FULL ARTICLE TEXT
Article 7 in full
Article 7: Conditions for consent
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
And from Article 4(11): "consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Full text on EUR-Lex (CELEX 32016R0679, Article 7).
What valid consent requires
Article 4(11) and Article 7 together define what constitutes valid consent. There are four cumulative elements: freely given, specific, informed, unambiguous. Each element has been the subject of substantial DPA and court interpretation. Freely given means the data subject has a genuine choice and is not coerced; this is the dimension at issue in the "refuse as easily as accept" cookie cases. Specific means consent is for an identified processing operation or operations, not for general or open-ended use; this is the dimension rejecting bundled consent. Informed means the data subject has the necessary information to understand what they are consenting to, satisfying the transparency requirements of Articles 12-14. Unambiguous means the consent must be expressed through a clear affirmative action; this is the dimension rejecting pre-ticked checkboxes (Planet49, C-673/17).
Additionally, Article 7(3) requires that withdrawal of consent be as easy as giving it. This parallels the cookie-banner refusal principle, applied to consent that is already in place. A controller cannot make withdrawal harder than giving consent (e.g. requiring postal mail to withdraw consent that was given by clicking a button).
The GDPR-ePrivacy interaction for cookies
Cookie placement and similar storage/access operations on a user's terminal equipment are governed by Article 5(3) of the ePrivacy Directive (2002/58/EC, as amended by Directive 2009/136/EC). Article 5(3) requires user consent for such storage/access, with a narrow exception for cookies strictly necessary for the requested service. The Directive is implemented in each Member State through national law: Article 82 of the Loi Informatique et Libertés in France, the Privacy and Electronic Communications Regulations 2003 in the UK, the Telekommunikation-Telemedien-Datenschutz-Gesetz in Germany, and analogous frameworks in other Member States.
The substantive concept of consent under these national ePrivacy implementations is interpreted by reference to Article 4(11) GDPR. So cookie enforcement against a controller is typically formally framed as an Article 82 LIL (or equivalent) infringement, but the doctrinal analysis tracks GDPR consent principles. This is why the CNIL's cookie decisions cite EDPB guidance and CJEU case-law on consent even though they are formally not GDPR enforcement.
Landmark consent and cookie fines
Google €150 million (CNIL, 2022): the leading authority on the "refuse as easily as accept" standard. Established that asymmetric accept/refuse UX infringes the freely-given requirement.
Facebook Ireland €60 million (CNIL, 2022): parallel decision on the same legal theory applied to the facebook.com banner.
Microsoft €60 million (CNIL, 2022): extension to bing.com, confirming that the standard applies across major search providers.
Amazon Europe Core €35 million (CNIL, 2020): earlier cookie decision focused on cookie placement without prior consent.
Amazon €746 million (CNPD, 2021): although formally framed on Article 6 lawful-basis grounds, the substantive issue is consent-vs-other-basis for behavioural-advertising processing. The leading authority on the boundary between Article 6(1)(b) contract and Article 6(1)(a) consent for ad-tech.
IAB Europe TCF (APD, 2022): the leading authority on consent-framework architecture. Established that the TC String constitutes personal data and that IAB Europe is a joint controller for its processing.
Meta Ireland €390 million (DPC, January 2023): the EDPB-instructed decisions rejecting contract-as-basis for personalised advertising on Facebook and Instagram, definitively establishing consent as the required basis for behavioural ad-targeting.
Common compliance failures
The recurring patterns in cookie and consent enforcement are well documented: asymmetric accept/refuse UX on cookie banners (the principal CNIL pattern); pre-ticked checkboxes (the Planet49 prohibition); bundled consent covering multiple unrelated processing purposes without granular choice; consent obtained as a pre-condition for receiving a service where the processing is not actually necessary for the service; consent-withdrawal mechanisms that are materially harder than the consent-giving mechanism; failure to record and demonstrate consent (the Article 7(1) accountability dimension); reliance on contract or legitimate-interests for processing where consent is the correct basis (the Amazon CNPD and Meta EDPB pattern).
Defensive controls
For cookie banners specifically: deploy a CMP that offers "Accept all" and "Reject all" on the first screen with equivalent visual weight; do not place tracking cookies before consent; provide granular per-purpose controls in a settings screen; provide a persistent settings icon for ongoing consent management; record consent events with sufficient detail to demonstrate compliance (timestamp, banner version, choices made).
For non-cookie GDPR consent: distinguish processing where consent is the correct lawful basis from processing under other bases; for consent-required processing, use a clear and prominent consent collection UX; avoid bundling unrelated purposes; surface withdrawal mechanisms (e.g. a single-click unsubscribe link in every marketing email); record consent provenance and version.
For special-category data (Article 9(2)(a) explicit consent): require an affirmative action plus an additional confirming step (e.g. tick-box plus confirming statement) to satisfy the higher explicit-consent standard.
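The recording, gating and withdrawal controls listed above for cookie banners and other consent flows can be combined in one small consent ledger. The sketch below is an added example, not code from any CMP or from this page's source; the class, function and purpose names are hypothetical, and the storage is an in-memory array standing in for a durable append-only store.

```javascript
// Added example; every name here is hypothetical, not a real CMP API.
const PURPOSES = ["analytics", "advertising"]; // constructed purpose list

class ConsentLedger {
  constructor(bannerVersion) {
    this.bannerVersion = bannerVersion;
    this.events = []; // append-only: earlier events are never rewritten
  }

  // Record one explicit user action. Purposes not named are stored as refused,
  // so nothing is ever granted by default (no pre-ticked boxes).
  record(subjectId, action, granted, at = new Date()) {
    const choices = Object.freeze(
      Object.fromEntries(PURPOSES.map((p) => [p, granted.includes(p)])));
    const event = Object.freeze({
      subjectId, action, choices,
      bannerVersion: this.bannerVersion,
      timestamp: at.toISOString(),
    });
    this.events.push(event);
    return event;
  }

  // Withdrawal is a single call, the same effort as giving consent.
  withdraw(subjectId, at) {
    return this.record(subjectId, "withdraw", [], at);
  }

  // Latest event wins; a subject with no event has consented to nothing.
  isAllowed(subjectId, purpose) {
    const last = this.proof(subjectId).pop();
    return Boolean(last && last.choices[purpose] === true);
  }

  // All events for one subject: the record a controller would produce
  // to demonstrate consent (timestamp, banner version, choices made).
  proof(subjectId) {
    return this.events.filter((e) => e.subjectId === subjectId);
  }
}

// Gate for tracking code: the loader runs only if the purpose is consented now.
function loadIfConsented(ledger, subjectId, purpose, loader) {
  if (!ledger.isAllowed(subjectId, purpose)) return false;
  loader();
  return true;
}
```

Because the gate checks the latest event on every call, a withdrawal takes effect on the next load without any separate cleanup path.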
Fine band you can expect
For small national controllers with cookie-banner failures, AEPD-style decisions are typically in the €1,000-€50,000 range. For mid-sized national controllers, CNIL and equivalent decisions reach €50,000-€2 million depending on user reach and duration. For major platforms (Google, Meta, Microsoft, Amazon), cookie and consent fines have ranged from €35M to €150M, with the upper end reflecting both the user-reach scale and the deliberate continuation of non-compliant patterns notwithstanding regulator engagement.