Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> But what I cannot understand is forcing me (as a service provider) into a contract with a customer even if the customer rejects some of my terms.

I'm not sure what gives you that impression. If the customer rejects the terms, you are free to walk away.



GDPR requires consent to be freely given. If customer A rejects the terms and you "walk away" and deny the service, then if customer B clicks accept, you still can't interpret it as freely given consent and nothing customer B does will give you the permission to process customer B's data.

The GDPR position is that the privacy rights are not something that customers can "trade away" in a contract, they're not for sale. If the customer genuinely wishes you to do that processing, you're allowed to do so; and if they don't, then that processing shouldn't be done at all.

The way it's written it has some similarities with sexual consent - just as a valid signed contract stating "I'll allow you to violate my arse for $1000000" legally cannot be a binding contract term (even in places where prostitution is legal) doesn't really give you the unconditional permission to violate my arse and that consent can still be withdrawn at any time; in the same manner a contract stating "I'll allow you to violate my privacy for $1000000" cannot be a binding contract term in any consumer contract according to GDPR. Just as many, many other terms in EU consumer contracts (e.g. binding arbitration clauses, voiding of warranties, excessive penalty clauses, unilateral changes in terms, etc) - even if the company puts it into the agreement and the consumer signs, they are considered automatically unfair and unenforceable.


> GDPR requires consent to be freely given. If customer A rejects the terms and you "walk away" and deny the service, then if customer B clicks accept, you still can't interpret it as freely given consent and nothing customer B does will give you the permission to process customer B's data.

Are we conflating two things here?

There are agreements which you ask the customer to sign which are required to provide the service: e.g "In order to send you the goods you required, you have to give us your postal address. These must only be used for the purposes of the business - you can't sell the addresses, without consent.

Then there are consents which are for non-essentials. e.g "We would also like to send you our newsletter and for that you need to give us your e-mail address".

The agreements are things that everyone needs to sign in order for you to carry out the business with them. Consents are the optional things and should be separated out.

Or am I misunderstanding you?


You're right, that's the whole point - the commonly accepted (pre-GDPR) practice conflates these two things; and GDPR now requires them to be separated, which is a major change both in practice and in attitude.

You can have "take it or leave it" agreements, and you can have consent, but these are two separate things; it's not possible to obtain consent by putting some words in a "take it or leave it" standard agreement.




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: