The key takeaway
The European Data Protection Board (EDPB) has updated its “Guidelines on GDPR consent” to clarify that: (a) making access to a website conditional on accepting cookies – known as “cookie walls” – does not constitute valid consent; and that (b) scrolling or swiping through a webpage cannot constitute consent either, under any circumstances.
The background
Consent is one of the six lawful bases for processing personal information under the GDPR. For many internet users, cookie consents are an irritating and inescapable experience when browsing the web. These notices ask users to agree to being tracked when visiting a site for the first time but, are often misleadingly phrased or impossible to refuse. In an effort to make cookie consent more consensual, the EU has published these updated guidelines which make it clear that cookie walls and scrolling are not legitimate means of obtaining consent.
The guidance
“Guidelines on consent under Regulation 2016/679” were first published in November 2017 by the EDPB’s predecessor, the Article 29 Working Party. They were formally adopted in April 2018. The EDPB has now produced a slightly updated version of those Guidelines. Two important clarifications appear in the sections of the Guidelines on “Conditionality” and “Unambiguous indication of wishes”. These apply to the validity of consent provided by individuals when interacting with “cookie walls” and the question of scrolling or swiping to indicate consent.
Cookie walls
“Cookie walls” make viewing content contingent on consenting to be tracked. This conflicts with the concept of giving people a free choice over whether their data is collected for potentially intrusive usage like targeted advertising. However, as the EDPB notes, if a website “puts into place a script that will block content from being visible except for a request to accept cookies” this “does not constitute valid consent” as the user is “not presented with a genuine choice.” So what this means in essence is no more cookie walls.
Scrolling or swiping through a webpage
The other key clarification in the Guidelines is to confirm that the most basic interactions with a website cannot constitute consent. Some website providers, for example, interpret simply scrolling or swiping on the page as agreeing to their tracking policies. The EDPB notes that “such actions may be difficult to distinguish from other activity or interaction by a user and therefore determining that an unambiguous consent has been obtained will not always be possible”. Also, if scrolling can constitute consent, it should also be capable of being used to withdraw consent. In the EDPB’s words, “in such a case it will be difficult to provide a way to withdraw consent in a manner that is as easy as granting it”.
Why is this important?
The Guidelines put beyond doubt what we have known for a long time, namely that cookie walls and scrolling or swiping are not compliant means for obtaining consent.
Any practical tips?
It’s clear that market practice has some way to go to catch up with the EDPB, with many sites still presenting all-or-nothing cookie walls that force consumers to consent or go away. Moreover, consent management platforms (CMPs) may have some way to go to reach the level of clarity being recommended by the EDPB, noting that a whole range of “dark patterns” are in play (confusingly designed user interface choices), which can mislead and coerce users, making it difficult and/or time-consuming for users to provide clear consent. A recent study found that only 11% of cookie consent mechanisms were compliant with the GDPR.
Remember that consent is not considered to be freely given if consumers are not provided the ability to give separate consent for different kinds of data processing where appropriate, including for non-essential, marketing-related data processing. Providing the user with full control over their cookie usage really is the only way ahead.
Article by RPC Oliver Bray