Understanding the Updated Guidelines on Cookies and Consent Under the GDPR

On May 4, 2020, the European Data Protection Board (“EDPB”) adopted its “Guidelines 05/2020 on Consent under Regulation 2016/679”. These guidelines set out the EDPB’s expectations for consent practices under the General Data Protection Regulation (“GDPR”). They are a minor update to the guidelines on consent originally adopted in April 2018. One of the EDPB’s goals is to promote consistent application of data protection principles, and it periodically releases guidance to help organizations meet the compliance objectives of the GDPR. In the revised Guidelines, the EDPB stated that it had noticed a need to clarify two items:

  1. The validity of consent provided by the data subject when interacting with so-called “cookie-walls” (i.e. the practice of forcing users to accept all cookies or not use a website at all); and

  2. Web page scrolling and the impact on valid consent.

For organizations with a web presence, it is important to understand the implications of the updated guidance and understand where practices may need to be reviewed in light of this additional information.

Conditionality and the Impact on Consent

Paragraphs 38 – 41 of the latest round of revisions from the EDPB outline expectations regarding conditionality of consent and “cookie walls” that a user may encounter upon landing on a webpage. The revisions state that consent is not valid [1] if a controller argues that a choice exists between its service, which includes consenting to the use of data for additional, downstream purposes (e.g., email marketing), and obtaining the service from another controller that does not require consenting to additional data processing. Also, the use of the services “must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user”. The practical implications of this clarification are threefold:

  1. Cookie banners or popups that are used to capture consent must allow a user to exercise genuine choice – i.e. they should not offer a blanket “Accept All” and no other alternative. The offer to “accept” or “reject” the placing of different types of non-essential cookies is a leading practice. This is typically done through a cookie preference center accessible through the cookie banner. For example, users should be able to opt in or out of third-party marketing cookies.

  2. The services that are accessible to a user must remain accessible regardless of the choice made by the user. There may be certain limited exceptions to this, for example the user would be warned about the loss of certain website functionality (e.g., the presentation of maps relevant to the user’s location) if the user opted out of “functional” cookies that enabled such a feature.

  3. It is not recommended that an organization require that a user consent to the processing of their personal data for additional, downstream purposes in order to access their services. Such a requirement would impose an obligation on the controller to monitor whether similar services are available from other competitors, thereby invalidating the consent as a valid legal basis for processing. Also, data subjects may inappropriately be denied services due to their desire to not consent to certain downstream data processing practices. 

Many organizations have implemented cookie banners that provide notice, or a link to the notice, of their cookie practices and then prompt the user to accept or select “ok”. Others state that by continuing to use the site, the user agrees to the terms of the privacy policy. Organizations that employ these cookie consent practices may need to review their technologies and processes to ensure that they meet the spirit of the consent requirements under the GDPR, if applicable. Organizations in scope for the GDPR should review their cookie banner practices to confirm the following:

  • Cookie banners do not present a “cookie wall” (i.e. an “accept all or don’t use our site” approach). Instead, they should provide opportunity to opt-in to the use of non-essential cookies.

  • Privacy by design is employed to ensure that EU-based users are opted out of all non-essential cookies by default; consent captured would therefore, by design, be a clear and affirmative action, as users are informed and proactively opt in (e.g., through a cookie preference center toggle). It is worth noting that privacy technologies exist with geolocation functionality for cookie banners. These allow organizations to set whether an end user is opted in or out of non-essential cookies by default.

  • Cookie banners do not give an option to click or “x out” and remove the banner without enforcing the capture of some kind of consent, even if only to the essential cookies on a website.

  • Consent provided through banners is reversible (i.e. users can revoke consent in the same channel and with the same number of clicks as opting in, again typically by accessing a cookie preference center to toggle off the non-essential cookies).

Use of “Scrolling” as Evidence of Consent

Paragraph 86 also provides additional clarity on the practice of “scrolling” to indicate the consent of a webpage user. The example provided indicates that “actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action…”. The example provides further justification for why such practices would not meet the requirements for valid consent, one of which is that there would be no obvious way to withdraw that “consent”. In certain instances, organizations may provide popup windows or messages notifying the user of the data collection practices, and the user may be able to click outside of the window to return to the webpage without affirmatively exercising their choice or “consent”. In such an example, this action could not be considered valid consent under the GDPR. Organizations may therefore have to consider prominent and unavoidable messages that require action on the part of the user before granting them access to the webpage.
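The banner requirements listed in the previous section (opted out by default, no dismissal without a real choice, revocation as easy as opting in) and the point about scrolling made here can be expressed as a small consent-state model that a banner's buttons drive and that cookie-setting code consults before writing anything. The following JavaScript is an added example written for this article; it is not code from the EDPB or from any consent-management product, and the category names, action names and function names are assumptions chosen for illustration.

```javascript
// Added example, not from the EDPB guidelines or any specific consent
// vendor: a minimal consent-state model that a cookie banner could drive.
// Category names and action names are assumptions chosen for illustration.

const NON_ESSENTIAL = ["functional", "analytics", "marketing"];

// Only these actions count as a clear, affirmative indication of the user's
// wishes. Scrolling, swiping, closing or clicking outside the banner are not
// in this set and therefore never change the stored consent.
const AFFIRMATIVE_ACTIONS = new Set([
  "accept_all",
  "reject_all",
  "set_preferences",
  "revoke",
]);

function createConsentState() {
  // Privacy by design: every non-essential category starts opted out, and
  // nothing has been decided until the user takes an affirmative action.
  const categories = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  return { categories, decided: false, log: [] };
}

// Returns a new state; the input state is never mutated, so the previous
// choice survives for audit purposes.
function applyAction(state, action, preferences = {}) {
  const next = {
    categories: { ...state.categories },
    decided: state.decided,
    log: [...state.log],
  };

  if (!AFFIRMATIVE_ACTIONS.has(action)) {
    // Implied "consent" (scroll, swipe, dismiss, ...) is logged but leaves
    // every category exactly as it was and does not count as a decision.
    next.log.push({ action, effect: "ignored" });
    return next;
  }

  switch (action) {
    case "accept_all":
      for (const c of NON_ESSENTIAL) next.categories[c] = true;
      break;
    case "reject_all":
    case "revoke":
      // Withdrawal is as easy as opting in: one action clears everything.
      for (const c of NON_ESSENTIAL) next.categories[c] = false;
      break;
    case "set_preferences":
      // Granular choice from a preference centre. Only an explicit `true`
      // opts a category in; any other value keeps or returns it to opted out.
      for (const c of NON_ESSENTIAL) {
        if (c in preferences) next.categories[c] = preferences[c] === true;
      }
      break;
  }
  next.decided = true;
  next.log.push({ action, effect: "applied" });
  return next;
}

// Gate consulted before a cookie is written: essential cookies need no
// consent; every other category requires an explicit opt-in. Unknown
// categories are treated as non-essential and therefore denied.
function mayStoreCookie(state, category) {
  if (category === "essential") return true;
  return state.categories[category] === true;
}

// Walks through the scenarios discussed above and returns the final state.
function demo() {
  let s = createConsentState();
  s = applyAction(s, "scroll"); // ignored: not an affirmative action
  s = applyAction(s, "dismiss"); // ignored: closing the banner is not consent
  s = applyAction(s, "set_preferences", { functional: true }); // one opt-in
  s = applyAction(s, "revoke"); // back to fully opted out
  return s;
}

console.log(JSON.stringify(demo(), null, 2));
```

The important design choice is that the cookie-writing side asks `mayStoreCookie` rather than checking whether the banner was shown or closed: a banner that was merely scrolled past or clicked away leaves `decided` false and every non-essential category opted out, which is exactly the default state the guidance calls for.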

Next Steps

Although the recent revisions to the EDPB’s Guidelines are narrow in scope, organizations should not overlook the previous consent management considerations that remain, including withdrawal mechanisms, granularity, bundling, and others. The latest round of revisions should nevertheless prove helpful as companies continue growing their web footprint and data collection practices. The previous two years have allowed for numerous advancements in online consent; however, the EDPB has shown that many compliance efforts have fallen short. Companies challenged to comply with the GDPR can take this as an opportunity to review consent technologies and underlying workflows to ensure that they support all requirements, including these changes.

Interested in learning more about our privacy and data protection services? Get in touch with us.

[1] Article 4(11) of the GDPR defines the elements of valid consent: freely given, specific, informed, and an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
