The General Data Protection Regulation (GDPR) is a data protection and privacy regulation introduced by the European Parliament to implement data privacy laws in the European Union (EU) and European Economic Area (EEA).
It states various principles and requirements applicable to an entity, regardless of its location, that processes the personal data of people located in the EEA.
Please read our guide to GDPR to know more about the Regulation.
The European Data Protection Board (EDPB) is an independent European body established by the GDPR. It oversees the application of the GDPR throughout the EU and the EEA.
This post discusses EDPB guidelines on consent under Regulation 2016/679 (GDPR) and its relation to cookies and cookie compliance.
EDPB guidelines on consent under GDPR
On 10 April 2018, the Article 29 Working Party (now replaced by the EDPB) issued its guidelines on consent under GDPR. It discussed various elements and conditions of consent for GDPR compliance.
On 4 May 2020, the EDPB revised the document and provided further clarifications regarding:
- The use of cookie walls
- The scrolling and swiping through a webpage
Art. 4 of the GDPR gives four elements of valid consent.
- Freely given
And additional conditions for valid consent, such as
- Demonstrate consent
- Withdrawal of consent
The data subjects should not feel compelled to give consent to process their personal data.
It includes not being able to give consent because of non-negotiable terms and conditions. Any consent that prevents users from exercising their free will is invalid. For example, cookies walls (we will get into that later) ‘force’ users to accept cookies to access website content. It offers no free choice; hence it is not valid.
There are cases when the website asks for a single consent for cookies that has multiple purposes. The users may not want to agree to all of them but are forced to consent since it is bundled. It is also a violation.
You can also not force users to consent with the threat of negative consequences of them not agreeing.
Valid consent is specific.
It means there must be a specific reason(s) for asking for cookie consent. GDPR stresses upon making specific cookie consent granular. That means if the cookie has more than one purpose, users must have a choice for each of them.
Also, the information about the cookie consent must be clearly distinguishable from information about other matters.
GDPR states that consent must be informed. That is, you must provide users the necessary information about cookies before obtaining their consent. It will help them to make an informed choice.
Users should be aware of information such as what they are consenting to, the specific reason for using cookies, and how they can revoke their consent before giving their consent.
Unambiguous indication of wishes
Valid consent must be unambiguous. There must be a clear or affirmative action that indicates that the users have given their consent for the service.
The website can only load cookies if the user has actively opted in for it.
Art. 7(1) of the GDPR states that you must be able to prove that you have received valid consent.
Obtaining consent for using cookies is not enough. You must record all of the user consents. It would help to show proof of your transparency and compliance.
GDPR stresses that it is a data controller’s (website owner) obligation to show proof. You are free to use any method to log consents.
Withdrawal of consent
Art. 7(3) of the GDPR says that withdrawal of consent must be made as easy as giving it.
If a website has an easy method of asking for consent from users, it must also make it easy for them to withdraw it at any time.
For e.g., there should be a visible link, or the cookie consent banner should be easily accessible at any time to withdraw the consent. The idea is to make the process of withdrawal as easy and simple as possible, preferably in one step.
The processing of personal data (obtained via cookies) remains lawful before the withdrawal. However, once the users withdraw their consent, the website must stop using cookies immediately.
Revisions to the EDPB guidelines
Let us look at the two modifications in the guidelines in detail.
Consent via cookie walls is not valid.
A cookie wall is a popup about cookies on a website that restricts access to the website unless they accept the cookies.
It is also known as tracking walls since the cookies can track the user’s online activities for analytics and advertising purposes.
The users cannot “break the wall” unless they agree to the use of all cookies. The content of the website remains unavailable if they do not accept it. The only content they can see is the popup and information about the cookies.
The use of cookie wall has attracted negative attention from Internet users and data protection regulators since it forces users to give their consent. EDPB has clarified that consent obtained from using cookie walls is invalid. It violates the “freely given” condition for valid consent.
EDPB states that “In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls)”
A website cannot restrict full access to its content to obtain the users’ consent to store cookies on their device. Such consent obtained via a cookie wall is invalid under GDPR since it does not give users a genuine choice.
Scrolling or swiping does not constitute consent.
The second revision to the guideline further clarifies the unambiguous nature of valid consent with an example.
“actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action: such actions may be difficult to distinguish from other activity or interaction by a user and therefore determining that an unambiguous consent has been obtained will also not be possible. Furthermore, in such a case, it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it.”
It usually happens when users do not respond to the cookie consent banners on a website and keep browsing the page. Such “implied consent” is not valid under GDPR. It is against the unambiguous condition for valid consent.
It also violates the additional condition for consent: withdrawal of consent. The GDPR states that withdrawal of consent should be as easy as giving it. In this case, the users cannot withdraw their consent by a simple scroll or swipe, or any method since the users did not directly consent in the first place.
What does it mean for cookie compliance?
The main takeaway from the EDPB guidelines on consent for cookies is how to obtain valid consent.
To get valid consent and ensure cookie compliance, you need to take care of the following:
- Do not force users to give consent on any condition. No more cookie walls!
- Make necessary information about cookies available before obtaining consent.
- Do not bundle consent. Each consent request should be associated with a specific reason.
- Log all cookie consents you receive.
- Make withdrawing cookie consent as easy as granting it.
CookieYes for GDPR cookie compliance
CookieYes is a SaaS application that will help your website to comply with the GDPR for cookie usage. It comes with a host of features such as:
- Fully customizable cookie banner to match the look and feel of your website.
- Supports major Content Management Systems, like WordPress, Magento, Drupal, Shopify, and ImagePress.
- Automatically blocks third-party cookie scripts from Google Analytics, Facebook Pixel, Hotjar, and YouTube, prior to user consent.
- Selective enabling or disabling of different types of cookies.
- Manually add cookies scripts under different cookie categories.
- Creates a log of user consents and their preferences.
- Automatically scans for cookies on your website and add them to the cookie list.
- Supports multilingual websites with 13 widely spoken languages in the world.
Over 900,000 websites have trusted CookieYes with their GDPR compliance for cookies.