On May 4, 2020, the European Data Protection Board (“EDPB”) updated its guidelines on consent under the GDPR.  An initial version of these guidelines was adopted by the Article 29 Working Party prior to the GDPR coming into effect, and was endorsed by the EDPB on May 25, 2018.

The revisions do not amount to an overhaul of the existing guidelines.  Rather, the EDPB aims to provide clarity in two specific areas:

  • Cookie walls. The EDPB explicitly states that if websites or services require users to accept the use of cookies and similar technologies as a pre-condition of access (i.e., using a so-called “cookie wall”), that does not constitute valid consent under Article 5(3) of the e-Privacy Directive.  This is largely consistent with national regulators’ cookie guidance (see e.g., our blog posts on the Dutch and Austrian supervisory authorities’ guidance on this point here and here), but it appears to limit any scope to use “partial cookie walls” in some circumstances, which the UK ICO had suggested might be possible (see our post here).
  • Action used to indicate consent. Scrolling or swiping through a webpage “will not under any circumstances satisfy the requirement of a clear and affirmative action” indicating consent.  While the EDPB acknowledges that different user interfaces mean that different actions (e.g., swiping a bar on a screen or waving in front of a smart camera) can be used to indicate that a user gives their consent, they emphasize that:
    • the action that grants consent must be distinguishable from other actions;
    • it must be clear to data subjects what action constitutes consent; and
    • data subjects must be able to withdraw their consent just as easily as they can give it.

While this is a strict interpretation, it provides welcome clarity after some supervisory authorities — notably the Spanish supervisory authority (see our blog post here) — had indicated that continued browsing of a site could constitute valid consent for the use of cookies in some circumstances.

With little sign of agreement at European level on the revisions to the rules on cookies (in the proposed e-Privacy Regulation), the updated guidelines further demonstrate the emerging consensus amongst data protection authorities that website visitors should be given clear choices about whether or not they accept cookies, even if it can be questioned whether individuals actually read and understand the choices they are given.

Dan Cooper

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws, as well as associated information technology and e-commerce laws and regulations. Mr. Cooper also regularly counsels clients with respect to Internet-related liabilities under European and US laws. Mr. Cooper sits on the advisory boards of a number of privacy NGOs, privacy think tanks, and related bodies.

Mark Young

Mark Young advises clients on data protection, cybersecurity and other tech regulatory matters. He has particular expertise in product counselling, GDPR regulatory investigations, and legislative advocacy. Mr. Young leads on EU cybersecurity regulatory matters, and helps to oversee our internet enforcement team.

He has been recognized in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field.” Recent editions note that he is “deeply knowledgeable in the area of privacy and data protection,” “fast, thorough and responsive,” and has “great insight into the regulators.”

Mr. Young has over 15 years of experience advising global companies, particularly in the technology, health and pharmaceutical sectors, on all aspects of data protection and security. This includes providing practical guidance on analyzing and using personal data, transferring personal data across borders, and potential liability exposure. He specializes in advising in relation to new products and services, and providing strategic advice and advocacy on a range of EU law reform issues and references to the EU Court of Justice.

For cybersecurity matters, he counsels clients on practices to protect business-critical information and comply with national and sector-specific regulation, and on preparing for and responding to cyber-based attacks and internal threats to their networks and information. He has helped a range of organizations respond to cyber and data security incidents – including external data breaches and insider theft of trade secrets – through the stages of initial detection, containment, notification, recovery and remediation.

In the IP enforcement space, Mr. Young represents right owners in the sport, media, publishing, fashion and luxury goods industries, and helps coordinate a team of internet investigators that has nearly two decades of experience conducting global notice and takedown programs to combat internet piracy.