A link to the European Data Protection Board (EDPB) adopted Guidelines 05/2020 (guidelines) on consent under General Data Protection Regulation 2016/679 (GDPR) is set out below.
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf.
The guidelines update the previous guidelines on consent and transparency, which the Article 29 Working Party adopted on 10 April 2018. The EDPB has published the guidelines in order to provide further detail on the following points in the previous guidelines:
- The validity of consent provided by the data subject when interacting with cookie walls.
- Examples of a consent mechanism in relation to scrolling and consent (see example 16).
Consent given via a ‘cookie wall’
A cookie wall is a website notification that requires users to ‘accept’ the use of cookies before they can access the website’s content. The guidelines clarify that users’ consent given via such a notification is not valid consent because the user may have been influenced to ‘accept’ in order to access the website so it is not freely given or unconditional. This means that the user was not given a genuine choice about their cookie usage. The guidelines also provide a new practical example of this at ‘example 6a’.
The consent mechanism
In section 3.4 – ‘Unambiguous indication of wishes’ – controllers are advised to design consent mechanisms that are clear to data subjects and which unambiguously show that the data subject has given consent. ‘Example 16’ has been amended in the guidelines to clarify that scrolling or swiping through a webpage (or similar user activity) is not enough to satisfy the requirement of a ‘clear and affirmative action’ that is necessary to constitute valid consent. This is because scrolling or swiping are difficult to distinguish from other actions by the user and it may be difficult for data subjects to withdraw consent as easily as it has been given.
The guidelines are consistent with current ICO cookies guidance and ECJ rulings (e.g. the Planet49 case) that cookie consent must be ‘active’ and ‘specific’. They may also have an impact on the ePrivacy Regulation negotiations.