European Data Protection Board Clarifies Guidelines on Consent to Address ‘Cookie Walls’ and ‘Scroll-to-Accept’ Practices

Alston & Bird

On May 4, 2020, the European Data Protection Board (‘EDPB’) adopted updated guidelines on the meaning of ‘consent’ under the EU’s General Data Protection Regulation (‘GDPR’).

The two key changes clarify that:

  • Websites and other services may not use ‘cookie walls’, as these do not permit valid consent to be collected.

‘Cookie walls’ require the user to agree to the placing or reading of cookies (or similar technologies) on the user’s device in order to access a website, service or functionality.

The EDPB gives the example of a website provider putting into place a script that blocks content from being visible except for (i) a request to accept cookies; and (ii) certain information about those cookies. There is no possibility to access the content without clicking on the ‘Accept cookies’ button. The EDPB takes the view that in these circumstances the website user is not presented with a genuine choice whether to consent or not. The consent is not ‘freely given’, and therefore not valid under the GDPR.

  • Actions such as scrolling or swiping through a webpage will not under any circumstances constitute valid consent under the GDPR.

This is because the GDPR requires consent to be given by ‘an unambiguous indication’ of wishes indicated by a statement or a ‘clear affirmative action’ of the user. Scrolling and swiping do not meet this requirement because they may be difficult to distinguish from other activities or interactions.

The guidance also clarifies that if consent is given by scrolling or swiping then it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it (another requirement for valid consent).

These two changes will be of particular interest to companies operating websites or apps which use cookies, as the use of cookies typically requires users to consent under EU ePrivacy rules. Companies operating such services outside of the EU may be caught by the GDPR’s extra-territorial application rules, for example because those companies are:

  • offering goods or services to individuals in the EU; or
  • monitoring the behavior of individuals in the EU (e.g., through the use of cookies).

The updated guidelines can be accessed here. This is already the third update: the initial guidelines were adopted by the Article 29 Working Party (the predecessor to the EDPB) on 28 November 2017 and were subsequently updated on 10 April 2018.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Alston & Bird
