GDPR-008 | Critical | Consent Management

Consent withdrawal mechanism

Withdrawal must be as easy as giving consent. Provide persistent access to consent settings (footer link, settings page). Verify withdrawal stops tracking.

Question to ask

"Withdrawing consent — easier or harder than giving it?"

Verification guide

Severity: Critical

GDPR requires that withdrawing consent is as easy as giving it. Users need a persistent way to change their preferences.

Check automatically:

# Look for consent withdrawal/revoke functionality
grep -riE "withdraw.*consent|revoke.*consent|remove.*consent|opt.*out|unsubscribe" src/ app/ --include="*.ts" --include="*.js" --include="*.py"

# Check for preference center or settings
grep -riE "preference.*center|privacy.*setting|cookie.*setting|manage.*consent|consent.*preference" src/ app/ --include="*.ts" --include="*.js" --include="*.html"

# Look for consent update endpoints
grep -riE "update.*consent|consent.*update|change.*consent" src/ app/ routes/ controllers/ --include="*.ts" --include="*.js"

# Check for re-accessible consent banner
grep -riE "reopen.*banner|show.*consent|manage.*cookie|cookie.*icon|privacy.*icon" src/ app/ --include="*.ts" --include="*.js"

Ask user:

  • "How do users withdraw consent?" (settings page, re-open banner, email request?)
  • "Is it as easy as giving consent?" (GDPR requirement)
  • "Does withdrawal actually stop tracking?" (verified?)
  • "Is there a persistent way to access consent settings?" (footer link, settings page)

Withdrawal accessibility:

Method                          GDPR compliant?
Settings page with toggle       Yes
Footer link to re-open banner   Yes
"Email us to opt out"           No - too difficult
Clear cookies manually          No - not a real mechanism
Floating privacy icon           Yes

Pass criteria:

  • Users can withdraw consent without contacting support
  • Withdrawal is as easy as initial consent (one-click or similar)
  • Persistent access to consent settings (not just on first visit)
  • Withdrawal actually stops tracking (verified)

Fail criteria:

  • No withdrawal mechanism
  • Must email support to withdraw
  • Can only withdraw by clearing cookies
  • Consent banner only shows once, no way to change later
  • Withdrawal UI exists but doesn't actually stop tracking
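The last pass criterion and the last fail criterion are the ones that cannot be settled by reading the UI. The example below is added here and is not code from the checklist or from any particular consent library: a small consent manager in which withdrawal both gates future tracking calls and deletes the identifiers already set, alongside a verification routine that runs the grant/track/withdraw/track cycle and reports whether anything leaked. Category names, cookie names and the event shape are constructed for the example; the `gateTracking` switch exists only to reproduce the "UI toggles state but the tracker never consults it" failure so the check can be seen rejecting it.

```javascript
// Added example (not from the checklist). All names are hypothetical.
// cookieJar is a Map of cookie name -> value standing in for document.cookie;
// transport is an array capturing events that would go to an analytics endpoint.

const COOKIES_BY_CATEGORY = {
  analytics: ['analytics_id', 'analytics_session'], // constructed names
  marketing: ['ad_id'],
};

function createConsentManager(cookieJar, transport, gateTracking = true) {
  const consent = { analytics: false, marketing: false };
  const listeners = [];
  let idCounter = 0;

  function setConsent(changes) {
    for (const [category, granted] of Object.entries(changes)) {
      if (!(category in consent)) throw new Error(`unknown category: ${category}`);
      consent[category] = Boolean(granted);
      if (!granted) {
        // Withdrawal must also remove identifiers already placed, not only
        // stop future events; otherwise the user stays linkable.
        for (const name of COOKIES_BY_CATEGORY[category]) cookieJar.delete(name);
      }
    }
    listeners.forEach((fn) => fn({ ...consent }));
  }

  // Symmetric one-click paths: accepting everything and withdrawing
  // everything take the same effort, which is the GDPR "as easy as" test.
  const acceptAll = () => setConsent({ analytics: true, marketing: true });
  const withdrawAll = () => setConsent({ analytics: false, marketing: false });

  function track(category, event) {
    // gateTracking=false models the fail case: a consent UI exists, but the
    // tracker never checks it, so withdrawal changes nothing in practice.
    if (gateTracking && !consent[category]) return false;
    const idCookie = COOKIES_BY_CATEGORY[category][0];
    if (!cookieJar.has(idCookie)) cookieJar.set(idCookie, `id-${++idCounter}`);
    transport.push({ category, ...event });
    return true;
  }

  return {
    setConsent,
    acceptAll,
    withdrawAll,
    track,
    onChange: (fn) => listeners.push(fn),
    snapshot: () => ({ ...consent }),
  };
}

// Runs the cycle the checklist asks you to verify: grant, track, withdraw,
// track again. Returns the observations plus an overall pass/fail verdict.
function verifyWithdrawalStopsTracking(makeManager) {
  const cookieJar = new Map();
  const sent = [];
  const cm = makeManager(cookieJar, sent);

  cm.acceptAll();
  const sentWhileConsented = cm.track('analytics', { name: 'page_view' });
  const cookiesAfterGrant = cookieJar.size;

  cm.withdrawAll();
  const sentAfterWithdrawal = cm.track('analytics', { name: 'page_view' });
  const cookiesAfterWithdrawal = cookieJar.size;

  return {
    sentWhileConsented,
    cookiesAfterGrant,
    sentAfterWithdrawal,
    cookiesAfterWithdrawal,
    eventsDelivered: sent.length,
    passes:
      sentWhileConsented &&
      cookiesAfterGrant > 0 &&
      !sentAfterWithdrawal &&
      cookiesAfterWithdrawal === 0 &&
      sent.length === 1,
  };
}

// Usage: the gated manager passes, the UI-only one fails on both counts
// (an event still leaves and an identifier cookie is re-created).
console.log(verifyWithdrawalStopsTracking((jar, sent) => createConsentManager(jar, sent)));
console.log(verifyWithdrawalStopsTracking((jar, sent) => createConsentManager(jar, sent, false)));
```

In a real deployment the same routine is worth running as an end-to-end test against the live page (accept, fire a page view, withdraw, fire another) while watching outbound requests and the cookie store, since that is the evidence the "Verification that withdrawal stops tracking" item asks for.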

Evidence to capture:

  • Withdrawal mechanism (settings page, banner re-open, etc.)
  • How users access it (footer link, account settings, floating icon)
  • Verification that withdrawal stops tracking

Section: 37. GDPR & Privacy Compliance (Operations & Incident Management)