EDPB Issues Updated Guidelines on Consent
7 May 2020
Technology & Regulation in the Spotlight
The European Data Protection Board (“EDPB”) has published new guidelines on consent under the General Data Protection Regulation (“GDPR”). These guidelines are updating and replacing the previous guidelines published in 2018 by the former EU data protection advisory regulator, the Article 29 Working Party, which were endorsed by the EDPB.
The updated guidelines provide clarifications on the validity of two specific methods of obtaining consent. The first is obtaining consent using “cookie walls” and the second is whether actions like scrolling or swiping can be considered valid consent under the GDPR, as well as the ePrivacy Directive which requires consent to be valid under the GDPR (see our related report concerning the ECJ’s ruling on this subject).
The GDPR defines consent as “freely given, specific, informed and unambiguous indication of the subject’s wishes… by a statement or by a clear affirmative action…”. According to the updated guidelines, providing consent for the processing of personal information or the use of tracking technologies (such as cookies), cannot be considered as freely given if provided as a condition to use or access a website or a service – a practice also known as “cookie wall”. The EDPB dismisses arguments suggesting that consent can be considered freely given if an equivalent service is offered by a different controller that does not require consent. In such cases, the freedom of choice would be made dependent on what other market players do and whether the data subject would find the other services equivalent. In addition, this will require controllers to monitor market developments and their competitors, as they may alter their services or business models at any time. Accordingly, in order for consent to be freely given, the access to services and functionalities must not be made conditional on the data subject’s consent to the storing of or gaining access to information.
The EDPB also addresses the question of implying consent from certain user activities. According to the EDPB, actions such as scrolling, swiping through a webpage, or similar user activities will not, under any circumstances, be considered valid consent. Such actions may be difficult to distinguish from other activities or interactions and therefore do not satisfy the requirement of a clear and affirmative action and cannot be seen as unambiguous. In addition, relying on such actions will make it difficult for controllers to provide a way for data subjects to withdraw their consent in a manner that is as easy as granting it.
The updated guidelines require website and mobile app operators to review the mechanisms through which consent is being obtained for using cookies, SDKs and other tracking technologies. Please do not hesitate to contact us if you have any questions on the practical and legal implications of the updated guidelines.
Please feel free to contact us if you have any questions regarding the effect and implications of the CCPA, including the abovementioned exemptions and their limitations.
Ariel Yosefi, Partner
Co-Head | Technology & Regulation Department
Herzog Fox & Neeman