The European Data Protection Board Issues Updated Guidelines on Consent under the GDPR
On May 4, 2020, the European Data Protection Board issued Guidelines 05/2020 on Consent under Regulation 2016/679 (GDPR). The document is a slightly updated version of the Article 29 Working Party Guidelines on consent issued on April 10, 2018, and endorsed by the EDPB at its first Plenary meeting.
The latest version of the Guidelines clarifies two issues: the validity of consent provided by the data subject when interacting with so-called “cookie walls,” and “scrolling and consent.” Although the GDPR does not specifically regulate cookies (the forthcoming ePrivacy Regulation will), the notion of consent in the draft ePrivacy Regulation is linked to the notion of consent in the GDPR. Organizations will likely need consent under the ePrivacy instrument for most online tracking methods, including the use of cookies.
Generally, under the GDPR, consent can only be an appropriate basis for processing personal data if a data subject is offered control and a genuine choice to accept the terms offered or to decline them without detriment. According to the EDPB, in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining access to information already stored, in the terminal equipment of the user (the so-called cookie walls). Thus, where a website provider puts into place a script that blocks content from being visible except for a request to accept cookies and the information about which cookies are being set, and there is no possibility to access the content without clicking on the “accept cookies” button, the data subject is not presented with a genuine choice and the consent is not freely given under the GDPR.
Further, the EDPB clarified that actions such as scrolling or swiping through the webpage will not satisfy the requirement of a clear and affirmative action by the user required for valid consent because such actions may be difficult to distinguish from other activity or interaction by the user. Accordingly, determining whether an unambiguous consent has been obtained will not be possible. On the other hand, physical motions such as swiping a bar on the screen or waving in front of a smart camera might be sufficient to indicate consent, as long as clear information is provided and it is clear that the motion in question signifies agreement to a specific request.
Notably, consent remains only one of six lawful bases to process personal data under the GDPR. Where consent is not specifically required, a controller should always consider whether other grounds for processing, such as performance of the contract, are applicable in light of the purpose of the processing activity. If a controller seeks to process personal data that is in fact necessary for the performance of a contract, then consent is not the appropriate lawful basis under the GDPR.