On May 4, 2020, the European Data Protection Board (EDPB) adopted two important revisions to its 33-page Guidelines on Consent (Guidelines) under the General Data Protection Regulation (GDPR).1 The Guidelines are highly influential, as the EDPB (a body composed of the heads of the European Economic Area (EEA) national data protection authorities (DPAs) and the European Data Protection Supervisor) is tasked with promoting the consistent application of data protection rules throughout the EEA. The first revision states that so-called "cookie walls", i.e., cookie banners that condition access to a website on the acceptance of cookies, are not compliant with the GDPR's consent requirement. The second revision confirms that actions such as merely scrolling or swiping through a webpage do not under any circumstances constitute valid consent under the GDPR. All organizations that utilize websites or services that use cookies may be caught by the extra-territorial scope of the GDPR, so we summarize the revisions to the consent guidance below.

Consent Cannot be Validly Obtained Via "Cookie Walls"

The requirements for valid consent, which is one of the six lawful bases for processing personal data under the GDPR, are that the consent must be freely given, specific, informed and unambiguous. The EDPB's revisions to the Guidelines state that in order for consent to be freely given, access to services and to functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user. Therefore, cookie walls cannot constitute valid consent. (Although cookies are regulated by the e-Privacy Directive, the GDPR conditions for obtaining valid consent are applicable in situations falling within the scope of that Directive, which is undergoing revision through the various drafts of the e-Privacy Regulation).

The revised Guidelines provide an example to illustrate this further. A website provider implements a script such that the content of the website is blocked and not visible, and the only visible content is a request to accept cookies and information about which cookies are being set and for what purposes personal data will be processed. In that scenario, there is no means by which the data subject can access the content without selecting the 'accept cookies' button. Selecting that button would not constitute valid consent: the setup would not present the data subject with a genuine choice. Consent would not be freely given and therefore would not be validly obtained under the GDPR.

Further, in relation to offering a genuine choice to the data subject, the EDPB updated a statement previously made in the earlier version of the Guidelines. In that earlier version, the EDPB considered the following argument. A data subject could have a "choice" between two competitors: (a) the use of the service provided by Controller A, which requires consenting to the processing of personal data for additional purposes; or (b) the use of an equivalent service provided by Controller B, where the use of personal data for additional purposes is not required. The argument that this dichotomy would present a genuine choice to the data subject was dismissed by the EDPB. The EDPB explained that the freedom of choice in such a scenario would be made dependent on what other market players do, and whether an individual data subject would find Controller B's services genuinely "equivalent". Relying on such an argument would also require Controller A consistently to monitor developments in the market to ensure the continued validity of consent, as its competitor may alter its service at a later stage and hence no longer provide an "equivalent" service. This would in practice mean limitations on the freedom of choice and hence lack of a genuine choice. So consent could not be "freely given" in such circumstances. Thus, the revised Guidelines clarify that, where consent is a condition to the provision of a service, relying on consent as a lawful basis just because an alternative option (where no consent is sought) is offered by a competitor or a third party fails to comply with the GDPR.

Scrolling Through Does Not Under Any Circumstances Constitute Consent

The 2018 version of the Guidelines had made clear that merely continuing with the ordinary use of a website did not of itself satisfy the conditions for obtaining valid consent under the GDPR. The updated Guidelines now provide a further example clarifying the EDPB's position in this regard.

Activities such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the consent requirement of a "clear and affirmative action". Such activities may be difficult to distinguish from other activity or interaction by a user with the webpage. As a result, determining that unambiguous consent has been obtained will not be possible.

Further, it would be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting consent, which is an additional requirement for obtaining valid consent that cannot be satisfied in this scenario.

Practical Implications of the Revised Guidelines

The Information Commissioner's Office (ICO), the U.K.'s DPA, had previously expressed a view that the blanket use of cookie walls, which would restrict access to websites, was unlikely to represent valid consent. A few other national DPAs, including the French, Dutch and Irish DPAs, had also raised concerns regarding whether cookie walls provide a genuine choice to data subjects when they seek consent. The EDPB's revised Guidelines add significant weight to these concerns and effectively mean that data controllers to whom the European data protection laws apply can no longer use cookie walls in order to obtain consent.

Importantly, the revisions to the Guidelines reiterate that a data controller cannot prevent data subjects from accessing a particular service on the basis that they do not consent to the use of their personal data. Simply providing the user with the option of consenting to and accessing the service, or not consenting and being denied access, does not amount to any genuine choice and any consent obtained in such circumstances is invalid. The prudent action for data controllers following the EDPB's statement would be to revisit the lawful basis on which they are processing personal data, in order to confirm whether consent is indeed required, and if so, whether it is validly obtained.

Finally, unless cookies are strictly necessary, they cannot be placed prior to the data subjects providing their consent. As scrolling through a webpage would never be a sufficiently clear indication that can constitute consent, according to the EDPB, website providers must ensure that they seek clear, overt action from users. A good practice would be to adopt tailored cookie options for users, where they can accept or reject non-essential cookies as they see fit, and continue to access the website even where they have rejected the use of some such cookies.

Footnote

1 The original Guidelines were published two years ago, when, at its first plenary meeting on May 25, 2018, the EDPB endorsed the Guidelines, which the Article 29 Working Party had adopted on April 10, 2018.

Originally published May 21, 2020
