In May 2018 the EU General Data Protection Regulation (GDPR) comes into effect. The GDPR is an extensive revision of EU privacy law and will have a significant impact on any company handling personal data.

This blog post is part of a series where we illustrate and discuss the most important concepts in the GDPR, and the implications for people and industry.

A consent is simply a permission to something a person understands the implications of. In a legal sense, a person's consent to process his or her personal data is an act to permit processing that might otherwise be prohibited.

GDPR (Articles 6.1 (a), 9.2 (a), 49.1 (a)) says that consent is a valid legal basis for processing personal data when the consent is freely given ((GDPR Article 4(11)). In other words, tricks to have people “accept” things that does not reflect their wishes is not a valid consent under the GDPR.

Let’s explore a scenario where companies ask for a person's consent to process his or her personal data. We’ll do so through the fictitious character Anna.

Meet Anna


Anna is a 25 year old woman. She works as a pharmacist in Amsterdam. Anna is passionate about healthy living, trains fitness, shops health & beauty products online, and shops her nutrition offline. Anna suffers from strong dust and pollen allergy. She is also the lead singer in a folk-rock band.

Anna reads about food, lifestyle, health & fitness and new job positions at the newspaper websites AlDente, BeCool, Go Fresh and Career Booster. Unknown to Anna, all these sites are owned by the media group News Ahead. She’s also reading some local music blogs about what’s happening in Amsterdam.

She does so using Internet Explorer on her work PC (it's what IT installed), Safari on her iPad, and Chrome on her Android phone.

Most of the websites Anna uses has a lot of ads. She ignores most of them, but sometimes an ad catches her interest. For example, she has been considering taking courses to advance her career in pharmacy, and the other day an ad for a relevant course had her interested. Come to think of it, she recently also purchased a new fitness watch after clicking on an ad for it (it was a limited time discount offer).

The other day Anna got an uncomfortable feeling of deja vu. She had ordered her fitness watch, and suddenly the ad for the watch was shown on BeCool when she was reading about something completely different. And later that day, at home, when researching pharmacy courses on Career Booster she got the same ad!

Are somebody tracking her across these websites? How can they otherwise figure out to show her very specific ads for the watch she had been interested in - even in the right color!

Anna decides to do some investigation on her own. She discovers that advertising companies collect data across a lot of web sites, and uses the data to build a profile of her. The profile is used to target ads specifically for her. On one hand that feels a bit spooky, but on the other hand she also get more relevant ads. Anna tries to find out whether she can turn the interest based advertising off. Maybe not entirely, but at least for the watch she has already ordered.

Anna feels angry. Nobody asked her for permission to track her online. Not the BeCool, not Go Fresh and certainly not the advertising companies. Anna remembers that it’s a while since she talked to her childhood friend Mary, a consumer rights lawyer. Time to catch up.

How to contact us

If you want to chat about this topic or personal data, privacy and GDPR at large feel free to send an email to hello@signatu.com. You can also follow @signatucom on Twitter.