On 10 April 2018, the Article 29 Working Party adopted its Guidelines on consent under Regulation 2016/679 (the "GDPR"), which were endorsed by the European Data Protection Board (the "EDPB"). These Guidelines provide clarifications and examples for obtaining valid consent under the GDPR.
On 4 May 2020, the EDPB adopted an updated version of those Guidelines revising certain recommendations while the rest of the document was left unchanged, except for some editorial modifications. This version of the Guidelines supersedes the version adopted in April 2018.
Key takeaways to consider.
The EDPB provided additional guidance to clarify the sections of the Guidelines concerning the "Conditionality" of consent and the "Unambiguous indications of wishes" with regard to:
- the validity of consent of data subjects interacting with so-called "cookie walls" on websites;
- the process of scrolling on a Web page to consent.
In more detail.
The EDPB wishes to emphasise the fact that access to a service cannot be conditional upon the consent for processing personal data (where such processing is not necessary to provide the service concerned): "access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user". To illustrate this principle, the EDPB uses the example of "cookie walls" that prevent users from accessing a website unless they accept cookies. According to the EDPB, such cookie wall mechanisms are not compliant with the GDPR as they do not provide a genuine choice to the data subjects so that the consent cannot be considered as freely given and is thus invalid.
Furthermore, the EDPB states that "actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action". This means that cookie banners stating that any further browsing will be considered as an acceptance for the deposit of cookies are not compliant with the GDPR, as that they do not satisfy the requirement of an unambiguous indication of wishes.
The clarifications provided by the EDPB in the new Guidelines shall be read in conjunction with the ruling of the Court of Justice of the European Union in the "Planet 49" case, which concluded that a pre-checked box that users must deselect to refuse the storage of cookies on their terminal equipment is not valid consent.
Further points of attention
Originally published by Elvinger Hoss , September 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.