The European Data Protection Board (EDPB) has updated its Guidelines on GDPR consent to clarify that making access to a website conditional on accepting cookies – so-called “cookie walls” – does not constitute valid consent and that scrolling or swiping through a webpage cannot constitute consent either, under any circumstances.
“Guidelines on consent under Regulation 2016/679” were first published in November 2017 by the EDPB’s predecessor, the Article 29 Working Party, and formally adopted in April 2018. The EDPB has now produced a slightly updated version of those Guidelines which, apart from two important clarifications, essentially remain the same. The clarifications appear in the sections of the Guidelines on “Conditionality” and “Unambiguous indication of wishes” and concern, respectively, the validity of consent provided by individuals when interacting with “cookie walls” and the question of scrolling or swiping through a webpage or similar user activity to indicate consent.
The Guidelines now state in no uncertain terms that, in order for consent to be freely given, “access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so-called ‘cookie walls’)”. The EDPB then provides the following example:
A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice, its consent is not freely given.
This does not constitute valid consent, as the provision of the service relies on the data subject clicking the “Accept cookies” button. It is not presented with a genuine choice.
Scrolling or swiping through a webpage
The Guidelines already made clear that “merely continuing the ordinary use of a website” does not satisfy the requirements for obtaining valid consent – it is not conduct from which one can infer an indication of wishes by the data subject to signify his or her agreement to a proposed processing operation. In basic terms, data controllers must avoid ambiguity and “must ensure that the action by which consent is given can be distinguished from other actions.” The updated guidance now provides a further example to clarify the application of these principles:
Based on recital 32, actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action: such actions may be difficult to distinguish from other activity or interaction by a user and therefore determining that an unambiguous consent has been obtained will also not be possible. Furthermore, in such a case, it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it.