Introduction
The European Data Protection Board (‘EDPB’) recently issued guidelines that revise the previous EU WP29 guidelines about consent under GDPR, entitled ‘Guidelines 05/2020 on consent under Regulation 2016/679’ (‘the guidelines’). This article looks at the key clarifications made in the revision, which concern ‘freely given consent’ and ‘cookie walls’, and ‘scrolling/swiping’.
What’s this all about?
Under GDPR consent is one of six legal bases for processing personal data. GDPR states that for consent to be legally valid it must be freely given, specific, informed and unambiguous.
A cookie is a small text file that is downloaded onto a device such as a computer or smartphone when a user accesses a website. The cookie allows the website to recognise that user’s device and store information about the user’s preferences or past actions. In order to comply with E-Privacy rules a person’s consent must be obtained to store a cookie on their device. Commonly used mechanisms to obtain cookie consent include message boxes such as banners, pop-ups, message bars and header bars. A so-called ‘cookie wall’ requires users to agree or accept the setting of cookies before they can access an online service’s content/website.
What do the guidelines say?
The guidelines make two key clarifications; apart from these and some editorial changes, the previous EU WP29 consent guidelines are unchanged. In sum, the two new points of guidance are that, according to the EDPB:
- ‘Cookie walls’ are not compliant with GDPR consent requirements; and,
- Actions such as scrolling or swiping through a webpage do not constitute valid consent under GDPR.
The detailed considerations in the guidelines concerning the issue of ‘freely given consent’ and ‘cookie walls’ are set out in paragraphs 38-41 as follows:
- 38: “The EDPB considers that consent cannot be considered as freely given if a controller argues that a choice exists between its service that includes consenting to the use of personal data for additional purposes on the one hand, and an equivalent service offered by a different controller on the other hand. In such a case, the freedom of choice would be made dependent on what other market players do and whether an individual data subject would find the other controller’s services genuinely equivalent. It would furthermore imply an obligation for controllers to monitor market developments to ensure the continued validity of consent for their data processing activities, as a competitor may alter its service at a later stage. Hence, using this argument means a consent relying on an alternative option offered by a third party fails to comply with the GDPR, meaning that a service provider cannot prevent data subjects from accessing a service on the basis that they do not consent”;
- 39: “In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls)”;
- 40: “Example […]: A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice, its consent is not freely given”;
- 41: “This does not constitute valid consent, as the provision of the service relies on the data subject clicking the “Accept cookies” button. It is not presented with a genuine choice”.
The detailed considerations in the guidelines concerning the issue of ‘consent mechanisms’ and ‘scrolling/swiping’ are set out in paragraphs 84-86 as follows:
- 84: “Controllers should design consent mechanisms in ways that are clear to data subjects. Controllers must avoid ambiguity and must ensure that the action by which consent is given can be distinguished from other actions. Therefore, merely continuing the ordinary use of a website is not conduct from which one can infer an indication of wishes by the data subject to signify his or her agreement to a proposed processing operation”;
- 85: “Example […]: Swiping a bar on a screen, waiving in front of a smart camera, turning a smartphone around clockwise, or in a figure eight motion may be options to indicate agreement, as long as clear information is provided, and it is clear that the motion in question signifies agreement to a specific request (e.g. if you swipe this bar to the left, you agree to the use of information X for purpose Y. Repeat the motion to confirm.”[sic]). The controller must be able to demonstrate that consent was obtained this way and data subjects must be able to withdraw consent as easily as it was given”;
- 86: “Example […]: Based on recital 32 [of GDPR], actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action: such actions may be difficult to distinguish from other activity or interaction by a user and therefore determining that an unambiguous consent has been obtained will also not be possible. Furthermore, in such a case, it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it”.
What can I do to ensure cookie compliance?
Check your cookie consent mechanisms and revise them as necessary to ensure that:
- Your business has implemented a consent mechanism that allows users to control the setting of all cookies that are not strictly necessary for website functionality;
- Your consent mechanism ensures the consent you obtain is in line with GDPR; and,
- You are keeping records of cookie consent for an appropriate period of time.
An option to consider instead of using a ‘cookie wall’ would be to set up a message box such as a banner that doesn’t prohibit access to the service being provided and/or the website.
Whilst you’re at it why not also check your existing cookies policy and amend it as appropriate to ensure that:
- You provide clear and easy to understand information about the cookies you use; and,
- Your information is comprehensive and covers all the cookies you use.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes:
- Detailed guidance on the security aspects of GDPR in paper and on film;
- A template data breach log;
- A template data breach plan; and,
- A template data breach reporting form.
For information about our Breach Navigator tool please see here: https://www.corderycompliance.com/solutions/breach-navigator/
The European Data Protection Board’s guidelines can be found here: edp_guidelines_202005_consent_en.pdf.
We have written about the ICO’s guidance on cookies here https://www.corderycompliance.com/ico-cookies-guidance-faqs/. We have also written about the European Court ruling in the Planet49 GmbH German case which rejected pre-ticked boxes as a valid means of cookies consent here https://www.corderycompliance.com/ecj-cookies-consent-ruling/. We have also written about the proposed changes to the E-Privacy rules and cookies here https://www.corderycompliance.com/client-alert-eu-privacy-reg-proposed-amends-metadata-cookies-legitimate-interests-consent/.
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/. For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
Jonathan.armstrong@corderycompliance.com

André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785
Andre.bywater@corderycompliance.com