What does GDPR Article 7(3) actually require?

It states that the data subject has the right to withdraw consent at any time, and that it shall be as easy to withdraw as to give consent. In practice, regulators read this as requiring symmetric effort: if one click grants consent, withdrawal should not require digging through nested menus.

Is a symmetry score a legal determination?

No. This tool produces a self-assessment finding based on your answers to help you spot obvious asymmetries (a dark pattern risk). It is not legal advice and does not replace a Data Protection Officer review or a supervisory authority's assessment.

Does the data I enter leave my browser?

No. Every answer is processed locally in your browser with JavaScript. Nothing is uploaded, logged, or sent to a server, so you can audit internal flows without exposing them.

What counts as withdrawal being harder than granting?

Common red flags are: granting is one click but withdrawal needs account login, withdrawal is hidden in a settings sub-page, withdrawal requires emailing support, or the granting banner has a prominent Accept but no equally prominent Reject or Withdraw control.

Why does time-to-take-effect matter?

GDPR requires withdrawal to be effective, not just available. If consent is granted instantly but withdrawal takes days to propagate, processing continues without a lawful basis in the interim, which weakens compliance even if a control technically exists.

Consent Withdrawal Flow Checker

A core promise of the GDPR is that consent is freely given and revocable. Article 7(3) is explicit: a person can withdraw consent at any time, and withdrawing must be as easy as giving it. Many sites quietly violate this with a one-click “Accept all” banner but a withdrawal path buried three menus deep — a classic dark pattern. This checker walks you through a structured self-assessment of both flows and returns a symmetry score plus a written finding.

How it works

The tool compares your two flows across four dimensions and looks for asymmetry — places where withdrawal costs the user more effort than granting did:

Steps / clicks: how many discrete actions each path takes. A grant of 1 click vs a withdrawal of 5 is a strong red flag.
Interface location: whether withdrawal lives in the same surface as the consent prompt, or is relocated to a hidden settings page, an email request, or behind a login.
Prominence: whether the original prompt offered an equally prominent reject/withdraw control, or only a prominent accept.
Time to take effect: whether withdrawal is honoured immediately or lags behind, which weakens its effectiveness under Article 7(3).

Each dimension contributes to a 0–100 symmetry score. Larger gaps between the grant and withdrawal answers lower the score. The tool then renders a plain-language finding so you know exactly which dimension to fix first.

Tips and notes

“As easy as” is interpreted by regulators as roughly symmetric effort, not identical pixels. A withdrawal that takes one extra confirmation click is usually fine; one that requires contacting support usually is not.
The strongest fix is a persistent, always-reachable preference control (e.g. a footer “Cookie settings” link or an in-account toggle) that mirrors the original banner.
Remember that withdrawal must be effective: do not keep processing on the old consent after a user opts out. Treat the score as a prompt to verify your backend honours the change promptly.
This is a self-assessment aid, not legal advice. For high-risk processing, have your DPO confirm the finding.