On May 4, 2020, the European Data Protection Board (“EDPB”) updated its guidelines on consent under the GDPR. An initial version of these guidelines was adopted by the Article 29 Working Party prior to the GDPR coming into effect, and was endorsed by the EDPB on May 25, 2018.
The revisions do not amount to an overhaul of the existing guidelines. Rather, the EDPB aims to provide clarity in two specific areas:
- Cookie walls. The EDPB explicitly states that if websites or services require users to accept the use of cookies and similar technologies as a pre-condition of access (i.e., using a so-called “cookie wall”), that does not constitute valid consent under Article 5(3) of the e-Privacy Directive. This is largely consistent with national regulators’ cookie guidance (see e.g., our blog posts on the Dutch and Austrian supervisory authorities’ guidance on this point here and here), but it appears to limit any scope to use “partial cookie walls” in some circumstances, which the UK ICO had suggested might be possible (see our post here).
- Action used to indicate consent. Scrolling or swiping through a webpage “will not under any circumstances satisfy the requirement of a clear and affirmative action” indicating consent. While the EDPB acknowledges that different user interfaces mean that different actions (e.g., swiping a bar on a screen or waving in front of a smart camera) can be used to indicate that a user gives their consent, they emphasize that:
- the action that grants consent must be distinguishable from other actions;
- it must be clear to data subjects what action constitutes consent; and
- data subjects must be able to withdraw their consent just as easily as they can give it.
While this is a strict interpretation, it provides welcome clarity after some supervisory authorities — notably the Spanish supervisory authority (see our blog post here) — had indicated that continued browsing of a site could constitute valid consent for the use of cookies in some circumstances
With little sign of agreement at European level on the revisions to the rules on cookies (in the proposed e-Privacy Regulation), the updated guidelines further demonstrate the emerging consensus amongst data protection authorities that website visitors should be given clear choices about whether or not they accept cookies, even if it can be questioned whether individuals actually read and understand the choices they are given.