Source: Ius Mentis
Many small businesses assume that if a customer clicks "agree" on their terms and conditions, they have covered their legal bases for using personal data. According to Dutch internet law blog Ius Mentis, written by Arnoud Engelfriet, that assumption is wrong.
According to Ius Mentis, the GDPR makes it legally impossible to obtain valid consent for personal data use through terms of service or general conditions. The reason is straightforward: GDPR requires consent to be specific. A clause buried in a set of terms almost never meets that standard.
The blog post, published on 2 April 2026, points specifically to Article 7(2) GDPR (artikel 7 lid 2 AVG). According to Ius Mentis, this article requires any request for consent to be presented in a clearly distinguishable, intelligible and plain-language form, separate from other matters. A legal clause tucked into a page of standard conditions reportedly never clears that bar.
The practical consequence, according to the blog, is that you cannot avoid using a separate tick box. And that tick box must be specific. A general statement such as "we may use your data" is not enough. The purpose and recipient need to be clear.
Ius Mentis draws a distinction between personal data and non-personal data. For non-personal data, the blog notes that a European regulation known as the Data Act, introduced in 2025, sets some limits on what service providers can do. However, the blog author notes there is no case law on those provisions yet, so the practical picture for non-personal data remains less settled.
This article focuses on personal data, where the rules are, according to Ius Mentis, clear and strict.
The blog also highlights a point that is easy to overlook. Under Dutch civil law, specifically artikel 6:233 Burgerlijk Wetboek, unreasonably burdensome terms can be set aside. According to Ius Mentis, the legal principle in Europe is not "you should have read the terms and avoided the service." It is closer to "unusual or unlawful clauses in terms are not binding." That is a meaningful protection for consumers, and a meaningful risk for businesses whose terms go too far.
For a deeper look at what GDPR requires from your business, see the GDPR compliance checklist and the guide on privacy policy requirements.
If your website collects personal data and you rely on your terms and conditions to cover consent, that approach is not legally valid under GDPR. You need a separate, specific consent mechanism, such as a clearly labelled tick box, that explains exactly what you are asking permission for. Reviewing your current setup against the GDPR requirements for small businesses is a practical next step.