Who: The European Data Protection Board (EDPB)
Where: European Union
When: 4 May 2020
What happened:
The EDPB has published new guidelines on the notion of consent under Regulation 2016/679 (GDPR) and clarifies the mechanisms of cookie consent.
These guidelines slightly update the previous guidelines issued by the Article 29 Working Party (W29) in April 2018. They are more than welcome considering the difficulties encountered by stakeholders in relation to compliance with cookies and tracing technologies, as well as discrepancies between the national data protection authorities.
The EDPB provides guidelines on the notion of consent in the GDPR and points out that the notion of consent in the ePrivacy texts remains linked to the one in the GDPR and should be considered “as a precondition for lawful processing”. Therefore, tracing technologies and cookies must comply with the GDPR requirements for valid consent, i.e. consent must be freely given, specific, informed and unambiguous.
Two points have been clarified in these guidelines:
- “Cookie walls” are no longer valid. The EDPB states “in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls)”, confirming the position taken in its statement on the revision of the ePrivacy Regulation. In other words, user consent should not be considered freely given if the user is forced to accept cookies in order to access the services and functionalities of a website or an app, as a lack of options would prevent such consent from being freely given.
- Scrolling or swiping through a webpage is no longer a valid expression of consent. The EDPB maintains its position that user consent given in this way would not be considered as unambiguous (i.e. given through a clear and affirmative action). In addition, the EDPB considers that it would be difficult for the user in such a case to withdraw their consent as easily as granting it.
The EDPB has also highlighted the notion of granularity of consent. This notion is closely related to the need for a specific consent for each purpose under the GDPR.
Why this matters:
Cookies and tracking technologies are valuable tools in the digital economy. Professionals have used these tools for diverse purposes such as increasing their knowledge of audiences, optimizing advertising campaigns and monetizing such knowledge. A reconsideration of the current business model, mainly based on targeted advertising and third-party cookies, seems to be inevitable.
From a practical standpoint, and for now, publishers of websites and apps accessible on the European Union territory should take action in order to ensure compliance. In particular, publishers should:
- provide transparent and granular information on cookies with an adequate cookies banner and cookies policy;
- ensure that only strictly necessary cookies are in opt-out mode;
- allow users to manage their cookie consents and change their choices (accept, refuse, personalise) or withdraw their consent at any time;
- ensure that the refusal of cookies does not block access to the online service;
- minimise third-party cookies; and
- document the consent mechanism in accordance with the accountability principle, for instance by using a cookie consent management tool.