The European Data Protection Board (EDPB) has published updated Guidelines 05/2020 on Consent under the GDPR, replacing the previous Article 29 Working Party Consent Guidelines published in April 2018. The purpose of the updated guidelines is to provide clarity on: (i) data subject consent in relation to cookie walls (which are not allowed), and (ii) scrolling or swiping through a webpage or similar actions (which does not constitute valid consent). The paragraphs (38-41 and 86) concerning these two issues have been revised and updated, while the rest of the document has been left unchanged, except for editorial changes.
The EDPB clarifies that a service provider cannot prevent data subjects from accessing a service on the basis that they do not consent to the use of their data for additional purposes. In order for consent to be “freely given”, as required by the GDPR, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment (i.e. device) of a user (so-called cookie walls).
The EDPB provide the example of a website provider who puts in place a script that will block content from being visible, except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice to accept or reject cookies, its consent is invalid, as it has not been freely given.
Unambiguous indication of wishes
The EDPB also confirms that scrolling or swiping through a webpage, or similar user activity, does not constitute clear affirmative action that meets the conditions for valid consent under the GDPR. Such actions may be difficult to distinguish from other activity or interaction by a user and therefore determining that an unambiguous consent has been obtained will not be possible. In the EDPB’s view, this practice also does not allow for easy consent withdrawal, and would therefore not be in compliance with the GDPR.