Under GDPR consent can’t be “freely given” when it’s bundled as a condition of service unless the consent they’re asking for is necessary in order to perform the service. To use your example:
The grocery store doesn’t need to ask if you consent to paying for an apple because if you didn’t consent there wouldn’t be any transaction to perform.
Now if you paid for your apple and the cashier said okay hand over your phone so I can poke around a bit because there’s some fine print that says by nature of walking through the front doors you agree to allow the store to look through your phone. Did you consent to that? Of course not.
Consent wasn’t “freely given” because the store is requiring you disclose information (the contents of your phone) as a condition of service (you can’t even walk through the door without “consenting” let alone make a purchase) and that information isn’t necessary in order for the store to complete the transaction.
GDPR says they have to ask you first (usually in the form of a giant irritating banner as soon as you walk in the door) and that if you say no they have to let you buy your apple anyway.
> GDPR says they have to ask you first (usually in the form of a giant irritating banner as soon as you walk in the door) and that if you say no they have to let you buy your apple anyway.
Can you link to source for this (the part that says you can't deny access)?
Perhaps I’ve oversimplified a bit. GDPR has a paragraph that’s often called the “coupling prohibition” - Article 7(4):
> When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
It somehow says a whole lot and not much at the same time. Since every member state and everyone who has to comply needs to interpret what GDPR means there are various “recitals” that offer official guidance. One of those is Recital 42 - Burden of Proof and Requirements for Consent[1] which says:
> Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
So a person must be able to refuse consent “without detriment” and the company is meant to provide an equivalent, but necessarily identical, service to those who do not consent.
What that means exactly is, of course, the subject of much litigation. For example is it a “detriment” to require a subscription fee to those who do not consent to information sharing? So far one ruling (Austria) has said no, provided the fee is reasonable while another (UK) has said yes, the equivalent service must also be free.
As far as how the coupling prohibition should or will apply to a company like facebook - where harvesting user data is the entire business model - I think that is yet to be clearly determined. As are most of the nuances and technicalities in GDPR.
Edit: I should also note that consent is just one avenue to legally allow a company to process user data under GDPR. It’s not the only avenue.
This really shouldn't be left to interpretation, both Article 7(4) and Recital 42 define what is "freely given consent" and in no way limits the actions i can take as a site owner. It is clear that a "cookie wall" isn't considered a "freely given consent" so you can't process personal data based on that.
Correct you can’t process personal data based on it. And the underlying implication is that none of the consent you’ve obtained via a cookie wall is valid because you haven’t given any users the opportunity to “refuse without detriment” (because their options are to consent or see nothing). So the information you’re processing on behalf of users who clicked “I agree” - even the users who do in fact knowingly and willingly agree to the information processing - might be lacking a legal basis.
The grocery store doesn’t need to ask if you consent to paying for an apple because if you didn’t consent there wouldn’t be any transaction to perform.
Now if you paid for your apple and the cashier said okay hand over your phone so I can poke around a bit because there’s some fine print that says by nature of walking through the front doors you agree to allow the store to look through your phone. Did you consent to that? Of course not.
Consent wasn’t “freely given” because the store is requiring you disclose information (the contents of your phone) as a condition of service (you can’t even walk through the door without “consenting” let alone make a purchase) and that information isn’t necessary in order for the store to complete the transaction.
GDPR says they have to ask you first (usually in the form of a giant irritating banner as soon as you walk in the door) and that if you say no they have to let you buy your apple anyway.