Do People Always Have the Right to Withdraw Consent?
Modern privacy laws contain different definitions for the term “consent,” and different standards for when consent will, and will not, be effective.
In Europe, the right of an individual to withdraw consent for the processing of their personal data has become near axiomatic and is often referred to by Member State supervisory authorities. The right to withdraw consent originates from the text of the General Data Protection Regulation (GDPR) itself as noted by the European Data Protection Board (EDPB):
“. . . the inclusion of specific provisions and recitals on the withdrawal of consent [within the GDPR] confirms that consent should be a reversible decision and that there means a degree of control on the side of the data subject.”
The “specific provision” referred to above is Article 7 of the GDPR, which expressly states that a “data subject shall have the right to withdraw his or her consent at any time.” However, this right exists only where the processing itself is based on consent. Under the GDPR, all processing of personal data must be based on one of six legal bases identified in Article 6, one of which is consent. If a controller is processing personal data based on one of the other five bases, then the individual would not necessarily have the right to withdraw consent. The individual would still have various data subject rights set forth in the GDPR, including the right to object to processing and right to request deletion, but those concepts are slightly different from the right to withdraw consent.
In comparison, modern U.S. data privacy statutes such as the CCPA, CPRA, VCDPA, and CPA do not provide a statutorily conferred right to withdraw consent. While it is possible that courts in those jurisdictions could interpret the privacy statutes as implying such a right, American courts typically follow the doctrine of casus omissus pro omisso habendus est [a matter not covered is to be treated as not covered], under which new rights, or new obligations – such as a right to withdraw consent – that are not discussed within the text of the statute will not be judicially conferred. As a result, courts may interpret the term “consent” using their plain and ordinary meaning typically found within common-usage English dictionaries; not by reference to interpretations of foreign statutes, such as the GDPR, which contain language not found within the American counterparts.
 EDPB, Guidelines 05/2020 on consent under Regulation 2016/679 Version 1.0 (Adopted on 4 May 2020) at para. 10.