On 10 April 2018 the Article 29 Working Party (the EDPB's former name) adopted its Guidelines on consent under Regulation 2016/679. On 4 May 2020 the EDPB provided an updated version of these guidelines.
The update concerns two common practices on the Internet on which the EDPB would like to provide clarification:
The validity of consent provided by the data subject when interacting with so-called “cookiewalls”;
The validity of consent provided by the data subject by merely scrolling or swiping through a webpage (or similar activities).
A. The validity of consent provided by the data subject when interacting with so-called “cookiewalls”
A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button.
Issue: under the GDPR, the consent must be “freely” given. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Consequence: “Cookiewalls” - as described above - do not constitute valid consent, as the provision of the service relies on the data subject clicking the “Accept cookies” button. The data subject is not presented with a genuine choice.
Good practice: a distinction should be made between so-called "necessary cookies" for the functioning of a website and other cookies (marketing cookies, performance cookies, etc.). With regard to the necessary cookies, the consent of the user is not required, as the basis of legitimisation is founded on the need to be able to operate your website: these are the cookies without which it is impossible to access the content of the website. For all other types of cookies, it is necessary to obtain the user's informed consent and also to enable the user to change his or her consent easily in the future.
B. The validity of consent provided by the data subject by merely scrolling or swiping through a webpage (or similar activities).
This is the case where a data subject's consent is deduced from the mere fact that he or she has scrolled a page all the way to the bottom. For instance, imagine a vendor who considers that you consent to be contacted for direct marketing purposes by the sole fact that you have scrolled down the page of the terms and conditions of sale.
Issue: although you have browsed or scrolled through the entire document, this does not mean that you have given your consent to the use of your data for direct marketing purposes, especially since, under the GDPR, consent requires a clear and affirmative action.
Consequence: such actions may be difficult to distinguish from other activity or interaction by a user, and therefore determining that an unambiguous consent has been obtained will also not be possible. Furthermore, in such a case, it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it.
Good practice: if you want to process the personal data of your users for purposes that do not match the purpose for which the data were originally collected, you must obtain the prior and active consent of the data subject for this specific purpose. This is possible with tick-boxes, for example.
EDPB’s updated guidelines on consent have to be seen in the light of the recent opinions issued by national supervisory authorities, as well as ECJ’s judgement in case C-673/17, Planet 49 v. German Federation of Consumer Organisations.
The French data protection authority has already made direct marketing and cookies an enforcement priority. Similar guidelines have already been issued by the German, Spanish and English supervisory authorities. Recently, the Belgian supervisory authority also issued guidelines on February 10, 2020 and made direct marketing a top priority for the next few years, while the “ePrivacy Regulation” is still awaited at EU level.
In a nutshell, under the GDPR, the criteria for valid consent have been reinforced, and it is noticeable that businesses are following the trend, implementing more developed cookie management tools as well as more consistent privacy policies on their websites.
If you suspect that your website is not in compliance with all the relevant requirements, or you simply want an expert to assess your current level of compliance, do not hesitate any longer: contact firstname.lastname@example.org