On May 4, 2020, the European Data Protection Board (EDPB) adopted new guidelines (the guidelines) regarding the use of consent as a legal basis for processing personal data under the General Data Protection Regulation (GDPR).[1] The guidelines update and replace the Article 29 Working Party’s April 2018 guidance on the same topic.

The guidelines remain largely unchanged from the earlier version but do provide helpful clarifications on two points: a) the validity of consent when interacting with so-called “cookie walls”; and b) “scrolling” as a means of indicating consent.

Background

Under the GDPR, a legal basis is required for the processing of personal data. Six options are available to organizations processing non-sensitive personal data, one of which is the consent of the individual. The GDPR requires such consent to be freely given, specific, informed, and unambiguous. It should also be reversible. The guidelines address what this means in practice, and how organizations can ensure that an individual has control and is offered a genuine choice when asking for their consent.

Cookie Walls

Differing SA opinion

There have been differing opinions among Supervisory Authorities (SAs) as to whether “cookie walls” are acceptable, and their use is still prevalent. Cookie walls are a form of consent that compels a website visitor to accept the use of non-essential cookies in exchange for access to the website or certain services. The UK’s Information Commissioner’s Office (ICO) has opined that cookie walls may be allowed in limited circumstances, but likely only where their use does not require users to agree to their personal data being used as a condition of accessing a service.[2] Although the ICO allows limited use of cookie walls, other regulators, including the Dutch and French, have taken a firmer stance and concluded that cookie walls are not valid under any circumstances.[3]

Clarifying the situation

The updated guidelines address how Article 7(4) and Recital 43 of the GDPR regarding freely given consent should be interpreted. The prior guidelines were clear that when consent is required to obtain a contract or service but the processing is not necessary for the provision of the contract or service, such consent is presumed to be not freely given and is invalid. However, the use of the word “presumed” in the GDPR’s Recital 43 suggests that there are exceptional cases where the controller may overcome the presumption and demonstrate that such consent is freely given and valid. The prior guidelines provided an example—where an organization offers data subjects a genuine choice between two equivalent services, one of which does not involve consenting to data use for additional purposes, then the resulting consent by the user would be valid.

The updated guidelines retain this approach, but go on to state that access to services and functionalities must not be made conditional on the consent of a user to “the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls).” This statement clearly expresses the EDPB’s view that cookie walls cannot overcome the presumption that user consent is not freely given where consent to use of the service is conditioned on acceptance of the cookies.

Scrolling and Consent

The prior guidelines clarify what it means for consent to be an unambiguous indication of wishes. Article 4(11) of the GDPR states that this may be satisfied by a “statement or clear affirmative action.” The guidelines further state that a pre-ticked box for acceptance of general terms does not constitute affirmative action, and acceptance of consent language as part of a general privacy policy acceptance is similarly invalid. The guidelines also note that a consent request that interrupts the delivery of the service and the user experience may be necessary to make the request effective, although an organization may design a consent flow appropriate for its product, including the use of physical motions (such as swiping a bar on a screen).

The updated guidelines make clear that scrolling or swiping through a webpage as a motion on a website or digital service “will not under any circumstances satisfy the requirement of a clear and affirmative action.”

Conclusion

These updates, while not unexpected, offer welcome clarification for providers of online services. The EDPB is tasked with guiding national Supervisory Authorities’ actions to ensure a more consistent application of the GDPR. As such, we can expect national approaches to cookie walls and affirmative consent to largely, over time, follow suit. However, with the UK outside of the European Union, it is unclear to what extent the ICO will differ in its approach.

Wilson Sonsini Goodrich & Rosati routinely advises clients on GDPR compliance issues, and helps clients manage risks related to the enforcement of global and European data protection laws. For more information, please contact Cédric Burton, Jan Dhont, Lydia Parnes, Christopher Olsen, or another member of the firm’s privacy and cybersecurity practice.


[1] Guidelines 05/2020 on consent under Regulation 2016/679.

[2] See our blog post, The ICO Issues its Cookies Guidance: Clarified Stance and Enforcement Priorities.

[3] For the French opinion, see our blog post, The CNIL Sharpens Requirements on Deployment of Tracking Technologies.