Relying on consent to process personal data may feel intuitive and correct, yet in practice it is often the wrong route in commercial relationships. The strict requirements in the GDPR make consent an uncertain and difficult basis to manage.

Under Article 6 of the GDPR, consent is one of several legal bases for processing personal data. Businesses sometimes choose consent “to be on the safe side”, particularly in customer relationships. It can feel legally prudent to “ask first” – but that reflex often leads you astray. Consent is not a shortcut. It is a complex basis with specific requirements that must be satisfied in each individual case. Under the GDPR, consent must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous
  • Easy to withdraw

In practice, this is more than a tick box. It requires, among other things:

  • No form of pressure or dependency.
  • A genuine choice with no risk of negative consequences if the person says no.
  • Full, understandable and accessible information about the processing.
  • Withdrawal being as simple as giving consent.

If any of these components is missing, the consent is invalid and there is no properly documented legal basis for the processing in question. In such cases, personal data are processed without valid support under the GDPR, with all the associated accountability and risk.

A click is not enough for valid consent under the GDPR

Many companies rely on standardised cookie banners, checkboxes and pre-formulated consent forms. But technical solutions cannot compensate for shortcomings in the legal wording.

Example: a company displays a notice stating “By continuing to use this site you consent to our processing of your personal data.”

This does not meet the requirement for unambiguous or informed consent. The data subject has not received sufficient information, has no real choice, and the controller cannot demonstrate that consent was actually given. The result: the consent is invalid, even if there is a click or a log.

The GDPR requires that it can be demonstrated that consent was given. It is not enough to assert that the customer “consented by clicking”. Companies must be able to show when, how and for what consent was given, and also that it can be withdrawn without negative consequences.

Consent is a commitment – not an insurance policy

Having “consent on paper” may feel safe, but it creates obligations. Those who choose consent as their legal basis must also:

  • Track the scope of the consent and ensure that the processing carried out is covered by it.
  • Handle withdrawals in practice, which can become complex over time, including when processing must be halted or personal data erased after a withdrawal.
  • Update consent wording when processing changes and carry out the new processing only for individuals who have consented to the updated wording.

In many cases this becomes an administrative burden for the business. The risk is that personal data are processed in breach of the GDPR, despite the original intention to “do the right thing”.

Contract and legitimate interests often work in customer relationships

In customer relationships, processing is often better supported by:

  • Contract (Article 6(1)(b)) – for example, handling orders, delivery or customer support.
  • Legitimate interests (Article 6(1)(f)) – for example, direct marketing, fraud prevention, business development.

Both bases impose requirements, but they are practically manageable in commercial contexts. For example, neither gives the customer an absolute right to stop the processing at any time, which spares businesses the uncertainty around changing consents.

However, a balancing test is required when relying on legitimate interests, and the information given to data subjects must be clear. In addition, there is a right to object to processing based on legitimate interests. Compared with consent, this is often a more sustainable solution where the processing itself does not require consent.

The risks of invalid consents

If a business bases its processing on consent – but the consent is invalid – there is no legal basis. The processing is unlawful. In the worst case, this can lead to:

  • Orders from the Data Protection Agency.
  • Prohibition on processing the data.
  • Administrative fines.
  • Claims for compensation from data subjects.

In light of this, using consent by default is often riskier than assessing which bases may apply and selecting the one that best meets the needs and capabilities of both data subjects and the organisation. It is therefore essential to choose the basis carefully – not out of habit, but based on what the situation actually requires.

How Morling Consulting can help

Morling Consulting’s GDPR lawyers help businesses assess when consent is appropriate and when other legal bases may be a better solution. We also assist with drafting clear documentation, conducting legitimate interests assessments and ensuring that the legal basis is correctly selected and documented.