New EDSA guidelines on cookie acceptance on websites

On May 5, 2020, the European Data Protection Board (EDPB) published guidelines on how to deal with consent under the GDPR. The EDPB’s approach is largely based on an earlier working paper of the Article 29 Working Party. Dr. Oliver Hornung and Dr. Elisabeth von Finckenstein inform.

The preface to the guidelines points out that this update is intended to provide legal clarifications, specifically regarding two questions:

• The validity of consent given by the data subject when interacting with so-called “cookie walls”;
• The presumed consent given by scrolling on a webpage.

The updates to the previous working paper of the Article 29 Data Protection Working Party mainly concern the amendments to the guidelines in paragraphs 38 to 41 on the generic term of “conditionality” and paragraph 86 on the issue of “unambiguous indication of wishes.”

Conditionality

   
The EDPB pays particular attention to the assessment of whether consent is freely given, while following a very restrictive understanding of this concept. Any inappropriate influence upon data subjects which prevents them from exercising their free will, renders the consent invalid. Apps, for example, may not make their use conditional on consent to the collection and use of personal data not necessary for the provision of the app’s services.

Cookie walls

   
The EDPB also addresses “cookie walls,” a procedure that requires users of an online offering to accept cookies to access services and functionalities. Cookies are used for the processing of personal data, such as the IP address. Not every placing of cookies requires consent (e.g., technically necessary cookies), but where the purpose of the processing is tracking/retargeting, consent must be obtained in advance, according to opinions expressed by data protection authorities in the past. The Bavarian State Office for Data Protection Supervision takes this view even with respect to the use of Google Analytics.

The EDPB states that access to a web service must not be made conditional on the consent of a user to accept cookies. If consent is given in this situation, it is presumed to be not freely given, as also already stipulated in GDPR recital 43.

No implied consent by scrolling

   
In the view of the EDPD, the presumed consent by merely swiping through a webpage or scrolling does not, under any circumstances, satisfy the requirement of a clear and affirmative action. This follows from GDPR recital 32, according to which consent should be given by a clear affirmative act.

Federal Commissioner for Data Protection and Freedom of Information welcomes the EDPB guidelines

   
As a member of the EDPB, the Federal Commissioner for Data Protection and Freedom of Information Prof. Ulrich Kelber supports the new guidelines:

”There are still websites that impose tracking on users by way of their design. The updated guidelines make it clear yet again that consent cannot be forced. Most cookie walls and the presumption that swiping on a webpage or similar activity means consent, contradict the aspect of freely given consent and violate the General Data Protection Regulation. I would like for data controllers to draw the right conclusions and finally offer data protection-friendly alternatives".

Tip for use in practice

   
The current EDPB guidelines are a summary and clarification of GDPR interpretation by data protection supervisors and do not represent a paradigm shift. Rather, they set out the self-evident principles that website operators need to comply with.

The current EDPB guidelines again provide clarity on the design of cookie banners and clearly show that it is not permitted under data protection law to circumvent GDPR requirements. The issues addressed in the current guidelines, “cookie walls” and “conditionality,” i.e., consent presumed by use of/scrolling on a webpage, are two frequently encountered designs where website operators obtain the user’s implied consent to legitimize the tracking of website users under data protection law.

In the near future, the question will arise whether the current EDPB guidelines lead to significantly more legally compliant consent when accessing websites. A number of cookie banners with consent solutions continue to be inadmissible under data protection law and do not comply with the requirements of the European and German data protection supervisory authorities. This may also be due to the fact that, until 2019, the supervisory and monitoring activities of those authorities have focused on advising and supporting companies. This will come to an end, however, in 2020. The State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate presented his concept for effective enforcement of data protection and the 2020 action plan on May 5, 2020. An increased number of random checks and website assessments are on the State Commissioner’s agenda.

It is to be expected that further state data protection supervisory authorities will also present their 2020 action plans shortly. We will present the concept for effective enforcement of data protection in Rhineland-Palatinate and its 2020 action plan in a separate article.