What happened?

On 10 April 2018, the Article 29 Working Party adopted its Guidelines on consent under Regulation 2016/679 (the "GDPR"), which were endorsed by the European Data Protection Board (the "EDPB"). These Guidelines provide clarifications and examples for obtaining valid consent under the GDPR.

What's new?

On 4 May 2020, the EDPB adopted an updated version of those Guidelines revising certain recommendations while the rest of the document was left unchanged, except for some editorial modifications. This version of the Guidelines supersedes the version adopted in April 2018.

Key takeaways to consider.

The EDPB provided additional guidance to clarify the sections of the Guidelines concerning the "Conditionality" of consent and the "Unambiguous indications of wishes" with regard to:

  • the validity of consent of data subjects interacting with so-called "cookie walls" on websites;
  • the process of scrolling on a Web page to consent.

In more detail.

The EDPB wishes to emphasise the fact that access to a service cannot be conditional upon the consent for processing personal data (where such processing is not necessary to provide the service concerned): "access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user". To illustrate this principle, the EDPB uses the example of "cookie walls" that prevent users from accessing a website unless they accept cookies. According to the EDPB, such cookie wall mechanisms are not compliant with the GDPR as they do not provide a genuine choice to the data subjects so that the consent cannot be considered as freely given and is thus invalid.

Furthermore, the EDPB states that "actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action". This means that cookie banners stating that any further browsing will be considered as an acceptance for the deposit of cookies are not compliant with the GDPR, as that they do not satisfy the requirement of an unambiguous indication of wishes.

The clarifications provided by the EDPB in the new Guidelines shall be read in conjunction with the ruling of the Court of Justice of the European Union in the "Planet 49" case, which concluded that a pre-checked box that users must deselect to refuse the storage of cookies on their terminal equipment is not valid consent.

Based on the foregoing, online business operators must ensure that any and all data subjects are provided with a genuine choice to accept or to decline the use of cookies without detriment while access to their service shall not be made conditional on the data subject's consent to the storage of cookies in the event that such cookies storage is not strictly necessary for using the service.

Further points of attention

The aforementioned should also be considered in the light of the provisions of Directive 2009/136/EC ("ePrivacy Directive") which governs the use of cookies. The ePrivacy Directive requires consent from the user, if a website uses cookies. With some exceptions, such consent relating to the processing of personal data shall comply with the requirements for valid consent under the GDPR. That is why cookie walls have been analysed from that standpoint by the GDPR.

Originally published by Elvinger Hoss , September 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.