Much of modern data privacy law revolves around one central concept: user consent. Frameworks such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and similar laws worldwide treat consent as a key legal basis for collecting and processing personal data. 

On paper, this makes perfect sense: We strive to create a situation where a user understands what data is being collected and agrees to it. If the user does not agree, the data should not be processed.

In practice, things are rarely that straightforward. In many situations, people click “agree” not because they truly want to share their data, but because refusing is not a realistic option. Access to housing, credit, employment, or essential digital services may depend on accepting the terms. What does this mean for regulators, users, and businesses? Let’s dive in to find out. 

‍

When Consent Isn’t Real

The gap between formal consent and genuine choice appears in multiple real-world scenarios.

Consider, for example, the rental market, where a built-in power imbalance exists. In some countries, prospective tenants are required to allow access to their personal data through online platforms to apply for housing. A recent Guardian article highlighted how renters are asked to upload financial records, identification documents, and other sensitive information simply to be considered for an apartment. 

Another example comes from the growing use of credit-score apps. In certain situations, landlords or lenders ask applicants to generate a credit score using a specific app and share the results. Technically, the user downloads the app voluntarily. In reality, the choice is constrained: no app, no apartment, no loan.

There are also long-standing examples in the workplace. Employees may be asked to consent to certain forms of monitoring or data processing. Regulators have long recognized that consent in employment relationships is problematic because employees depend on their employer.

Across these situations, the pattern is similar. A person technically clicks “agree,” but the surrounding circumstances leave little meaningful room to say no.

‍

How Courts and Regulators Evaluate Consent

Regulators have been increasingly explicit about this issue. Under the General Data Protection Regulation, consent must be “freely given, specific, informed and unambiguous.” This definition matters because consent that is not freely given is simply invalid.

The European Data Protection Board has repeatedly warned companies about “bundling” consent with access to services. If users must agree to unnecessary data processing to access a service, regulators may conclude that they had no real choice.

A similar debate has surrounded the business model of major digital platforms. In Europe, regulators have challenged Meta's “pay or consent” model. Users could either pay a subscription fee or agree to personalized advertising based on extensive data processing. Regulators argued that the choice was artificial because most users were effectively pushed toward consenting.

‍

Seemingly technical issues are also part of the conversation. In the 2019 Planet49 case, for instance, the Court of Justice of the European Union confirmed that valid consent requires an active and genuine choice, and practices such as pre-ticked cookie-consent checkboxes undermine that requirement.

Still, not every case is clear-cut. Situations like rental screening platforms or credit-score apps involve multiple actors. The people providing consent are not always the platform's direct customers. Instead, they may be responding to pressure from a third party such as a landlord or lender.

This makes responsibility harder to untangle. On the surface, the app provider may argue that users voluntarily choose to download the app. But if the broader business model depends on third parties effectively forcing that choice, regulators may view the situation differently. 

In such cases, multiple actors could face scrutiny. The app provider may act as the data controller operating the scoring system, while the landlord or lender who requires the specific tool may also play a role in shaping the data processing and could be considered a joint controller. If the consent collected is ultimately deemed invalid, both participants may face regulatory scrutiny.

‍

The Next Privacy Risk for Businesses

When access to essential services such as housing, credit, or major digital platforms depends on accepting data collection, the idea of “freely given” consent becomes fragile.

Just because we haven’t seen courts address these complex situations yet doesn’t mean we’re not headed in that direction. As privacy regulation evolves, the gap between formal consent and real choice is likely to receive much-earned attention. 

Future court cases will likely explore these gray areas, and platforms that rely on indirect pressure may find that regulators look beyond the simple “agree” button and examine the surrounding power dynamics. For businesses, this creates both legal and strategic risk. If a product’s core business model depends on consent that regulators later consider invalid, the consequences can be significant. 

‍

Companies should be prepared in advance: redesign their data practices, change their legal bases for processing, and abandon parts of the model entirely. They should also consider using consent management tools like the one featured in MineOS. Businesses that treat consent as a legal shortcut rather than a meaningful decision may find that the ground beneath their model shifts as privacy law continues to evolve.

‍