Withdrawing consent — as easy as giving it (GDPR Art. 7)
Withdrawing consent must be as easy as giving it. No "are you sure?" pop-ups, no hidden opt-outs, no fees.
GDPR Art. 7(3) is crystal clear: the data subject has the right to withdraw consent at any time, and it must be as easy to withdraw as to give it. Yet this is the right most often worked around: businesses build dark patterns.

What does this right cover?
Any processing based on consent as the lawful ground (Art. 6(1)(a)): newsletter sign-up, cookies, marketing profiles, participation in research databases, sharing data with partners, storing photos in public galleries.

What is NOT "as easy"?
(1) Sign up in one click, unsubscribe via phone during office hours.
(2) Unsubscribe link at the bottom of an email leading to a form with 7 fields.
(3) "Confirm your decision" email that must be clicked within 24 hours.
(4) "Hold on, we'll miss you" pop-ups requiring re-confirmation.
(5) Hidden sub-settings three pages deep.

What is allowed?
One click on the unsubscribe link and you are unsubscribed immediately, with at most a short confirmation page.

Cookies-specific (Dutch Telecoms Act 11.7a): the opt-out must be as prominent as the opt-in. "Accept all" as a big button + "Reject" as a small link is unlawful (Booking ruling 2023).

Effect of withdrawal: further processing must stop. Stored data may remain until the retention period expires, but no new processing is allowed. Alongside withdrawal, also request erasure (Art. 17) if you want the data gone.

Demand letter + AP complaint: if the unsubscribe link doesn't work or you still get mail after withdrawal, send a 14-day demand letter, then go to the AP.

The direct-marketing objection (Art. 21(2)) is a stronger sibling right. For commercial emails, always say "I withdraw consent AND object to direct marketing".