The EU General Data Protection Regulation (GDPR) has been in force for over two years, and there's still some disagreement about how it should be interpreted.

One of the more contentious parts of the GDPR is how it handles consent. Although the GDPR requires a "clear affirmative action" to indicate consent, many websites are still relying on cookie consent solutions that infer consent from ambiguous user actions.

The European Data Protection Board (EDPB) has put out some new guidance making it clear that merely scrolling down a webpage without clicking an "I accept" button or some similar mechanism is not an indication of consent.

In this article, we'll be looking at why the EDPB made this decision and considering what it means for your business.



The EDPB's New Guidelines

In May 2020, the EDPB made some revisions to its "Guidelines 05/2020 on Consent Under Regulation 2016/679." This document is an interpretation of the GDPR's rules on consent.

The EDPB consists of representatives from each of the EU's Data Protection Authorities, plus the European Data Protection Supervisor, so its interpretation of EU data protection law is highly authoritative.

The change is relatively small but highly significant. Here's the relevant part of the guidelines:

EDPB Guidelines 5 2020 on Consent under the GDPR: Example 16 - Scrolling or swiping is not clear and affirmative for consent

The example states that "scrolling or swiping through a webpage or similar user activity" cannot be deemed an indication of a user's consent under the GDPR.

The EDPB's guidelines also contain a new provision on the use of so-called "cookie walls."

To understand why scrolling is not an acceptable means of obtaining consent, you need to understand a few basic tenets of EU privacy law.

Summary of EU Cookie Rules

We're going to start by giving an overview of the EU's two main privacy laws: the ePrivacy Directive and the General Data Protection Regulation (GDPR).

The ePrivacy Directive was passed in 2002 and has been implemented into the national law of each EU country. For example, the UK (which is still currently subject to EU privacy law, post-Brexit) has the Privacy and Electronic Communications Regulations (PECR).

The ePrivacy Directive (Article 5(3)) makes it unlawful to store cookies on a user's device, or to read cookies already stored there, without first obtaining the user's consent, subject to two exemptions discussed below.

Here's the relevant passage of the Directive, Recital 25:

EUR-Lex ePrivacy Directive: Recital 25 - Cookies and consent methods highlighted

As you can see, the law states that "users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment." "Terminal equipment" means a computer or other device.

The second underlined passage states that the "methods for... offering a right to refuse or requesting consent should be made as user-friendly as possible." This is relevant to the EDPB's new guidance, as we'll see below.

The ePrivacy Directive doesn't require consent for all cookies.

According to Article 5(3) of the ePrivacy Directive, there are two types of cookies that don't require consent:

EUR-Lex ePrivacy Directive: Article 5(3) - Transmission of Communication and strictly necessary cookies highlighted

We'll call these "type A" and "type B" cookies:

  1. Cookies used "for the sole purpose of carrying out the transmission of a communication over an electronic communications network"
  2. Cookies that are "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service"

According to an opinion of the Article 29 Working Party (the EDPB's predecessor), type "A" cookies can include load-balancing session cookies.

Type "B" cookies can fit any of the following descriptions:

  • ID cookies to remember web-form data and shopping cart contents
  • Authentication cookies
  • Certain short-lived security cookies
  • Media player (e.g. to remember a position in embedded videos)
  • User-interface customization cookies
  • Social media cookies (note that these cookies must only interact with users that are logged into a social network to enable them to share/"like" content).

Because these cookies fall outside the ePrivacy consent requirement, you don't need a consent banner to set them. Any personal data they carry still needs a lawful basis under the GDPR, which will usually be "legitimate interests" or the performance of a contract rather than consent.

Cookies used for any purposes other than those identified above require consent.

This includes cookies used for analytics (both first- and third-party analytics) and advertising.

These cookies are ubiquitous across virtually all websites, but many (if not most) websites fail to request consent in a legally-compliant way.

GDPR: Defines Consent

The GDPR defines "consent," meaning that it requires businesses to obtain consent in a specific way.

So, where the ePrivacy Directive requires that businesses earn consent for certain activities (such as setting cookies), the GDPR dictates how businesses must go about obtaining that consent.

The GDPR's model of consent is perhaps the strictest of any privacy law in the world.

Here's how "consent" is defined at Article 4 of the GDPR:

EUR-Lex GDPR: Article 4 - Definition of consent

So, consent consists of the following characteristics: it is freely given, specific, informed, unambiguous, and given via a clear, affirmative action.

Crucially, a further characteristic appears at Article 7(3) of the GDPR:

EUR-Lex GDPR: Article 7 Section 3 - The right to withdraw consent easily

Consent must be as easy to withdraw as it is to give.

For example, where an individual consents to personalized advertising by toggling a setting "on" in an app, they must be able to easily toggle this setting "off" in order to withdraw consent.

How to Meet the EDPB's Requirements

It's easy to see why the EDPB argues that scrolling through a webpage cannot be considered an expression of an individual's consent.

Consent can only be indicated by an "unambiguous," "clear, affirmative action."

This might include ticking a box, saying "yes," signing a form, etc. It cannot reasonably involve scrolling through a webpage, as it is not possible to be certain that the user is consenting by doing this.

This part of the EDPB's new guidelines does not actually make reference to cookies. However, it has clear implications for cookie consent.

Businesses covered by the GDPR need to implement a cookie consent solution that complies with the EDPB's interpretation of the GDPR's requirements.

Ensure Users Take a Clear, Affirmative Action

You cannot assume that a user consents to cookies merely because they have interacted with your website. The EDPB's guidance confirms that this extremely common method of "obtaining consent" for cookies is incompatible with the GDPR.

A better example of how to request consent in a GDPR-compliant way comes from the website of the EDPB itself:

EDPB Cookie Consent Notice with Accept button highlighted

Note that the EDPB clearly states that "a default 'no consent' option applies" unless the user clicks "accept." The user must click "accept" in order to give consent. This is a clear indication that the user actually does accept (or consent to) cookies.

Unless and until a user consents, you must not set (or read) any cookie that requires consent. In practice this means your analytics and advertising tags must not load before the user clicks "accept"; loading them and merely hiding the banner is the same failure as inferring consent from scrolling.

Provide a Method to Withdraw From Cookies

Your users also need an easy means by which to withdraw consent.

The GDPR states that "it shall be as easy to withdraw as to give consent." In reality, users normally have to take one additional step to withdraw consent to cookies.

This is because accepting cookies usually dismisses a cookie banner. Therefore, a user will normally have to navigate to a separate page in order to withdraw consent once they have given it.

However, you can still make it easy for your users to withdraw consent. For example, you can integrate a cookie consent solution into your Privacy Policy or Cookies Policy.

Here's how the EDPB does this:

EDPB Cookies Policy: Consent to collecting your browsing experience including personal data for the production of anonymised statistics clause with Accept button highlighted

Informing your users about how to withdraw consent is a mandatory part of your Privacy Policy. So it makes sense to provide this functionality within the policy itself.
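The two requirements above, a default-deny opt-in that only an explicit click can change and a withdrawal path that is as easy as the opt-in and actually removes what was set, are easiest to get right when every cookie write goes through one gate. The following is an added example written for this article, not code from the EDPB, The Guardian or any consent-management product; the category names, the cookie names and the injected cookie store are assumptions so that the logic runs outside a browser. The non-compliant "scroll means accept" pattern is included only for contrast.

```javascript
// Added example for this article: a consent gate for non-essential cookies.
// Not EDPB or vendor code. Category names, cookie names and the injected
// cookie store (`jar`) are assumptions; in a page you would wrap
// document.cookie or the Cookie Store API instead of a Map.

// Only "necessary" cookies fall under the ePrivacy exemptions; every other
// category starts in the "no consent" state.
const CATEGORIES = Object.freeze({
  necessary: { requiresConsent: false },
  analytics: { requiresConsent: true },
  advertising: { requiresConsent: true },
});

class ConsentManager {
  constructor(jar = new Map()) {
    this.jar = jar;        // name -> { value, category }
    this.decision = null;  // null: no affirmative action yet, treated as refusal
  }

  // True only for exempt categories or categories the user explicitly opted into.
  hasConsent(category) {
    const spec = CATEGORIES[category];
    if (!spec) throw new Error(`unknown cookie category: ${category}`);
    if (!spec.requiresConsent) return true;
    return this.decision !== null && this.decision[category] === true;
  }

  // The only way consent is granted: a per-category choice coming from an
  // explicit click on "accept" / "save choices". Categories the user did not
  // tick stay refused; unknown categories are an error rather than ignored.
  recordDecision(choices) {
    for (const key of Object.keys(choices)) {
      if (!(key in CATEGORIES)) throw new Error(`unknown cookie category: ${key}`);
    }
    const decision = {};
    for (const [category, spec] of Object.entries(CATEGORIES)) {
      if (!spec.requiresConsent) continue;
      decision[category] = choices[category] === true;
    }
    this.decision = decision;
    return { ...decision };
  }

  // Convenience for an "accept all" button.
  acceptAll() {
    const all = {};
    for (const category of Object.keys(CATEGORIES)) all[category] = true;
    return this.recordDecision(all);
  }

  // Withdrawal is a single call (as easy as giving consent) and it also
  // deletes the cookies already set under the earlier consent, so the
  // category is really off rather than merely flagged as off.
  // Returns the number of cookies removed.
  withdraw(category) {
    const spec = CATEGORIES[category];
    if (!spec || !spec.requiresConsent) {
      throw new Error(`cannot withdraw consent for: ${category}`);
    }
    if (this.decision) this.decision[category] = false;
    let removed = 0;
    for (const [name, entry] of this.jar) {
      if (entry.category === category) {
        this.jar.delete(name); // deleting during Map iteration is safe
        removed += 1;
      }
    }
    return removed;
  }

  // Every cookie write goes through here; a tag manager or analytics loader
  // should call this instead of touching document.cookie directly.
  // Returns false (and writes nothing) when the category lacks consent.
  setCookie(name, value, category) {
    if (!this.hasConsent(category)) return false;
    this.jar.set(name, { value, category });
    return true;
  }
}

// The pattern Example 16 of the guidelines rules out: treating a scroll or
// swipe as acceptance. Shown for contrast only; never wire this to a scroll
// listener. A compliant page has no scroll handler that touches consent at all.
function scrollImpliesConsentLegacy(manager) {
  return manager.acceptAll();
}
```

Note that `hasConsent` treats "no decision yet" exactly like "refused", which is what the EDPB's own banner ("a default 'no consent' option applies") does, and that `withdraw` does the cleanup work the user cannot reasonably do by hand. If you persist `decision` (for example in a first-party cookie so the banner does not reappear on every page), that storage cookie is itself a "necessary" one.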

Other websites offer a more detailed set of controls via a "privacy dashboard."

Here's an example from The Guardian. At the bottom of each page on The Guardian's website, there's a "Privacy settings" link:

The Guardian website footer with links: Privacy settings link highlighted

Click the link and you're taken to a privacy dashboard where you can accept or reject various types of cookies:

The Guardian: Your Privacy Options - Manage data and privacy settings screen

This is a great way to give users a detailed level of control over their privacy.

Summary

The EDPB's new guidelines leave very little room for interpretation. Merely scrolling down a page or using a website cannot be considered consent.

To comply with the GDPR as the EDPB interprets it:

  • Provide a cookie consent solution for any cookies that require consent under the ePrivacy Directive
  • Ensure your cookie consent solution complies with each of the GDPR's elements of consent
  • Provide an easy way for your users to withdraw consent
