On 4 May 2020 the European Data Protection Board (“EDPB“) adopted updated guidelines on consent under the GDPR (the “New Guidelines”).
The New Guidelines supersede the guidelines on consent originally adopted by the EDPB’s predecessor, the Article 29 Working Party, on 10 April 2018 (the “2018 Guidelines”), and subsequently endorsed by the EDPB.
The New Guidelines clarify the EDPB’s position on two specific issues:
- Cookie Walls – consent is not valid if access to a website is conditional on accepting non-essential cookies.
- Scrolling – user actions like scrolling and swiping on a webpage do not satisfy the requirements for valid consent.
Besides these two clarifications, there are no other substantive changes from the position set out in the 2018 Guidelines.
The New Guidelines clarify the position in relation to the validity of consent provided by the data subject when interacting with so-called “cookie walls”. This is where a website user is effectively barred from viewing or accessing website content unless they agree to accept cookies (for example, where the user is asked to click an “Accept cookies” button before they can access content).
It is now well established that the GDPR standard of consent also applies to consent under the e-Privacy Directive, including in relation to the use of non-essential cookies. This means that consent to the use of these cookies must be freely given, specific, informed, unambiguous, and signified by a statement or clear positive action (and a pre-ticked box or equivalent, such as a slider defaulted to “on”, will not be sufficient).
This position was confirmed by the EDPB in the original 2018 Guidelines and has since been echoed in recent guidance from the ICO, the German data protection authorities and a number of other European data protection authorities (you can read our summary of the ICO’s guidance here). The New Guidelines confirm that, to meet the requirement for consent to be freely given, access to services and functionalities should not be conditional on the consent of a user to the storing of information, or gaining access to information already stored, on their device. As such, the EDPB considers that “cookie walls” do not present the user with a genuine choice, meaning that consent obtained this way is not freely given and is therefore not valid.
The statements made by the EDPB in relation to cookie walls are not especially surprising, and are broadly in line with recent statements and guidance on cookies from national European regulators and with the decision of the Court of Justice of the European Union in Planet49 (for a summary of the Planet49 case, click here). However, the New Guidelines provide further clarity on the EDPB’s position on the issue.
In practice, the New Guidelines mean that website operators should avoid using cookie walls and should not prevent access to content, services or functionalities where a user does not accept the use of non-essential cookies. The New Guidelines therefore serve as a further reminder to website operators to review current cookie consent mechanisms to ensure they remain aligned with GDPR standards and with regulatory guidance.
As stated above, under the GDPR, valid consent requires a clear and affirmative action which establishes an unambiguous indication of the data subject’s consent. It must also be as easy to withdraw as to give consent.
The New Guidelines clarify the position in relation to websites that attempt to obtain consent from users by scrolling or swiping through the webpage. The 2018 Guidelines stated that this would not satisfy the requirements for valid consent.
The New Guidelines do not change this position, but provide slightly revised guidance on the reasoning. They state that:
- scrolling, swiping, and other similar actions will not under any circumstances satisfy the requirement for clear and affirmative action;
- such actions may be difficult to distinguish from other actions by the user, so they are too ambiguous; and
- it would be difficult to provide a way for the user to withdraw their consent as easily as it is given in such cases.
Scrolling and swiping are specifically highlighted as actions that cannot satisfy the requirements for valid consent. This could also include other similar actions , for example, a user pressing play on a video. Even if a website clearly informs the user of the consequences before starting the video, it is unlikely that this action alone would to satisfy the requirements for valid consent.
Website operators should therefore ensure that their websites do not ask users to provide their consent in these ways.
As mentioned above, the majority of the 2018 Guidelines remain unchanged. In particular, it is important to note the following in relation to designing consent mechanisms, which was stated in the 2018 Guidelines and continues to be the case under the New Guidelines.
1. Avoiding click fatigue
In the digital environment users often receive many consent requests, which results in a sort of “click fatigue”. This can result in a situation where users no longer read consent questions, and may not really be aware that they are providing consent. Therefore, this may not qualify as valid consent under the GDPR. The burden to find a viable and effective solution is on controllers, which have an obligation to “innovate to find new solutions”. Website operators should keep this in mind when designing and assessing their mechanisms to collect consent.
2. Presenting a yes and no option
In several examples, the guidelines refer to the user providing consent using a ‘No’ or ‘Yes’ option. This implies that users should clearly be given the possibility to provide or deny consent, – only presenting a ‘Yes’ option would not be enough. Obviously, it must be as easy to give consent as to deny consent.
3. Refreshing consent
Consent does not have a fixed expiry date – its validity depends on the features of the processing, the scope of the consent and also the reasonable expectations of the person who has provided consent. However, it is best practice to refresh consent from time to time, to ensure individuals remain well aware of the processing of their personal data. Website operators should be thinking about refreshing consent, including consent for cookies, from time to time.