[Sander_Marechal]

> The GDPR says, for example, that refusal should be just as easy as acceptance.

Not true, actually! GDPR is a framework, and every EU country implements a national law according to that framework (e.g. the Dutch implementation is called "AVG"). The specific requirement that refusal must be as easy as acceptance is not in the GDPR, but several countries added it to their national implementation of the GDPR.

[frankvdwaal]

This is a misconception that I've seen going around, and I still wonder where it came from.

The Dutch implementation is called "Uitvoeringswet Algemene Verordening Gegevensbescherming", which, as the title states, is the law that implements the GDPR. "AVG" is just a translation for "GDPR", not the name of the law that implements it.

The Uitvoeringswet describes how the GDPR functions within Dutch law, for example, it describes the role that the Dutch Data Protection Authority plays. You can read the Uitvoeringswet right here: https://wetten.overheid.nl/BWBR0040940/2021-07-01

The GDPR (in Dutch AVG, in French RGPD, in Spanish RGPD, etc.) actually DOES state that it should be just "as easy to withdraw as to give consent" in Article 7. The directive (2016/679) can be found here: https://eur-lex.europa.eu/eli/reg/2016/679.

[underdeserver]

Eh.

> "as easy to with as to give consent"

The full Article 7, section 3, in English, says:

> The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

I think this can be interpreted as, you ask for consent, it doesn't have to be as easy to say no, but once consent is given - it should be as easy to withdraw it as it is to re-give it after it was withdrawn.

Somewhat badly worded, in my opinion. It doesn't unambiguously say "refusing consent every time it is requested should be as easy as accepting it."

[breisa]

That is a common misconception. In EU law, there are regulations and directives. Regulations are immediately active in all EU countries. In contrast, directives need to be translated into national law by each individual country. The GDPR is a regulation. (for details: https://european-union.europa.eu/institutions-law-budget/law... )