The European Data Protection Board (EDPB) has updated its Guidelines on GDPR consent to clarify that making access to a website conditional on accepting cookies – so-called “cookie walls” – does not constitute valid consent and that scrolling or swiping through a webpage cannot constitute consent either, under any circumstances.
Updated Guidelines
“Guidelines on consent under Regulation 2016/679” were first published in November 2017 by the EDPB’s predecessor, the Article 29 Working Party, and formally adopted in April 2018. The EDPB has now produced a slightly updated version of those Guidelines which, apart from two important clarifications, essentially remain the same. The clarifications appear in the sections of the Guidelines on “Conditionality” and “Unambiguous indication of wishes” and concern, respectively, the validity of consent provided by individuals when interacting with “cookie walls” and the question of scrolling or swiping through a webpage or similar user activity to indicate consent.
Cookie walls
The Guidelines now state in no uncertain terms that, in order for consent to be freely given, “access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so-called ‘cookie walls’)”. The EDPB then provides the following example:
A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice, its consent is not freely given.
This does not constitute valid consent, as the provision of the service relies on the data subject clicking the “Accept cookies” button. It is not presented with a genuine choice.
Scrolling or swiping through a webpage
The Guidelines already made clear that “merely continuing the ordinary use of a website” does not satisfy the requirements for obtaining valid consent – it is not conduct from which one can infer an indication of wishes by the data subject to signify his or her agreement to a proposed processing operation. In basic terms, data controllers must avoid ambiguity and “must ensure that the action by which consent is given can be distinguished from other actions.” The updated guidance now provides a further example to clarify the application of these principles:
Based on recital 32, actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action: such actions may be difficult to distinguish from other activity or interaction by a user and therefore determining that an unambiguous consent has been obtained will also not be possible. Furthermore, in such a case, it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it.
Comment
These clarifications should be welcomed by website operators and other organizations which are using cookies. Requesting a website visitor to engage with a cookie policy by accepting, rejecting or managing cookies is one thing. Making access to a website conditional on accepting tracking cookies is quite another. Yet an internet user doesn’t have to browse far before landing on a site which does just that. Whether or not that user “accepts” the site’s cookies and its terms of processing on that basis, the placing of those cookies on the user’s device and the collection and processing of personal data resulting from it will be unlawful under the e-Privacy Directive 2002/58/EC and the GDPR. The extent to which the EDPB’s clarifications will deter such practices, however, remains to be seen. As regards scrolling, if it wasn’t clear already, it is now. This can never constitute consent because it cannot, as an otherwise “ordinary” action, constitute a “clear and affirmative action.” Moreover, consent must be capable of being revoked as easily as it is given. Hard to envisage what that could consist of if consent were achievable with a simple scroll or swipe.