The EU General Data Protection Regulation (GDPR) has been in force for over two years, and there's still some disagreement about how it should be interpreted.
One of the more contentious parts of the GDPR is how it handles consent. Although the GDPR requires a "clear affirmative action" to indicate consent, many websites are still relying on cookie consent solutions that infer consent from ambiguous user actions.
The European Data Protection Board (EDPB) has put out some new guidance making it clear that merely scrolling down a webpage without clicking an "I accept" button or some similar mechanism is not an indication of consent.
In this article, we'll be looking at why the EDPB made this decision and considering what it means for your business.
- 1. The EDPB's New Guidelines
- 2. Summary of EU Cookie Rules
- 2.1. ePrivacy Directive: Requires Cookie Consent
- 2.1.1. Cookies Not Requiring Consent
- 2.1.2. Cookies Requiring Consent
- 2.2. GDPR: Defining Consent
- 3. How to Meet the EDPB's Requirements
- 3.1. Ensure Users Take a Clear, Affirmative Action
- 3.2. Provide a Method to Withdraw From Cookies
- 4. Summary
The EDPB's New Guidelines
In May 2020, the EDPB made some revisions to its "Guidelines 05/2020 on Consent Under Regulation 2016/679." This document is an interpretation of the GDPR's rules on consent.
The EDPB consists of representatives from each of the EU's Data Protection Authorities, plus the European Data Protection Supervisor, so its interpretation of EU data protection law is highly authoritative.
The change is relatively small but highly significant. Here's the relevant part of the guidelines:
The example states that "scrolling or swiping through a webpage or similar user activity" cannot be deemed an indication of a user's consent under the GDPR.
The EDPB's guidelines also contain a new provision on the use of so-called "cookie walls."
To understand why scrolling is not an acceptable means of obtaining consent, you need to understand a few basic tenets of EU privacy law.
Summary of EU Cookie Rules
We're going to start by giving an overview of the EU's two main privacy laws: the ePrivacy Directive and the General Data Protection Regulation (GDPR).
ePrivacy Directive: Requires Cookie Consent
The ePrivacy Directive was passed in 2002 and has been implemented into the national law of each EU country. For example, the UK (which is still currently subject to EU privacy law, post-Brexit) has the Privacy and Electronic Communications Regulations (PECR).
The ePrivacy Directive makes it unlawful to set certain cookies on a user's device without first obtaining their consent.
Here's the relevant section of the Directive, Article 25:
As you can see, the law states that "users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment." "Terminal equipment" means a computer or other device.
The second underlined passage states that the "methods for... offering a right to refuse or requesting consent should be made as user-friendly as possible." This is relevant to the EDPB's new guidance, as we'll see below.
Cookies Not Requiring Consent
The ePrivacy Directive doesn't require consent for all cookies.
According to Article 3 of the ePrivacy Directive, there are two types of cookies that don't require consent:
We'll call these "type A" and "type B" cookies:
- Cookies used "for the sole purpose of carrying out the transmission of a communication over an electronic communications network"
- Cookies that are "strictly necessary in order to provide an information society service explicitly requested by the subscriber or user to provide the service"
According to an opinion of the Article 29 Working Party (the EDPB's predecessor), type "A" cookies can include load-balancing session cookies.
Type "B" cookies can fit any of the following descriptions:
- ID cookies to remember web-form data and shopping cart contents
- Authentication cookies
- Certain short-lived security cookies
- Media player (e.g. to remember a position in embedded videos)
- User-interface customization cookies
- Social media cookies (note that these cookies must only interact with users that are logged into a social network to enable them to share/"like" content).
These cookies can be processed on the lawful basis of "legitimate interests" rather than consent.
Cookies Requiring Consent
Cookies used for any purposes other than those identified above require consent.
This includes cookies used for analytics (both first- and third-party analytics) and advertising.
These cookies are ubiquitous across virtually all websites, but many (if not most) websites fail to request consent in a legally-compliant way.
GDPR: Defining Consent
The GDPR defines "consent," meaning that it requires businesses to obtain consent in a specific way.
So, where the ePrivacy Directive requires that businesses earn consent for certain activities (such as setting cookies), the GDPR dictates how businesses must go about obtaining that consent.
The GDPR's model of consent is perhaps the strictest of any privacy law in the world.
Here's how "consent" is defined at Article 4 of the GDPR:
So, consent consists of the following characteristics: it is freely given, specific, informed, unambiguous, and given via a clear, affirmative action.
Crucially, a further characteristic appears in Article 7(3) of the GDPR:
Consent must be as easy to withdraw as it is to give.
For example, where an individual consents to personalized advertising by toggling a setting "on" in an app, they must be able to easily toggle this setting "off" in order to withdraw consent.
How to Meet the EDPB's Requirements
It's easy to see why the EDPB argues that scrolling through a webpage cannot be considered an expression of an individual's consent.
Consent can only be indicated by an "unambiguous," "clear, affirmative action."
This might include ticking a box, saying "yes," signing a form, etc. It cannot reasonably involve scrolling through a webpage, as it is not possible to be certain that the user is consenting by doing this.
This part of the EDPB's new guidelines does not actually make reference to cookies. However, it has clear implications for cookie consent.
Businesses covered by the GDPR need to implement a cookie consent solution that complies with the EDPB's interpretation of the GDPR's requirements.
Ensure Users Take a Clear, Affirmative Action
You cannot assume that a user consents to cookies merely because they have interacted with your website. The EDPB's guidance confirms that this extremely common method of "obtaining consent" for cookies is incompatible with the GDPR.
A better example of how to request consent in a GDPR-compliant way comes from the website of the EDPB itself:
Note that the EDPB clearly states that "a default 'no consent' option applies" unless the user clicks "accept." The user must click "accept" in order to give consent. This is a clear indication that the user actually does accept (or consent to) cookies.
Unless and until a user consents to cookies, you must not enable cookies on their device.
Provide a Method to Withdraw From Cookies
Your users also need an easy means by which to withdraw consent.
The GDPR states that "it shall be as easy to withdraw as to give consent." In reality, users normally have to take one additional step to withdraw consent to cookies.
This is because accepting cookies usually dismisses a cookie banner. Therefore, a user will normally have to navigate to a separate page in order to withdraw consent once they have given it.
However, you can still make it easy for your users to withdraw consent. For example, you can integrate a cookie consent solution into your Privacy Policy or Cookies Policy.
Here's how the EDPB does this:
Informing your users about how to withdraw consent is a mandatory part of your Privacy Policy. So it makes sense to provide this functionality within the policy itself.
Other websites offer a more detailed set of controls via a "privacy dashboard."
Here's an example from The Guardian. At the bottom of each page on The Guardian's website, there's a "Privacy settings" link:
Click the link and you're taken to a privacy dashboard where you can accept or reject various types of cookies:
This is a great way to give users a detailed level of control over their privacy.
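A minimal consent gate that follows the two requirements above (a clear affirmative action before any non-essential script loads, and withdrawal that is as easy as giving consent), written as an added example that is not taken from the article or from any consent vendor. The script URL, cookie names and the in-memory cookie jar standing in for document.cookie are constructed placeholders.

```javascript
// Added example (not the article's code). Default is "no consent": the
// analytics script loads only after an explicit "Accept" click, scrolling is
// deliberately ignored, and withdrawal is a single click that also removes
// the cookies the analytics script set. Assumptions: one non-essential
// category ("analytics"), a hypothetical loadScript(url) callback supplied by
// the page, and a cookie jar with get/set/remove/names().

const CONSENT_COOKIE = "cookie_consent";                      // first-party, strictly necessary
const ANALYTICS_URL = "https://analytics.example/tracker.js"; // placeholder URL
const ANALYTICS_COOKIE_PREFIX = "analytics_";                 // constructed prefix

function createConsentGate({ loadScript, jar }) {
  const loaded = [];
  // Restore a previous choice; no stored choice means no consent (EDPB default).
  let state = { analytics: false };
  const saved = jar.get(CONSENT_COOKIE);
  if (saved) state = { ...state, ...JSON.parse(saved) };

  function apply() {
    jar.set(CONSENT_COOKIE, JSON.stringify(state));
    if (state.analytics && !loaded.includes(ANALYTICS_URL)) {
      loaded.push(ANALYTICS_URL);
      loadScript(ANALYTICS_URL); // only reached after an affirmative action
    }
  }
  apply();

  return {
    acceptClicked() { state.analytics = true; apply(); },
    // Scrolling or swiping is a no-op: Guidelines 05/2020 say it is not consent.
    scrolled() {},
    // Withdrawal: flip the flag, delete analytics cookies, persist "no consent"
    // so the script is not loaded on the next page view.
    withdrawClicked() {
      state.analytics = false;
      for (const n of jar.names()) if (n.startsWith(ANALYTICS_COOKIE_PREFIX)) jar.remove(n);
      apply();
    },
    getState: () => ({ ...state }),
    loadedScripts: () => [...loaded],
  };
}

// In-memory cookie jar so the example runs offline without a browser.
function memoryJar(initial = {}) {
  const c = { ...initial };
  return {
    get: (n) => c[n],
    set: (n, v) => { c[n] = v; },
    remove: (n) => { delete c[n]; },
    names: () => Object.keys(c),
  };
}
```

An already-loaded script cannot be unloaded on the same page, so withdrawal is honoured immediately for cookies and on the next page load for the script itself.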
Summary
The EDPB's new guidelines leave very little room for interpretation. Merely scrolling down a page or using a website cannot be considered consent.
To comply with the EDPB's rules:
- Provide a cookie consent solution for any cookies that require consent under the ePrivacy Directive
- Ensure your cookie consent solution complies with each of the GDPR's elements of consent
- Provide an easy way for your users to withdraw consent