On 4 May 2020, the European Data Protection Board (EDPB) adopted an updated set of guidelines on consent (Guidelines) under the General Data Protection Regulation (GDPR). These updates were made to the original guidelines published by the Article 29 Working Party on 10 April 2018, which the EDPB endorsed at its first plenary meeting on 25 May 2018.
As a reminder, when a controller relies on consent as its lawful basis for processing personal data, or is required to obtain consent prior to the use of cookies, such consent must be freely given, specific, informed and an unambiguous indication of an individual’s wishes, in order to be valid. Although the original guidelines provided an in-depth analysis of each of these concepts, the EDPB felt that two specific areas required further clarification:
- The validity of an individual’s consent to the use of cookies when access to a website’s service or functionality is conditioned on that individual giving such consent (i.e., the use of a ‘cookie wall’)
- The validity of an individual’s consent to the use of cookies when such consent is given by the individual by scrolling through a website
Consequently, the Guidelines now include updates to the sections entitled “Conditionality” and “Unambiguous indication of wishes”, which clarify these areas.
The first important update states that to be freely given, “access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls)”. This means that a website provider cannot make access to its website content conditional on the user accepting the website provider’s use of cookies. The EDPB considers that this does not constitute a genuine choice, and is therefore not freely given.
The second important update states that an unambiguous indication of an individual’s wishes requires a clear affirmative action, which must be distinguishable from other actions. Therefore, “actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action”. This means that a website provider cannot imply that a user has consented to the use of cookies simply because they have scrolled through the website, even if they have been informed of the website provider’s use of such cookies. The EDPB’s view is that the action of scrolling through a website is not clearly distinguishable from other interactions the user might have with the website, so it would be difficult to determine that unambiguous consent has been obtained in such circumstances.
As with many areas of European data protection law, the issue of what constitutes valid consent to the use of cookies has created a wide range of opinions among the European supervisory authorities, particularly in Spain where the data protection authority, the AEPD, has historically taken a more relaxed approach. The Guidelines will therefore provide some long-awaited certainty to website providers about the rules around consent and the use of cookies.