The European Data Protection Board (“EDPB”) has adopted on 4 May 2020 their latest Guidelines 05/2020 (the “Updated Guidelines”) on consent under the EU Regulation 2016/679 (“GDPR”).
As a reminder, under GDPR, a data controller is only allowed to process the data of a data subject if certain conditions are met, one of them being when the data subject has given his/her explicit consent.
However, there have been discussions as to the very notion of “explicit consent”. The question is of importance, since consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment.
GDPR defines consent as “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Article 4(11) GDPR).
The Updated Guidelines are an updated version of the previous Guidelines adopted by the Article 29 Working Party on 10 April 2018 which were later endorsed by the EDPB.
The main clarifications in the Updated Guidelines were brought regarding the questions related to cookie walls” and the issue regarding scrolling and consent.
- Cookie walls
GDPR indicates that, among others, bundling consent with acceptance of terms or conditions or tying the provision of a contract or a service to a request to consent to process personal data that are not necessary for the performance of that contract or service is considered highly undesirable. If consent is given is such way, it will be presumed as not having been given freely and it will therefore not be a lawful basis for a data controller to process data of a data subject.
The question was therefore raised whether a data controller was allowed to restrict access to their website subject to the acceptance of cookies. Such cases arises for example, if a data controller blocks content of his website, unless the data subject clicks of the “Accept cookies” button.
The Updated Guidelines confirm that access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls).
2. Scrolling and consent
The Updated Guidelines remind that the GDPR is clear that consent requires a statement from the date subject or a clear affirmative act, which means that it must always be given through an active motion or declaration. While the Updated Guidelines mention that the best “clear affirmative act” would be a written statement given by the data subject(e.g. letter or e-mail), it also admits that such formal way of giving consent might often not be realistic.
The Updated Guideline confirms that the active ticking of an optional (non pre-ticked) opt-in box mentioning “I consent” can be considered as a “clear affirmative act” to consent to the processing (Updated Guideline Example 14 paragraph 80).
Nevertheless, the Updated Guidelines indicate that data controllers have the liberty to develop a consent flow that suits their organization and physical motions may qualify as a clear affirmative action under GDPR.
Continuing the ordinary use of a website, is not considered as a clear affirmative act, as it cannot be distinguished from other actions.
Physical motions that may qualify as such may include (Updated Guidelines Example 16):
- swiping a bar on a screen,
- waiving in front of a smart camera,
- turning a smartphone around clockwise or in a figure eight motion
However, the Updated Guidelines consider that scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of “clear and affirmative action” as they may be difficult to distinguish from other activities or interaction by a user.