EU: EDPB adopts updated guidelines on consent under the GDPR
The European Data Protection Board ('EDPB') adopted, on 4 May 2020, its Guidelines 05/2020 on Consent under Regulation 2016/679 ('the Guidelines'). In particular, the Guidelines represent a slightly updated version of the Article 29 Working Party's Guidelines on Consent under Regulation 2016/679 ('the WP29 Guidelines'), which were endorsed by the EDPB in its first plenary meeting.
Specifically, the Guidelines, which should from now on replace any reference to the WP29 Guidelines, outline that there was a need for clarifications on the following points:
- the validity of consent as provided by data subjects when interacting with 'cookie walls'; and
- the action of scrolling or swiping through a webpage, or similar user activity, as a clear and affirmative action of consent.
Conditionality as an element of a freely given consent
The Guidelines provide for two main recommendations:
- service providers cannot prevent data subjects from accessing a service on the basis that they do not consent; and
- 'cookie walls' are not permitted: access to services and functionalities must not be made conditional on the consent of users to the placement of cookies or similar technologies on their terminal equipment.
In particular, the Guidelines provide that, when data controllers offer a choice between their own service, which includes consenting to the use of personal data for additional purposes, and an equivalent service offered by a different controller, consent cannot be considered as freely given. The Guidelines explain that in such a case, the freedom to provide consent would be made dependent on what other market players do and on whether data subjects would find the other data controller's services equivalent. In addition, in such circumstances, data controllers would necessarily have to keep monitoring market developments in order to ensure the continued validity of consent for their data processing activities, as competitors may alter their service at a later stage.
As a result, the Guidelines provide that consent that relies on an alternative option offered by a third party must be deemed in violation of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
The Guidelines offer the example of a website provider putting into place a script that blocks content from being visible, except for a request to accept cookies and the information on which cookies are being set and for what purposes data will be processed. In such a case there is no possibility to access the content without clicking on the 'accept cookies' button, meaning that the data subject is not presented with a genuine choice. Therefore, consent is not freely given, and cannot be deemed valid, as the provision of the service relies on the data subject's consent to the placement of cookies.
Consent as an unambiguous indication of wishes
The Guidelines highlight that consent under the GDPR must always be given through an active motion or declaration, and that it must be obvious that the data subject has consented to the specific processing activity.
Therefore, the Guidelines, in accordance with Recital 32 of the GDPR, find that scrolling or swiping through a webpage, or similar user actions, will not in any case constitute a clear and affirmative action, since it may be difficult to distinguish such behaviours from other activity or interaction of the user. Thus, the Guidelines provide that in such a case determining that unambiguous consent has been obtained will not be possible, and that it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it.
Matteo Quartieri Privacy Analyst