate, independent basis that applied from the beginning and that you documented at the time — you can continue processing under that basis. But you must not process for the same purpose under the consent basis, and you should be transparent with the data subject about what basis you are relying on.
Email Unsubscribes as Consent Withdrawal
Every email unsubscribe is a withdrawal of consent to receive marketing communications.
This means:
- You must action the unsubscribe promptly (the ICO and regulators expect this within 10 working days at most; many expect faster)
- You must update your marketing suppression list
- You must not re-add the person to marketing lists without fresh, valid consent
- You can retain their email address on a suppression list to ensure you do not accidentally re-market to them — this is not a violation, it is a compliance measure
Where businesses go wrong: treating unsubscribes as a list management issue rather than a legal rights issue. The person has exercised a right under Article 7(3). Document it. Honour it. Do not treat "unsubscribed" and "consented" as states that can flip back and forth without the user's knowledge.
A note for those used to CAN-SPAM: in the UK, PECR (and the equivalent e-privacy rules in the EU) apply to marketing emails alongside GDPR. The requirements overlap but are separate. Compliance with one does not guarantee compliance with the other.
Cookie Consent Withdrawal
Cookie consent is a specific, common implementation of Article 7(3) requirements. Cookie Consent Management Platforms (CMPs) are built precisely to make withdrawal as easy as giving consent.
Under a compliant CMP:
- The cookie banner allows users to accept or reject categories of cookies
- A preference centre or icon allows users to change their consent settings at any time
- Changing to "reject" triggers the CMP to stop loading the relevant third-party scripts
- The new preference is recorded and respected on subsequent visits
What happens to data already collected by third-party cookies? The same rule applies: it was lawfully collected under the prior consent. Your CMP can stop sending new data to Google Analytics or Facebook Pixel, but it cannot reach back and delete what was already collected by those third parties. For that, the user would need to exercise rights directly with those controllers — or exercise the right to erasure with you, which you would then pass to relevant processors.
Important: A consent signal sent via IAB TCF or a similar framework only covers the consenting party as controller. If you use third-party advertising networks, their processing of data they have independently collected about the user is governed by their own privacy policies and is outside your direct control.
Want to check whether your cookie consent implementation is actually working correctly? Run a free scan at Custodia and see exactly which trackers are loading and whether your consent controls are functioning as intended.
Partial Withdrawal: Withdrawing Consent for Specific Categories
GDPR does not require users to withdraw consent for everything at once. A user can withdraw consent for one purpose while maintaining it for another.
Example: A user consents to:
- Marketing emails (consent)
- Personalised ad tracking (consent)
They can withdraw consent for ad tracking while keeping marketing email consent active. Your systems must support this granularity if you obtained consent on a granular basis — which GDPR requires for different purposes.
This is where consent records matter. If you only recorded a single binary "yes" without documenting which specific purposes the user consented to, you cannot properly handle partial withdrawals.
A CMP that captures consent by category (functional, analytics, marketing) supports partial withdrawal natively. An email unsubscribe process that only offers "unsubscribe from all" does not support partial withdrawal — which may be a compliance gap if you send different categories of email.
Withdrawal of Consent vs. Objection to Legitimate Interests
These are frequently confused but operate under completely different rules.
Withdrawal of consent (Article 7(3)): Applies when you process under consent (Article 6(1)(a)). Withdrawal is an absolute right — you must stop processing under the consent basis. No balance of interests, no override.
Objection to legitimate interests (Article 21): Applies when you process under legitimate interests (Article 6(1)(f)). When a data subject objects, you must stop processing unless you can demonstrate compelling legitimate grounds that override the individual's interests, rights, and freedoms. It is not automatic — you must conduct a balancing exercise.
The practical consequence: if you rely on legitimate interests for processing, an objection from the data subject requires you to assess whether your grounds are compelling enough to override their objection. You may be able to continue processing in some circumstances. If you rely on consent, there is no such assessment. Withdrawal ends that basis.
This is one reason why the choice of lawful basis matters so much at the outset. Legitimate interests offers more resilience to objections (though it has its own documentation and balancing requirements). Consent offers more user control but creates operational obligations when withdrawn.
The Practical Compliance Checklist
When handling consent withdrawal, you need:
A withdrawal mechanism that is as easy as consent:
- Cookie preferences accessible from every page (not buried in a footer link three clicks deep)
- Unsubscribe links in every marketing email that work with a single click
- Account settings that allow consent to be modified without contacting support
A process for actioning withdrawals:
- Promptly update your consent records
- Stop the specific processing that relied on that consent
- Check what data you hold and whether any other lawful basis supports retention
- If no other basis exists, delete or anonymise
Documentation:
- Record the withdrawal with a timestamp
- Record what processing was stopped and when
- Document the lawful basis for any data you continue to hold
- If a data subject subsequently requests erasure, you have a clear picture of what you hold and why
Suppression lists:
- Email marketing: retain the email address on a suppression list to prevent re-subscription
- Cookie consent: retain the rejection preference in a cookie so it is respected on return visits (note: storing a rejection preference is generally covered under the "strictly necessary" exception and does not require additional consent)
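As an added example (not the article's own code, nor any CMP vendor's), a minimal consent ledger in Python that applies the rules from the partial-withdrawal section, the checklist above and the re-consent FAQ: each purpose is recorded separately, a withdrawal is appended rather than overwriting the earlier consent, the permission check is evaluated at a point in time so pre-withdrawal processing stays lawful, and withdrawn purposes feed a per-purpose suppression list. The subject ids, purpose names and timeline are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str      # one granular purpose, e.g. "newsletter" or "ad_tracking"
    granted: bool     # True = consent given, False = consent withdrawn
    at: datetime      # timestamp of the event (UTC)
    source: str       # mechanism used, e.g. "signup_form", "unsubscribe_link"

@dataclass
class ConsentLedger:
    """Append-only: withdrawals and re-consents are new rows; nothing is overwritten."""
    events: list = field(default_factory=list)
    suppression: set = field(default_factory=set)  # (subject_id, purpose) pairs currently withdrawn

    def record(self, subject_id, purpose, granted, at, source):
        self.events.append(ConsentEvent(subject_id, purpose, granted, at, source))
        key = (subject_id, purpose)
        # A withdrawal suppresses that one purpose only; a later fresh consent lifts
        # the suppression, but the withdrawal row itself is retained for the record.
        if granted:
            self.suppression.discard(key)
        else:
            self.suppression.add(key)

    def may_process(self, subject_id, purpose, at):
        """Permission for one purpose at one point in time: the latest event on or
        before `at` decides, so processing done before a withdrawal stays lawful."""
        relevant = [e for e in self.events
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= at]
        return bool(relevant) and max(relevant, key=lambda e: e.at).granted

    def history(self, subject_id):
        return [e for e in self.events if e.subject_id == subject_id]

def utc(month):  # helper for the constructed timeline below (first of the month, 2024)
    return datetime(2024, month, 1, tzinfo=timezone.utc)

def build_example_ledger():
    """Constructed timeline: granular consent, partial withdrawal, unsubscribe, re-consent."""
    ledger = ConsentLedger()
    ledger.record("u1", "newsletter", True, utc(1), "signup_form")
    ledger.record("u1", "ad_tracking", True, utc(1), "cookie_banner")
    ledger.record("u1", "ad_tracking", False, utc(3), "preference_centre")  # partial withdrawal
    ledger.record("u1", "newsletter", False, utc(6), "unsubscribe_link")    # email unsubscribe
    ledger.record("u1", "newsletter", True, utc(9), "signup_form")          # fresh consent
    return ledger
```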
Frequently Asked Questions
Must I respond to a withdrawal request within a specific timeframe?
GDPR does not set a specific response time for withdrawal the way it does for DSARs (30 days). However, you must act "without delay" — supervisory authorities interpret this as prompt, not leisurely. For email unsubscribes, prompt means within a few days at most. For cookie withdrawals, it should be immediate or near-immediate.
Can I ask someone why they are withdrawing consent?
You can ask, but you cannot make withdrawal conditional on providing a reason. A user who declines to explain must still have their withdrawal actioned.
If a user withdraws and then re-consents, do I need a new consent record?
Yes. Each consent must be separately recorded. The old withdrawal record should be retained, and the new consent should be recorded alongside it with a timestamp. This protects you in the event of a dispute.
Does withdrawal affect data held by processors I have engaged?
Yes. You must instruct your data processors to stop the relevant processing and, where appropriate, delete data they hold on your behalf. Your Data Processing Agreements should specify how withdrawal instructions are handled.
Check Your Website's Consent Mechanisms
Many compliance gaps around consent withdrawal are visible on the website itself — cookie banners that do not have a withdrawal option, consent preferences that do not persist, or trackers that load before consent is given.
Scan your website free at Custodia and get a report of what your site is actually doing with visitor data. No signup required. Results in 60 seconds. Understanding your current position is the first step to handling consent withdrawal correctly.
This guide provides general information about GDPR consent withdrawal requirements under Article 7(3). It does not constitute legal advice. Requirements may vary based on jurisdiction, the nature of processing activities, and individual circumstances. For advice specific to your situation, consult a qualified privacy or legal professional.