On May 4, 2020, the European Data Protection Board (EDPB) adopted updated guidelines on consent under the General Data Protection Regulation (GDPR), in Guidelines 05/2020. The Guidelines clarify existing guidance issued in 2018 about whether consent would be freely given when consent is required to access a service (including websites) and whether scrolling through a website could be a clear and affirmative act demonstrating unambiguous consent. Guidelines 05/2020 follow a series of opinions and guidance issued by the European Court of Justice and European data protection authorities over the last year on the subject of cookies, consent and other bases for processing personal data under the GDPR. Therefore, companies that rely on consent—including those that relied on the GDPR’s necessary-for-contract basis for online services before the EDPB issued guidelines about that basis in October 2019—when offering a website to EU users or applying cookie consents worldwide should reassess their consent practices and mechanisms. To read Guidelines 05/2020, click here.
Why it matters
Under the GDPR, companies should have at least one of the six bases listed in Article 6 to process personal data. One of those is consent, which GDPR Recital 32 explains is “a clear affirmative act establishing a freely given, specific, informed and unambiguous indication.” As for the ePrivacy Directive, a company or other website operator may only rely on consent before storing information, like cookies, on a user’s computer, smartphone or any other “terminal equipment.”
With regards to the requirement for consent to store information like cookies on users’ computers, last year, member state data protection authorities (such as France’s CNIL and the Netherlands’ Autoriteit Persoonsgegevens) and the European Court of Justice issued opinions and guidelines addressing consent requirements for cookies under the GDPR and the ePrivacy Directive. As read by the EDPB and other European regulators, the ePrivacy Directive requires website operators to receive a website visitor’s consent before storing non-necessary cookies on that visitor’s computer (although what constitutes a non-necessary cookie is subject to interpretation and context). That reading has led in part to website operators’ use of cookie walls (which prevent access to a website unless a user accepts all cookies) and cookie banners (which appear on the side or bottom of websites). Guidelines 05/2020 provide additional clarity to companies about how they should present consent for cookies to visitors from the EU, including around cookie walls and cookie banners.
Is consent freely given if it is required for access to a service? Maybe not?
Guidelines 05/2020 add details, not included in the previous guidance, regarding the “freely given” aspect of consent in Recital 32 (quoted above) on just how much a company can condition consent:
- To the EDPB, consent is not freely given if a company offers a choice between their service (such as a website), which includes requiring consent to the secondary use of personal data, and an equivalent service offered by a different controller. Put differently, a company may not be able to prevent data subjects from accessing their service on the basis that they do not consent to the secondary processing of their personal data.
- Consistent with the European Court of Justice’s decision last year, consent is not freely given under Guidelines 05/2020 if a website operator conditions access to a service or functionality upon a user’s consent to the storing of personal data on their computer or other terminal equipment (such as mobile phone or smart TV).
- To make that clear, Guidelines 05/2020 include the example of a cookie wall that restricts access to a website’s content unless the user consents to non-necessary cookies: “This does not constitute valid consent, as the provision of the service relies on the data subject clicking the ‘Accept cookies’ button. [The user] is not presented with a genuine choice.”
What constitutes clear and affirmative action? Not scrolling or swiping on a webpage.
Guidelines 05/2020 also clarify a small detail regarding what it means to have an “unambiguous indication” of consent under Recital 32. The key takeaway is a new example and statement that “scrolling or swiping through a webpage or similar activity will not under any circumstances satisfy the requirement of a clear and affirmative action.” In particular:
- To the EDPB, if scrolling or swiping creates consent, then “it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it.”
- Similarly, it “may be difficult to distinguish” the scrolling or swiping from activity not intended to provide consent.
Accordingly, Guidelines 05/2020 raise questions about the use of disappearing cookie banners that are not accompanied by more intentional swiping and scrolling, such as those noted in the Guidelines: “[s]wiping a bar on a screen, waiving in front of a smart camera, turning a smartphone around clockwise, or in a figure eight motion may be options to indicate agreement, as long as clear information is provided, and it is clear that the motion in question signifies agreement to a specific request.”