It's not really that weird - it's almost the whole point!
The idea of GDPR generally is to prevent some undesirable behaviour (i.e. indiscriminately vacuuming up all the personal data you can and being careless with it), in part by establishing a regulation that says "you need to have good reasons if you want to process personal data". This means we have to define, among other things, what "good reasons" are.
In GDPR terms this would be the "lawful basis" for processing data. There are a bunch of these, including "you gave explicit consent", "it is a legal requirement", and "we have a legitimate interest in doing so".
The thing is, if "consent" is the basis on which you are processing data, then you cannot reasonably refuse service to someone who withholds consent – because that action would itself demonstrate that consent is not the lawful basis you are using. It's not a ban on discrimination, but the fact that your argument for why you need to process personal data would no longer be valid.
> The thing is, if "consent" is the basis on which you are processing data, then you cannot reasonably refuse service to someone who withholds consent – because that action would itself demonstrate that consent is not the lawful basis you are using. It's not a ban on discrimination, but the fact that your argument for why you need to process personal data would no longer be valid.
This seems backward to me - by allowing access to users who don't consent, you are implying that consent to track is not at all necessary to your functioning, and thus doing the tracking at all is now for invalid reasons... yea?
This is all obviously simplified, but “consent” and “necessary to functioning” are two different justifications for processing data. The GDPR does not require consent; it requires some kind of justification—a “lawful basis”— for processing, and “consent” is just one of those.
Think of it like this - if you want to process some personal data, regulations now oblige you to have a justification for doing so. That’s what GDPR calls a “lawful basis”, and there are six of them that can be used:
- Contract – "processing your data is required to offer or fulfil a contract with you"
- Consent – "we asked to process your data and you explicitly said it was okay"
- Legal obligation – "we need to process your data to comply with the law"
- Vital interest – "you were likely to die unless we processed this data"
- Public task – "we need to process your data to perform some kind of officially sanctioned public service"
- Legitimate interest – "we need to process this data for some other legitimate reason and promise that we won't do anything unexpected or unreasonable with it"
So, if you're running a website and you want to collect visitor data, you now need to justify why you are doing so, using one of these reasons. Each of these reasons outlines when they can be used, and what conditions apply to their use as a justification.
If you were running e.g. an insurance comparison site, you'd use the "contract" basis – processing a subject's data is necessary to fulfil some kind of service. A separate "consent" is not required. If you wanted to log requests to your site so you can detect intrusion attempts, you have a "legitimate interest" basis and again "consent" is not required – instead, you need to ensure you have evaluated the data you collect and demonstrated why it is required to fulfil that function.
To the specific point you raised – if your website legitimately needs to process data for reasons that are "necessary to your functioning", then you do not need consent to do so. You do need to document why this is the case, communicate it to users, provide adequate safeguards etc. but don't need to obtain an explicit consent. If you aren't able to use this approach, you still need a justification for your processing; if you want to use "explicit consent" as your reason, then that comes with the requirement that the consent is freely-given, explicitly opt-in, and is not a precondition for accessing the service.
If you decided to make "consent" a requirement to access a service, you would inherently be demonstrating that you did not meet the requirements for making that your "lawful basis" for processing.
Sorry that came out quite long, but I think it's important that anybody working with personal data understands these ideas!