Right to Object: When Data Subjects Can Stop You Processing Their Data

The Right That Can Shut Down Your Processing

The right to object is one of the most powerful tools available to data subjects under the GDPR. Unlike the right of access or the right to rectification, which ask you to do something with data, the right to object tells you to stop doing something. Stop processing. Stop profiling. Stop sending marketing. In some cases, you have no choice but to comply immediately and without question.

For many small and medium-sized businesses, the right to object matters most in the context of marketing. If someone objects to receiving your marketing emails, that is the end of the conversation. There is no balancing test, no legitimate interest argument, no exception. You stop. But the right to object goes further than marketing, and understanding the full scope is essential for handling these requests correctly.

This article explains what Article 21 actually requires, how the three different objection rights work, how to handle each type of request, and how equivalent rights work under the CCPA and PIPEDA.

What GDPR Article 21 Actually Contains

Article 21 is not a single right. It bundles three separate rights together, each with different rules, different thresholds, and different consequences. Getting them confused is one of the most common compliance mistakes businesses make.

1. General Objection (Article 21(1))

The first right allows individuals to object to processing that is based on two specific legal grounds:

• Public interest or official authority (Article 6(1)(e))
• Legitimate interests (Article 6(1)(f))

This includes profiling based on either of those grounds.

When someone exercises a general objection, you do not automatically have to stop processing. Instead, the GDPR requires you to conduct a balancing test. You must demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the individual, or show that the processing is necessary for the establishment, exercise, or defense of legal claims.

If you cannot demonstrate compelling grounds, you must stop processing.

The critical word here is "compelling." This is a deliberately higher bar than the standard legitimate interests assessment you conducted when you first chose your legal basis. The fact that you passed the original balancing test under Article 6(1)(f) does not mean you will pass this one. The individual is now actively telling you they object, which shifts the balance.

2. Direct Marketing Objection (Article 21(2)-(3))

This is the most powerful right available to any data subject under the GDPR. When someone objects to their personal data being processed for direct marketing purposes, you must stop. Period.

Article 21(2) states: "Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing."

Article 21(3) adds: "Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes."

There is no balancing test. There is no exception for compelling legitimate grounds. There is no provision for contractual necessity or legal claims. The right is absolute. This makes it unique among GDPR data subject rights — even the right to erasure under Article 17 has exceptions.

This absolute right extends to profiling related to direct marketing. If you segment your customer database to target marketing messages, and someone objects, you must stop both the marketing messages and the profiling that supports them.

3. Research and Statistics Objection (Article 21(6))

The third right allows individuals to object to processing carried out for scientific or historical research purposes, or for statistical purposes under Article 89(1). However, this right has an exception: you can continue processing if it is necessary for the performance of a task carried out for reasons of public interest.

For most businesses, this provision is less relevant than the other two. It primarily affects research institutions, public health bodies, and organizations performing statistical analysis in the public interest.

What Counts as Direct Marketing

Because the direct marketing objection is absolute, the definition of "direct marketing" matters enormously. The GDPR does not define the term explicitly, but the ICO and European Data Protection Board (EDPB) guidance makes clear it covers a broad range of activities:

| Activity | Counts as Direct Marketing? | |---|---| | Email marketing campaigns | Yes | | Postal marketing (catalogs, letters) | Yes | | Telemarketing calls | Yes | | SMS/text marketing | Yes | | Targeted advertising on social media | Yes | | Retargeting/remarketing ads | Yes | | Profiling for marketing segmentation | Yes | | Personalized product recommendations (marketing context) | Yes | | Transactional emails (order confirmations, shipping updates) | No | | Service communications required by contract | No | | General brand awareness advertising (not targeted at individuals) | Generally no |

The key test is whether the processing involves communicating marketing material to specific identified individuals, or profiling individuals to support such communications. If the answer is yes, the absolute objection right applies.

One area that catches businesses off guard is profiling for segmentation. Even if you are not sending the marketing message directly, if you are analyzing personal data to categorize individuals for marketing purposes — creating audience segments, scoring leads, building lookalike profiles — that processing falls within scope. An objection requires you to stop the profiling, not just the final message.

How to Respond to a General Objection

When you receive an objection to processing based on legitimate interests (not direct marketing), follow this workflow:

Step 1: Acknowledge the Request

Confirm receipt promptly. You are not required to stop processing immediately while you assess the objection, but you should avoid any unnecessary processing of the individual's data while you conduct your assessment.

Step 2: Identify the Processing at Issue

Determine exactly which processing activities the individual is objecting to. If their objection is vague, ask for clarification. An objection like "stop processing my data" could apply to multiple activities with different legal bases, and only those based on Article 6(1)(e) or (f) are subject to the right to object.

Step 3: Conduct the Balancing Test

This is where the real work happens. You must assess whether you have compelling legitimate grounds that override the individual's interests, rights, and freedoms. Consider:

• The nature of your interest: Is the processing essential to your business operations, or merely convenient?
• The impact on the individual: What harm or distress does the processing cause them? Why are they objecting?
• Proportionality: Could you achieve the same purpose with less intrusive processing?
• The specific circumstances: Has the individual's situation changed? Are there factors that make the processing more harmful to them specifically?
• Legal claims: Is the processing necessary for the establishment, exercise, or defense of legal claims?

Step 4: Document Your Reasoning

Whatever you decide, document it thoroughly. If you continue processing, you need to be able to show exactly why your compelling legitimate grounds override the individual's objection. If a supervisory authority investigates, "we decided our interests were more important" is not sufficient. You need a detailed, reasoned analysis.

Step 5: Respond to the Individual

Communicate your decision within one month of receiving the request. Although Article 21 itself does not specify a response deadline, the ICO and other supervisory authorities apply the same "without undue delay" standard as other data subject rights, and practically this means within one calendar month, consistent with the Article 12(3) framework.

If you are stopping processing, confirm what you have stopped and when.

If you are continuing processing, explain:

• What compelling legitimate grounds you are relying on
• Why those grounds override their interests
• Their right to lodge a complaint with a supervisory authority
• Their right to seek a judicial remedy

How to Respond to a Direct Marketing Objection

This is simpler because there is no balancing test.

1. Receive the objection — it can come in any form (email, phone call, unsubscribe link, verbal request)
2. Stop all direct marketing processing — immediately, including profiling for marketing purposes
3. Confirm to the individual that you have stopped
4. Suppress, do not delete — add the individual to a suppression list rather than deleting their details entirely. If you delete their record, you risk re-adding them to your marketing database later from another source. A suppression list ensures you never market to them again.

The obligation to stop is immediate. "We'll remove you within 28 days" or "you'll be removed at the next list refresh" is not compliant. You must stop processing for direct marketing purposes as soon as the objection is received.

The Suppression List Approach

This is a critical practical point that many businesses get wrong. When someone objects to marketing, your instinct may be to delete all their data. But deletion creates a problem: if their details enter your system again — through a purchased list, a partner referral, or a re-registration — you will not know they previously objected. You will start marketing to them again, violating their right a second time.

The correct approach is to maintain a suppression list containing just enough information (typically name and email address) to ensure you can screen future marketing activities against it. The ICO explicitly recommends this approach.

The Obligation to Inform

Article 21(4) imposes a specific and often-overlooked obligation: the right to object must be explicitly brought to the data subject's attention at the time of first communication and must be presented clearly and separately from any other information.

This means:

• Your first marketing email to someone must clearly explain their right to object
• The information must be prominent, not buried in a privacy policy link
• It must be separate from other disclosures — not lumped into a paragraph about all their rights
• An unsubscribe link alone may not be sufficient; the right to object is broader than just email unsubscription

Many businesses rely on their privacy policy to communicate data subject rights. For the right to object, that is explicitly not enough. Article 21(4) requires proactive, separate, clear communication at the point of first contact.

CCPA: The Right to Opt Out of Sale and Sharing

The California Consumer Privacy Act provides a narrower but functionally similar right through Section 1798.120. California residents have the right to direct a business that sells or shares their personal information to stop doing so.

Key differences from the GDPR right to object:

| Aspect | GDPR Article 21 | CCPA Section 1798.120 | |---|---|---| | Scope | All processing based on legitimate interests or public interest; absolute for direct marketing | Sale or sharing of personal information | | Trigger | Objection to processing | Opt-out of sale/sharing | | Exceptions | Compelling legitimate grounds (general); none (marketing) | Service providers, certain business purposes | | Response time | Without undue delay (one month in practice) | 15 business days to confirm; must comply within that period | | Mechanism | Any form of communication | "Do Not Sell or Share My Personal Information" link required on website |

The CCPA also introduced the concept of Global Privacy Control (GPC) — a browser-level signal that businesses must honor as a valid opt-out request. If your website receives a GPC signal from a California visitor, you are required to treat it as an opt-out of sale and sharing.

Under the CPRA amendments, the right extends to "sharing" of personal information for cross-context behavioral advertising, which significantly broadened its practical impact.

PIPEDA: Consent Withdrawal

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) does not have a specific "right to object" equivalent. Instead, it operates through the consent framework. Under PIPEDA Principle 3, consent is required for the collection, use, and disclosure of personal information, and individuals can withdraw consent at any time, subject to legal or contractual restrictions.

When someone withdraws consent under PIPEDA, the organization must inform the individual of the implications of withdrawal and must stop processing for the purposes covered by that consent. This is functionally similar to the GDPR's general objection right, though the mechanism is different.

For direct marketing specifically, Canada's Anti-Spam Legislation (CASL) provides additional protections. Commercial electronic messages require either express or implied consent, and recipients can unsubscribe at any time. Organizations must process unsubscribe requests within 10 business days.

UK GDPR: Same Rules, Same Authority

The UK GDPR retains Article 21 in its entirety. The right to object works identically under UK law. The ICO has published detailed guidance confirming that:

• The direct marketing right remains absolute
• The one-month response timeframe applies
• The suppression list approach is recommended
• The obligation to inform at first communication applies

For businesses operating in both the UK and EU, there is no practical difference in how you handle objection requests.

The Relationship Between Objection and Erasure

A common question: if someone objects to processing, do you also have to delete their data?

Not automatically. The right to object (Article 21) and the right to erasure (Article 17) are separate rights. However, they are closely connected:

• If someone objects to processing and you have no other legal basis for holding the data, erasure may follow as a natural consequence. Article 17(1)(c) specifically lists a valid objection as grounds for erasure.
• If you do have another legal basis for retaining the data (for example, a legal obligation to keep financial records), you can retain it but must stop the processing that was objected to.
• If someone objects to marketing and you move them to a suppression list, you are retaining minimal data specifically to honor their objection. This is a legitimate purpose in itself.

For more on the right to erasure and how it interacts with other rights, see our erasure guide.

Practical Workflow: Handling an Objection Request

Here is a step-by-step process for any business receiving an objection:

1. Log the request — record the date, source, identity of the requestor, and what they are objecting to
2. Determine the type of objection:
   • Is it about direct marketing? Go to step 3.
   • Is it about processing based on legitimate interests or public interest? Go to step 4.
   • Is it about research or statistics? Go to step 5.
3. Marketing objection: Stop all marketing processing immediately. Add to suppression list. Confirm to the individual. Done.
4. General objection: Conduct the compelling legitimate grounds balancing test. Document your analysis. If you cannot demonstrate compelling grounds, stop processing. If you can, explain your reasoning to the individual with information about their complaint rights. Respond within one month.
5. Research/statistics objection: Determine whether the processing is necessary for a public interest task. If not, stop processing. If yes, explain why to the individual. Respond within one month.

Common Mistakes

Treating all objections as marketing objections. If someone objects to processing based on legitimate interests for a non-marketing purpose (such as fraud detection or analytics), you do have the option to continue if you can demonstrate compelling grounds. Do not automatically stop all processing without assessing whether compelling grounds exist.

Treating marketing objections as general objections. The opposite mistake: conducting a balancing test when someone objects to marketing. There is no balancing test for marketing. Stop immediately.

Deleting instead of suppressing. For marketing objections, maintain a suppression list. Deletion creates the risk of re-adding the individual later.

Failing to inform at first communication. Article 21(4) requires you to tell people about their right to object at the point of first contact, clearly and separately. A link to your privacy policy is not sufficient.

Ignoring the profiling element. When someone objects to marketing, they are also objecting to profiling for marketing purposes. Stop the segmentation and scoring, not just the emails.

Taking too long. The one-month deadline applies. For marketing objections, the expectation is that you stop immediately even if the formal confirmation takes longer.

References

• GDPR Article 21: Right to object. GDPR Article 21
• GDPR Article 6(1)(e)-(f): Legal bases subject to the right to object. GDPR Article 6
• GDPR Article 17(1)(c): Erasure following a valid objection. GDPR Article 17
• ICO: Right to object guidance. ICO guidance
• CCPA Section 1798.120: Right to opt out of sale/sharing. CCPA text