Is the consent of a person confronted with a so-called “cookie wall” valid at all? And can consent be expressed by scrolling or swiping through a website? The European Data Protection Board (EDPB) published its opinion on this often-seen practise of website owners.
The EDPB published new guidelines on consent under the General Data Protection Regulation (GDPR) on 4 May 2020. These guidelines update and replace the previous guidelines published in 2018, which were adopted by the Article 29 Working Group Party and endorsed by the EDPB. The guidelines now provide an updated version on consent rules and apply from now on.
The updated guidelines on consent provide clarifications on the validity of obtaining consent. The EDPB has noticed that there was a need for clarification regarding two questions:
- Is it possible for an individual to validly consent when confronted with a so-called “cookie wall”?
- Can valid consent be expressed simply by scrolling or swiping through a website?
First and foremost, according to the GDPR, businesses or organisations that wish to process personal data for various purposes, such as advertising or profiling, require a legal basis for processing. Under the GDPR, cookies that are not strictly necessary for the basic function of a website must only be activated after the end-users have given their explicit consent to the specific purpose of the operation and collection of personal data (see our article on the respective ECJ ruling). Thus, only if valid consent is given, you may place cookies on your website.
For consent to be valid under the GDPR, it must satisfy the definition of consent envisaged in Article 4 (11), in connection with the requirements set out in Article 7. The GDPR defined consent as “freely given, specific, informed and unambiguous indication of the data subject’s wishes […] by a statement or by a clear and affirmative action”.
“Freely given“ consent means that the data subject has a free and actual choice and can refuse or withdraw consent without being disadvantaged. For instance, consent isn’t freely given if you require individuals to consent to the processing of personal data as a condition to provide your service unless the processing is strictly necessary to be able to provide that service.
Consent can be considered “informed” if you give the data subject at least information about the identity of your business or organisation, the purposes for which the data is processed, the type of data, and the possibility to withdraw consent. Where applicable, you must inform data subjects if data will be used only for automated-based decision-making (such as profiling) and if the consent relates to an international transfer.
Cookie walls and conditionality of consent
According to the updated guidelines, a cookie wall is a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. A cookie wall will not allow data subjects to access the content of the service, thus use the service, without accepting the cookies.
Under the updated guidelines, providing consent for the processing of personal data or the use of tracking technologies, such as cookies, cannot be considered freely given if offered as a condition to use or access a website or service, “as the data subject is not presented with a genuine choice”. Accordingly, the placing of a cookie wall will not be sufficient to obtain valid consent for data processing. If your businesses or organisation is using this mechanism, you must update the consent boxes.
Unambiguous indication of wishes
The new EDPB guidelines further provide clarification concerning the question if scrolling or swiping through a website can qualify as an “unambiguous indication of a data subject’s wishes (…) by a clear affirmative action”.
Therefore, the guidelines state: “the continued scrolling or swiping through a webpage cannot (…) satisfy the requirement of clear affirmative action”. It proceeds: “Such actions may be difficult to distinguish from other activity or interaction by a user and therefore determining that an unambiguous consent has been obtained will not be possible”. Art. 7 GDPR clearly states that for data subjects, it must be as easy to withdraw consent as it is to give consent. Thus, in a case of continued scrolling or swiping through a webpage, “it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it”.
The EDPB stresses that consent by scrolling or swiping a webpage will never constitute valid consent. Also, based on the impossibility for controllers to ascertain whether the consent was unambiguous, controllers will not be able to provide data subjects with an equally easy way of withdrawing consent. Thus, explicit, affirmative action is needed, which you, as a controller, can obtain by giving a clear choice between yes and no.
The updated EDPB guidelines strongly emphasise the need for valid consent and the data subject’s free choice to consent to the processing of personal data, as well as the rights to withdraw this consent.
Therefore, as a website operator, you should ensure that the website does not ask users to provide consent either by placing a cookie wall or consider the continued scrolling or swiping through a webpage as valid consent. Instead, you should follow the following practical recommendations to ensure you obtain valid consent from data subjects, per the updated guidelines:
- You must understand what cookies are in use, confirm their purpose, identify what data each cookie processes, how long cookies store data, if they are strictly necessary cookies and whether they are 1st or 3rd party cookies.
- Once you have established the use and purpose for each cookie, you need to ensure you provide clear and easy to understand information about the cookies. Accordingly, the information must be comprehensive to the data subjects and cover details of the purpose of the cookies used.
- To use the cookies, you need to implement a consent mechanism that allows users of the website to control the setting of all cookies that are not strictly necessary. Obtaining consent must be in line with GDPR’s requirements. As the updated guidelines reaffirm, consent must be freely given, and individuals must have a real choice to consent or reject the processing of personal data. Accordingly, the opportunity to withdraw consent without detriment must be implemented. Therefore, it is not sufficient to place pre-ticked consent buttons as default settings on cookie banners. Accordingly, only a “yes” option is insufficient, and you must ensure both a “yes” and a “no” option is presented and equally visible to the user.