On May 4, 2020, the European Data Protection Board (“EDPB”) updated its guidelines on consent under the GDPR. An initial version of these guidelines was adopted by the Article 29 Working Party prior to the GDPR coming into effect, and was endorsed by the EDPB on May 25, 2018.
The revisions do not amount to an overhaul of the existing guidelines. Rather, the EDPB aims to provide clarity in two specific areas:
- Action used to indicate consent. Scrolling or swiping through a webpage “will not under any circumstances satisfy the requirement of a clear and affirmative action” indicating consent. While the EDPB acknowledges that different user interfaces mean that different actions (e.g., swiping a bar on a screen or waving in front of a smart camera) can be used to indicate that a user gives their consent, they emphasize that:
- the action that grants consent must be distinguishable from other actions;
- it must be clear to data subjects what action constitutes consent; and
- data subjects must be able to withdraw their consent just as easily as they can give it.
With little sign of agreement at European level on the revisions to the rules on cookies (in the proposed e-Privacy Regulation), the updated guidelines further demonstrate the emerging consensus amongst data protection authorities that website visitors should be given clear choices about whether or not they accept cookies, even if it can be questioned whether individuals actually read and understand the choices they are given.