In today’s tech era you’ll find that cookies and consent are hot data protection topics up for debate. Thankfully, the EDPB has recently released the EDPB guidelines to bring some much-needed clarity to the world of cookie notices.
The updated EDPB guidelines primarily speak to cookie consent. It is now clear that you cannot assume a website visitor has given consent, and you cannot block them if they don’t give it either. Having a great cookie notice is now more important than ever.
How do the updated guidelines affect your cookie notice?
On 4 May 2020, the EDPB adopted its guidelines on consent under the GDPR (Guidelines 05/2020 on consent under Regulation 2016/679). While the EDPB document is a slightly updated and edited version of the Article 29 Working Party’s guidelines, it clarifies two important questions:
- The validity of consent by a data subject when interacting with a ‘cookie wall’. Meaning that if you’re using a cookie wall, you’ll need to change it to align with the law.
- The validity of consent by a data subject by merely scrolling.
Do these changes apply to you?
Whether you are a website owner, or a data subject browsing the net, it is important to understand how these changes affect the validity of consent for the use of cookies.
Often, consent is the legal basis for processing personal data when cookies are involved. To be valid, it must be freely given, specific, informed and given by a clear affirmative action. Users often interact with these notices when they go onto a website for the first time and a cookie notice pops up. As a data controller, you must ensure each element of consent is met. You cannot force users to accept all ‘cookies’ as that does not meet the requirements for consent.
Under data protection law, you must meet a number of formalities when using cookies as a tracking technology. Amongst other things, you should make sure the website visitor can accept or block cookies that are not essential to the functioning of your website. For instance, users need to be aware that you are tracking them throughout the internet for marketing purposes. This is done through a cookie notice or banner upon first entry to your website. The visitor can then opt to give their consent or not. If they choose not to give their consent, you cannot block them from using your website.
So what has changed?
The EDPB clarifies two important questions regarding cookies:
Cookie walls
Cookie walls are notices or banners that prevent a user from accessing a site without providing consent. Without positive consent, the user would not be able to access the site at all.
According to the EDPB, this speaks to the definition of consent. When the user has no option but to give consent to access the site, there cannot be truly, freely given consent. This is because of a lack of any alternative choice.
This decision by the EDPB runs in line with the previous Planet 49 decision of the Dutch court.
Assumed consent
The EDPB also makes a second point on what is acceptable in meeting the definition of consent. Here, it contends that controllers cannot assume consent where a website user makes no indication at all. This would often be the case where the website visitor merely closes the notice or continues using the site without deciding on an option.
Actions such as scrolling or swiping through a website do not satisfy the definitional element of clear and affirmative action.
The EDPB also contends that in this scenario, it would be difficult to provide the user with a way to withdraw consent in an easy manner.
What does this mean for you?
We think this brings some important clarification to issues previously left in the dark. It gives us, and you, a great indication of regulatory authority expectations, and the website visitors placing trust in your hands.
It highlights a key mechanism of helping you comply with data protection law and protecting data subjects’ rights. This mechanism is data protection by design. Upon entry, you should gear your website towards allowing data subject to give permission to your use of cookies.
This means you should have a great, informative cookie banner and notice, with enough control options for the user to give their affirmative consent. Only necessary or essential cookies don’t need the user’s consent.
Not only will this help you comply with certain obligations of data protection law, but it will also let you uphold the rights of data subjects that give you a certain amount of trust. We see this as a quick win to gain trust and fulfil some of your duties to your data subjects.
How can we help you?
- Find out more about internet cookies and implement a cookie notice and cookie policy yourself by joining the Michalsons data protection programme.
- Have a compliant cookie policy, cookie banner or notice, by asking Michalsons to draft and implement them for you.
- Update your existing cookie notice and cookie policy by asking Michalsons to review and update them for you.
- Make sure your website is data protection compliant by asking us to conduct a website audit for you.