> It’s probably not against the law and the situation you have described is a valid method to establishing lawful basis under the GDPR. It’s really not all about “consent” - we hear that too much.
Various data protection authorities have concurred that forced consent isn't consent. For consent to be valid, it needs to be freely given, informed, and not tied to the provision of a service, such that provision is dependent on unrelated consent.
There's also restrictions on consent being used where there are imbalances of bargaining power (so for example, consent isn't a valid legal basis for processing data at all in an employer/employee scenario due to the imbalance. Another legal basis is needed).
One area of interest in future would be how the imbalance of power could be interpreted - consumers generally can't negotiate anything with any internet company (unlike negotiation with small businesses), and in many cases companies can hold them hostage until they consent (if Google won't let you into your email until you consent to something, that's clearly coercive and abuse of power). When regulators finally learn to move faster, it will be interesting to see how widely this can be applied - could it even extent to a company which holds a monopoly status in a market, due to lack of meaningful choice? I think it could.
In any case, the smart money is on not relying on consent as a legal basis unless you have no other option - it's the least durable basis, and can be revoked at any time.
Various data protection authorities have concurred that forced consent isn't consent. For consent to be valid, it needs to be freely given, informed, and not tied to the provision of a service, such that provision is dependent on unrelated consent.
There's also restrictions on consent being used where there are imbalances of bargaining power (so for example, consent isn't a valid legal basis for processing data at all in an employer/employee scenario due to the imbalance. Another legal basis is needed).
One area of interest in future would be how the imbalance of power could be interpreted - consumers generally can't negotiate anything with any internet company (unlike negotiation with small businesses), and in many cases companies can hold them hostage until they consent (if Google won't let you into your email until you consent to something, that's clearly coercive and abuse of power). When regulators finally learn to move faster, it will be interesting to see how widely this can be applied - could it even extent to a company which holds a monopoly status in a market, due to lack of meaningful choice? I think it could.
In any case, the smart money is on not relying on consent as a legal basis unless you have no other option - it's the least durable basis, and can be revoked at any time.