Europe: EDPB updates its guidelines on concept of “Consent”

By Anne-Gabrielle Haie

On 4 May, the European Data Protection Board (“EDPB”) adopted an updated version of its guidelines on consent (Guidelines 05/2020 on consent under Regulation 2016/679). Apart from some minor editorial changes, these revised guidelines clarified some important points related to the conditionality of consent and the unambiguous indication of wishes.

  1. The EDPB stated that “consent cannot be considered as freely given if a controller argues that a choice exists between its service that includes consenting to the use of personal data for additional purposes on the one hand, and an equivalent service offered by a different controller on the other hand.”. It further emphasized that “a service provider cannot prevent data subjects from accessing a service on the basis that they do not consent.”. This means that access to a service cannot be conditional to the user’s consent of the processing of his/her personal data.
  2. It further stated that “access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user”. The EDPB then presented the example of “cookie walls” that prevent users from accessing a website unless they consent to the use of cookies. According to the EDPB, such cookie walls are not compliant with the GDPR given that they do not provide a genuine choice.
  3. The EDPB stated that “actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action”. In other words, cookie banners stating that further browsing will be considered as acceptance of the use of cookies are not compliant with the GDPR, provided that they do not satisfy the requirement of unambiguous indication of wishes.

The EDPB’s position further complements the Court of Justice of the European Union’s analysis in the Planet 49 case (for more information, please read our analysis here). This position will certainly have an important impact on the negotiations of the draft ePrivacy regulation provided that it contradicts the Council’s position on cookie walls (see Council’s document: 6543/20).

These clarifications should be read in conjunction with the warning given by several Data Protection Authorities (See for example Ireland; Belgium; France; and UK) that enforcement actions will soon be launched. We therefore strongly advise companies to review their consent mechanisms in order to ensure that are aligned with these principles.

What does it mean for business?

Businesses must make sure that:

  • Access to their service is not conditional to the user’s consent for the processing of his/her personal data;
  • Users are provided with a genuine choice to accept or to decline the use of cookies
  • Users are not prevented from accessing the website if they decline the use of cookies;
  • Cookies are not installed until the users have genuinely provided their consent by accepting the use of cookies.

Please contact Anne-Gabrielle Haie, or your usual DLA Piper contact if you would like further assistance.