“Poor old Google!” It’s not a phrase that you hear very often, but it is clear at the moment that Google, like Facebook, is paying the price for its market dominance in the personal data (and specifically in the targeted ads) economy.

Its position has put it in the firing line of a new movement of privacy activists, determined to establish the limits of the GDPR legislation. The recent reports of a significant fine being imposed by the French data authority, the CNIL, have now been followed by confirmation that the ICO has Google in its sights as well.

But, if the point of making an example of Google is to teach everyone else a lesson, it’s important to be clear what that lesson is (and isn’t). Talk of “forced consent” in this context runs the risk of being misleading.

Processing of personal data under GDPR is permitted where there is a lawful basis for the processing. That lawful basis might be consent, in which case it has to be obtained willingly, without conditions, and from a well informed data subject. This makes it ideal for simple interactions, like marketing communications. A customer visits a website, gives their email address and agrees to receive emails. If they change their mind they can withdraw consent (unsubscribe) at any time.

Consent is far from ideal, though, as a basis for more complex interactions. The same customer visits the website and orders a product. They give their payment information, home address for delivery and contact information. If they change their mind about the order they might be able to cancel, but if the order proceeds their personal data has to be processed, in order to fulfil it. Revoking consent to process that data would leave the company in an impossible position - in breach of contract for failing to deliver or in breach of data protection law.

This is why other lawful bases for processing exist. Crucially, though, even if you are processing on a different basis than consent, you still need to draw your privacy notice to the data subject’s attention, and best practice is to get them to confirm that they have seen it and understand that it applies to data they provide.

If they won’t do that, then it is quite right that the business says it cannot engage with them. They want an interaction which is fundamentally impossible without the data processing envisaged. Almost inevitably, though, such a situation implies that consent will not be the right basis for processing.

Whether Google has successfully navigated that legislative tightrope remains to be seen, but for businesses looking for guidance about how to arrange their own interactions, they can take some comfort from the fact that with careful thought about the appropriate basis for processing, and with openness and clarity in your privacy notices, there is no need to fall into the same traps.