GDPR Consent Rules: Why Terms of Service Fail
By Steven | TrustYourWebsite | 2 min read
Source: Ius Mentis
Many small businesses assume that if a customer clicks "agree" on their terms and conditions, they have covered their legal bases for using personal data. According to Dutch internet law blog Ius Mentis, written by Arnoud Engelfriet, that assumption is wrong.
What the law actually requires
According to Ius Mentis, the GDPR makes it legally impossible to obtain valid consent for personal data use through terms of service or general conditions. The reason is straightforward: GDPR requires consent to be specific. A clause buried in a set of terms almost never meets that standard.
The blog post, published on 2 April 2026, points specifically to Article 7(2) GDPR (artikel 7 lid 2 AVG). According to Ius Mentis, this article requires that any request for consent must be presented in a clearly distinguishable, intelligible and plain-language form, separate from other matters. A legal clause tucked into a page of standard conditions reportedly never clears that bar.
The practical consequence, according to the blog, is that you cannot avoid using a separate tick box. And that tick box must be specific. A general statement such as "we may use your data" is not enough. The purpose and recipient need to be clear.
What about non-personal data?
Ius Mentis draws a distinction between personal data and non-personal data. For non-personal data, the blog notes that a European regulation known as the Data Act, introduced in 2025, sets some limits on what service providers can do. However, the blog author notes there is no case law on those provisions yet, so the practical picture for non-personal data remains less settled.
This article focuses on personal data, where the rules are, according to Ius Mentis, clear and strict.
Terms can be challenged
The blog also highlights a point that is easy to overlook. Under Dutch civil law, specifically artikel 6:233 Burgerlijk Wetboek, unreasonably burdensome terms can be set aside. According to Ius Mentis, the legal principle in Europe is not "you should have read the terms and avoided the service." It is closer to "unusual or unlawful clauses in terms are not binding." That is a meaningful protection for consumers, and a meaningful risk for businesses whose terms go too far.
For a deeper look at what GDPR requires from your business, see the GDPR compliance checklist and the guide on privacy policy requirements.
What does this mean for your website?
If your website collects personal data and you rely on your terms and conditions to cover consent, that approach is not legally valid under GDPR. You need a separate, specific consent mechanism, such as a clearly labelled tick box, that explains exactly what you are asking permission for. Reviewing your current setup against the GDPR requirements for small businesses is a practical next step.