On May 4, 2020 the European Data Protection Board (“EDPB”) updated the guidelines on consent under the EU General Data Protection Regulation 2016/679 (the “GDPR”). The guidelines were originally published by the Article 29 Working Party on April 10, 2018 and later endorsed by the EDPB. The full text of the updated EDPB guidelines can be read here.
I. Speed read
The EDPB’s minimal changes to the guidelines clarify that:
- Consent provided by a data subject when interacting with a so-called “cookie wall” is not freely given and is not, therefore, valid; and
- Passive behaviours such as “scrolling” or “swiping” through a webpage will not, under any circumstances, satisfy the clear and affirmative action requirement for valid consent.
The rest of the guidelines were left unchanged (except for minor editorial changes). More information on the two substantive changes are described below.
II. Consent cannot be validly obtained via so-called “cookie walls”
The EDPB has clarified that cookie walls do not constitute valid consent, as they do not present the user with a genuine choice.
The updated EDPB guidelines now include the following illustrative explanation:
“A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice, its consent is not freely given.”
This is in line with the position already taken by various European data protection supervisory authorities including the Autoriteit Persoonsgegevens in the Netherlands and the Commission Nationale de l’Informatique et des Libertés in France, which have stated that freely given consent cannot be obtained through a cookie walls. Additionally, the Information Commissioner’s Office in the UK has stated that a blanket approach, such as the use of a cookie wall, is unlikely to represent valid consent.
III. Scrolling and swiping are not unambiguous indications of consent
The idea that a passive behaviour (such as continuing to use a website) does not amount to valid consent, is not new. This opinion was expressed in the previous guidelines published by the Article 29 Working Party. However, the EDPB’s updated guidelines revise “Example 16” on the validity of scrolling and swiping, emphasising that such behaviours “will not under any circumstances satisfy the requirement of a clear and affirmative action”.
A side by side comparison of Example 16, as set out in the original Article 29 Working Party guidelines vs. the updated EDPB guidelines, is shown below (our emphasis added):
|Original Article 29 Working Party Guidelines||Updated EDPB Guidelines|
Scrolling down or swiping through a website will not satisfy the requirement of a clear and affirmative action. This is because the alert that continuing to scroll will constitute consent may be difficult to distinguish and/or may be missed when a data subject is quickly scrolling through large amounts of text and such an action is not sufficiently unambiguous.
|Based on recital 32 [of the GDPR], actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action: such actions may be difficult to distinguish from other activity or interaction by a user and therefore determining that an unambiguous consent has been obtained will also not be possible. Furthermore, in such a case, it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it.|
The EDPB’s updated Example 16 also highlights the fact that it will be difficult to provide a mechanism through which consent can be withdrawn in a manner that it is as easy as the way it was granted (as is required under Article 7(3) of the GDPR) where the consent was granted through scrolling, swiping or similar behaviours.
 The “Article 29 Working Party” (the Working Party established by Article 29 of the Directive 95/46/EC) is the predecessor to the EDPB. At its first plenary meeting, the EDPB endorsed the Article 29 Working Party Guidelines on consent under the Regulation 2016/679 (WP259.01) (available here).
 Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
 Article 4(11), GDPR.
 See paragraph 40 of the updated EDPB guidelines.
 In March 2019, the Dutch DPA published a statement in which it explained that data subjects have no real or free choice with cookie walls since visitors are not able to access the website without giving consent (available in Dutch here).
 See paragraph 86 of the updated EDPB guidelines.