People can change their mind.

Anyone might accidentally or heedlessly agree to something, then have second thoughts.

The law takes account of this. For example, under the UK's Consumer Contracts (Information, Cancellation, and Additional Charges) Regulations 2013 a consumer has the right to cancel any service they might buy online within 14 days.

You would expect similar treatment when you give consent to the use of cookies or other browser storage, and in fact your right is even stronger. The GDPR requires there is no time limit, you always have a right to revoke your consent, it must be as easy to revoke your consent as to give it, and you must be able do so at any time without detriment. Article 17 also obliges the controller of the website to erase any personal data without undue delay when consent is withdrawn, so that not only cookies or other browser storage items are promptly deleted, but also any personal data records that may have been derived from them.

Tracking still requires cookies or other browser storage, and these, whether "first-party" or "third-party", require unambiguous & freely given user consent, as they have since 2012 when PECR came into force in the UK, along with ePrivacy & equivalent laws across Europe.

This is also where most other CMPs (Consent Management Platforms) fail. If a person changes their mind and withdraws their consent the correlation records will still exist, so rendering the consent invalid.

If you need help with ensuring your websites comply with the law contact us. We not only offer unique technical & compliance consultancy but also a consent platform that works.

GDPR consent must be revocable

Check out our other blog posts