October 1, 2022

Volume XII, Number 274


Do People Always Have the Right to Withdraw Consent?

Modern privacy laws contain different definitions for the term “consent,” and different standards for when consent will, and will not, be effective.

In Europe, the right of an individual to withdraw consent for the processing of their personal data has become near axiomatic and is often referred to by Member State supervisory authorities. The right to withdraw consent originates from the text of the General Data Protection Regulation (GDPR) itself as noted by the European Data Protection Board (EDPB):

“. . . the inclusion of specific provisions and recitals on the withdrawal of consent [within the GDPR] confirms that consent should be a reversible decision and that there remains a degree of control on the side of the data subject.”[1]

The “specific provision” referred to above is Article 7 of the GDPR, which expressly states that a “data subject shall have the right to withdraw his or her consent at any time.” However, this right exists only where the processing itself is based on consent. Under the GDPR, all processing of personal data must be based on one of six legal bases identified in Article 6, one of which is consent. If a controller is processing personal data based on one of the other five bases, then the individual would not necessarily have the right to withdraw consent. The individual would still have various data subject rights set forth in the GDPR, including the right to object to processing and right to request deletion, but those concepts are slightly different from the right to withdraw consent.

In comparison, modern U.S. data privacy statutes such as the CCPA, CPRA, VCDPA, and CPA do not provide a statutorily conferred right to withdraw consent. While it is possible that courts in those jurisdictions could interpret the privacy statutes as implying such a right, American courts typically follow the doctrine of casus omissus pro omisso habendus est [a matter not covered is to be treated as not covered], under which new rights or new obligations – such as a right to withdraw consent – that are not discussed within the text of the statute will not be judicially conferred. As a result, courts may interpret the term “consent” using its plain and ordinary meaning, typically found within common-usage English dictionaries, and not by reference to interpretations of foreign statutes, such as the GDPR, which contain language not found within the American counterparts.


[1] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679 Version 1.0 (Adopted on 4 May 2020) at para. 10.

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 32

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425