GDPR Cookie Consent: The Latest EDPB Guidelines on Cookie Walls
On 5th May 2020, the European Data Protection Board (EDPB) published new guidelines that classified the use of “cookie walls” as a GDPR violation.
Consent is one of the six legal bases for processing personal information under the GDPR. However, several companies have made it difficult for consumers to access content on their websites without giving consent to the placement of cookies on their device.
According to the EDPB, a built-in cookie wall does not offer users a genuine choice.
Apart from invalidating cookie walls under the GDPR, the fresh guidelines published by the EDPB also direct that scrolling through or interacting with a website can no longer be treated as an indicator of valid GDPR cookie consent.
1.0 Elements of Valid Consent Under the GDPR
According to Article 4(11) of the GDPR, consent entails “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
From this definition, the four crucial elements of valid consent are identified. It must be:
- Freely given
- Specific
- Informed
- An unambiguous indication of the data subject’s wishes
1.1 Freely Given
This component of legitimate cookie consent signifies actual choice and control for consumers. The GDPR makes it clear that if a user is denied real choice, feels coerced, or will experience adverse results for failing to provide consent, then the consent given in these circumstances is invalid.
Similarly, if cookie consent is sought through bundling as one of the elements of non-negotiable terms and conditions, then it is not considered freely authorized.
Another circumstance under which cookie consent is considered not freely given is when a data subject is denied the opportunity to withdraw their consent without consequences.
The GDPR also makes it clear that any component of undue pressure or influence on the data subject that restricts a user from exercising their free will makes any consent provided under these circumstances non-compliant with the requirements of this data privacy law.
The different elements of inappropriate pressure or influence that deny users the opportunity to exercise free will include:
- Imbalance of power
- Conditionality
- Granularity
- Detriment
1.1.1 Imbalance of Power
The GDPR takes into account the idea of the existence of an imbalance between the controller and the user.
Essentially, this data protection law acknowledges that if the controller is a public authority, it is highly probable that the body will depend on consent for processing consumer data.
Another key aspect to take into account in this context is the fact that in most instances, the user will not have viable alternatives to agreeing to the controller’s terms of data processing.
Another scenario where the aspect of a power imbalance can emerge between data subjects and the controller is in the employment context.
Given the dependency that is typical of the employer/employee relationship, it is unlikely that an employee can refuse to give consent to the employer for the processing of his/her personal information without being concerned about being punished for the refusal.
For instance, it is improbable that a member of staff can freely deny his/her employer consent for activities such as camera monitoring at work.
As such, the EDPB acknowledges the use of consent to process existing and future workers’ information as being complicated because consent is unlikely to be granted freely.
For this reason, the EU data protection body clarifies that for a large share of this kind of data processing in the workplace, the legal basis cannot and should not be the consent of the employees, due to the nature of the employer/employee relationship.
Nonetheless, this provision does not imply that the use of employee consent as the basis of processing personal information should be avoided entirely by employers since specific circumstances can provide the conditions for employers to show that consent was granted freely.
Consider a scenario where a film crew is contracted to film a specific section of the workplace, and the employer requests all employees whose workstation is on the section to be filmed to give consent for this purpose, since they may form part of the background in the video. The employer can demonstrate freely given consent by not penalizing the members who do not want to be filmed in any way and offering them similar workstations in another part of the office space until the completion of the filming process.
1.1.2 Conditionality
Article 7(4) of the GDPR invalidates the bundling of consent with the acceptance of terms or conditions.
Similarly, the law also prohibits tying a consent request for the processing of personal information to the provision of another contract or service that is unnecessary for the execution of the main service offered.
The consent granted in such circumstances cannot be considered freely given.
To illustrate this, consider a smartphone application for editing images that requires users to have GPS localization turned on in order to use its services.
This app also informs its customers that the information being collected will be used for behavioral advertising.
However, neither geolocalization nor behavioral advertising is necessary for the delivery of the image editing service, which means that they exceed the provision of the core service offered to users.
The EDPB clarifies that since data subjects cannot utilize the app without providing consent to these purposes, the consent cannot be regarded as given freely.
For consent to be considered freely given, users must be allowed access to services and functionalities without being subjected to a conditional agreement to the storage of data, or access to information held in their terminal device.
This conditional consent request is commonly referred to as a cookie wall.
1.1.3 Granularity
In some settings, a service entails several processing activities for more than one purpose.
In these situations, users should be free to select the purposes they consent to, instead of having to agree to a whole set of processing purposes.
Consequently, consent is not freely given if the consent process does not let users consent separately to each purpose of personal information processing.
The EDPB clarifies that if a controller combines various processing purposes and makes no effort to seek separate consent for each purpose, it denies users that freedom.
Since the GDPR requires consent to be specific, the granularity requirement ensures that valid consent is obtained in instances where data processing is performed in the fulfillment of various purposes.
For example, a business can ask consumers to consent to the use of their data for receiving marketing emails and also for sharing their data with third-party partners.
In such a scenario, consent is not granular because there are no separate consents for the two purposes, and it is therefore invalid.
1.1.4 Detriment
The GDPR obliges businesses to show that it is possible to deny or withdraw consent without negative consequences.
For instance, controllers should demonstrate that withdrawing consent does not result in any adverse consequences for the data subject.
Detriment also includes deception, intimidation, coercion, or notable adverse effects if a user fails to give consent.
Therefore, if the data controller can demonstrate that the service comes with the option to withdraw consent without any negative consequences, such as the service being downgraded to the detriment of the consumer, consent can be deemed to have been freely given.
1.2 Specific
Under the GDPR, valid cookie consent must be specific.
This requirement means that the consent provided by a data subject must be connected to one or more specific reasons, and that a user has a choice in relation to each one.
This requirement seeks to guarantee users a certain level of transparency and control over their data.
This obligation has not been modified by the GDPR and remains closely connected to the requirement of informed consent.
Nonetheless, it must be understood alongside the concept of granularity in obtaining valid cookie consent. Overall, to comply with the requirement of ‘specific’ consent, a data controller should provide:
- Specification of purpose as security against function creep
- Granularity in consent requests
- Clear distinction of information connected to seeking consent for personal data processing activities from information concerning other subjects.
1.3 Informed
The GDPR underscores the obligation of ensuring that consent is informed.
The need for businesses to be transparent is one of the crucial principles of this law, highlighted by its close connection with the principles of fairness and lawfulness.
Making information available to data subjects before obtaining their consent is important to helping them make informed choices, understand what they are agreeing to, and exercise their right to withdraw their consent.
In case a data controller fails to provide accessible information, users are denied control. Primarily, user control becomes illusory in this circumstance, an aspect that invalidates the consent given as a basis for the processing of personal information.
1.4 Unambiguous Indication of Wishes
The EU’s General Data Protection Regulation explicitly states that valid cookie consent involves a statement from the user or clear affirmative action.
Therefore, consent must be provided through an active action or declaration.
It should be obvious beyond doubt that the consumer has agreed to that specific processing of their information.
2.0 EDPB Guidelines on the Use of Cookie Walls and Scrolling to Obtain GDPR Consent
The latest clarifications regarding valid GDPR cookie consent published by the EDPB are consistent with the decision of the Court of Justice of the European Union in the Planet49 case as well as the Dutch Data Protection Authority’s (DPA) guidelines on the same subject.
2.1 What is a Cookie Wall?
A cookie wall refers to the mechanism of denying users access if they do not provide consent to the installation of all cookies and trackers being used by a website.
Primarily, a cookie wall is a popup that is placed on a website to inform users about cookie use on the website without giving them the opportunity to reject the installation of cookies on their devices.
Below is an example of a cookie wall.
As such, the only way users can access content on the website is to accept all cookies and proceed.
2.2 Is there a Difference Between the Terms Cookie Wall and Cookie Consent Banner?
A cookie wall is a specific kind of a cookie consent banner.
A cookie wall denies users real choice by requiring them to accept the storage of ALL cookies and trackers without offering an option to reject this placement or withdraw consent easily.
On the other hand, compliant cookie consent banners allow users to check or uncheck specific types of cookies, such as marketing cookies, which typically carry several personal data trackers from companies in the adtech industry.
Additionally, cookie consent banners allow users to access content on the website regardless of their choice.
Below is an example of a GDPR compliant cookie consent banner:
2.3 The EDPB Clarification on Cookie Walls
Primarily, the EDPB guidelines state, “in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user.”
From this provision, it is evident that the use of cookie walls is no longer acceptable.
Essentially, cookie walls deny users genuine choice since their access to content is contingent on them giving consent to the storage of all cookies being used by a website in their devices without giving them the option to either reject this placement of cookies or withdraw their consent easily.
2.4 The EDPB Clarification on Scrolling/Swiping the page
Another major change in the new EDPB guidelines concerns the practice, common across many websites, of treating even the most basic interaction as consent.
In this context, the EU body notes that some website platforms interpret simple scrolling or swiping on the page as the data subject consenting to their tracking policies.
However, the EDPB finds this practice illegal and states, “actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action.”
The rationale behind this clarification is that if scrolling counted as giving consent, the same scrolling could equally be read as withdrawing it.
Since websites have no mechanism for differentiating between these intentions, using scrolling or swiping as an indicator of valid consent is inconsistent with the GDPR’s requirement of an unambiguous indication of the data subject’s wishes when obtaining cookie consent.
3.0 What the EDPB Clarifications on Valid GDPR Cookie Consent Mean for Businesses
The GDPR makes it clear that data controllers must show that valid consent was obtained before processing personal information.
For businesses to allow clear indications of user wishes and to offer users genuine choice concerning the tracking of their personal information, both operations and IT systems require updating.
- First, websites need to do away with built-in cookie wall scripts that deny users access to content unless they agree to the storage of all cookies, without giving them the option to reject this placement or withdraw their consent easily.
- Secondly, they should refrain from using scrolling or swiping on the page as an indicator of a user’s consent to the storage of cookies on their devices or the tracking of their personal information.
- Thirdly, companies should institute a mechanism through which data subjects can withdraw their consent easily.
4.0 Transferring data outside the EU
Data transfer is the process where personal data flows from one company to another, or from the user to the company. When that’s a transfer across international borders, that is an international data transfer.
Read all about the EDPB Schrems II Guidance on transferring data outside the EU.
5.0 How to Obtain Valid GDPR Cookie Consent with Secure Privacy
The EDPB guidelines make it clear that data subjects must be given clear and active choices before any cookies are installed in their devices or their information processed.
As already highlighted, cookie walls compel consumers to choose between accessing content on a website by agreeing to the placement of all cookies and trackers or leaving without their privacy being compromised.
Secure Privacy can help you comply with this requirement with our ‘prior consent’ solution. The ‘Prior consent’ tool allows you to block all cookies other than the strictly necessary ones from being placed on your visitor’s device until they agree.
What’s more, you can easily set it up and manage it through the admin dashboard.
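The requirements scattered through this article (granular per-purpose consent in 1.1, no consent from scrolling in 2.4, the three business changes in 3.0, and blocking non-essential cookies until agreement in 5.0) can be expressed as a small piece of client-side logic. The following is an added example written for this page; it is not code from Secure Privacy, the EDPB or the original article. The purpose names, control identifiers, script tags and the shape of the user actions are assumptions made for the illustration. The state logic is kept free of DOM calls so it also runs outside a browser; wiring it to real click handlers and a script loader is left to the site.

```javascript
// Added example: a prior-consent gate (not Secure Privacy's or the EDPB's code).
// Purpose names, control ids and action shapes below are assumptions.

const PURPOSES = ["analytics", "marketing"]; // assumed non-essential purposes

// Before any decision, every non-essential purpose is denied: nothing runs
// "by default", only strictly necessary scripts may load.
function initialConsent() {
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = false;
  return { decided: false, purposes };
}

// Applies one user action. Only explicit activation of a consent control
// ("click" here also stands for keyboard activation) changes the state;
// scrolling, swiping, mouse movement or a timer never does, because none of
// them is an unambiguous, affirmative indication of the user's wishes.
function applyAction(state, action) {
  if (action.type !== "click") return state;
  const next = { decided: true, purposes: { ...state.purposes } };
  switch (action.control) {
    case "accept-all":
      for (const p of PURPOSES) next.purposes[p] = true;
      return next;
    case "reject-all":
    case "withdraw": // withdrawing is a single action, as easy as consenting
      for (const p of PURPOSES) next.purposes[p] = false;
      return next;
    case "save-selection": // granular: each purpose is a separate decision
      for (const p of PURPOSES) {
        next.purposes[p] = Boolean(action.choices && action.choices[p]);
      }
      return next;
    default: // an unknown control is not a consent signal
      return state;
  }
}

// Each script declares the purpose it serves; a script with no purpose is
// strictly necessary (e.g. session handling) and always loads.
function allowedScripts(state, scripts) {
  return scripts.filter(
    (s) => s.purpose === undefined || state.purposes[s.purpose] === true
  );
}

// The banner is shown until a decision exists and a withdraw control is shown
// afterwards, but content stays reachable either way. A banner with no reject
// control is a cookie wall, so this refuses to render it.
function bannerState(state, config) {
  if (!config.controls.includes("reject-all")) {
    throw new Error("consent banner has no reject control (cookie wall)");
  }
  return { showBanner: !state.decided, showWithdraw: state.decided, contentAccessible: true };
}

// Persist the decision as JSON (a first-party cookie or localStorage in a
// browser). A missing, malformed or tampered value falls back to "no decision"
// rather than to consent, so the gate fails closed.
function serializeConsent(state) {
  return JSON.stringify(state);
}
function parseConsent(raw) {
  try {
    const parsed = JSON.parse(raw);
    if (!parsed || typeof parsed.purposes !== "object" || parsed.purposes === null) {
      return initialConsent();
    }
    const state = initialConsent();
    state.decided = parsed.decided === true;
    for (const p of PURPOSES) state.purposes[p] = parsed.purposes[p] === true;
    return state;
  } catch (e) {
    return initialConsent();
  }
}

// Walk-through on constructed input: a scroll, a granular choice, a withdrawal.
function demo() {
  const scripts = [
    { src: "session.js" }, // strictly necessary, no purpose tag
    { src: "analytics.js", purpose: "analytics" },
    { src: "ads.js", purpose: "marketing" },
  ];
  const banner = { controls: ["accept-all", "reject-all", "save-selection", "withdraw"] };
  const trace = [];
  let state = initialConsent();
  state = applyAction(state, { type: "scroll" }); // ignored: no consent yet
  trace.push(allowedScripts(state, scripts).map((s) => s.src));
  state = applyAction(state, { type: "click", control: "save-selection", choices: { analytics: true } });
  trace.push(allowedScripts(state, scripts).map((s) => s.src));
  state = parseConsent(serializeConsent(state)); // decision survives a round trip
  state = applyAction(state, { type: "click", control: "withdraw" });
  trace.push(allowedScripts(state, scripts).map((s) => s.src));
  trace.push(bannerState(state, banner));
  return trace;
}

console.log(JSON.stringify(demo(), null, 1));
```

The gate fails closed at every step: no purpose is enabled until a click on a named control, a stored record that is missing or has been altered reverts to the undecided state, and a banner configuration without a reject control is refused outright rather than rendered as a cookie wall.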
For a personalized demo of our solution, schedule a call with us today and speak with a data privacy expert.
Alternatively, you can activate your free trial of our complete GDPR compliance solution.