EDPB Guidelines on Cookie Compliance

Last updated on July 27, 2021 | Published on December 1, 2020

The European Data Protection Board (EDPB), the independent body established by the GDPR, publishes guidelines for cookie compliance and other GDPR provisions. It oversees the application of the GDPR throughout the EU and the EEA.

This post discusses GDPR’s cookie compliance requirements and the latest EDPB guidelines on consent adopted in May 2020.

Article 4 of the GDPR gives four elements of valid consent.

  • Freely given
  • Specific
  • Informed
  • Unambiguous

Article 7 gives additional conditions for valid consent.

  • Proof of consent
  • Withdrawal of consent

Freely given consent

Data subjects should not feel compelled to consent to the processing of their personal data. This includes cases where they cannot give consent freely because of non-negotiable terms and conditions. Any consent that prevents users from exercising their free will is invalid. For example, cookie walls (covered later in this post) ‘force’ users to accept cookies to access website content. They offer no free choice, so the consent is not valid.

Sometimes a website asks for a single consent for cookies that have multiple purposes. Users may not want to agree to all of them but are forced to, since the consent is bundled. This is also a violation. Nor can you force users to consent by threatening negative consequences if they do not agree.

Specific consent

Valid consent is specific. That is, there must be one or more specific reasons for asking for cookie consent. GDPR stresses that cookie consent must be granular: if a cookie has more than one purpose, users must have a choice for each of them. The information about cookie consent must also be clearly distinguishable from information about other matters.

Informed consent

GDPR states that consent must be informed. That is, you must provide users with the necessary information about cookies before obtaining their consent, so that they can make an informed choice. Before giving consent, users should know what they are consenting to, the specific reason for using cookies, and how they can revoke their consent.

Unambiguous consent

Valid consent must be unambiguous. There must be a clear or affirmative action that indicates that the users have given their consent for the service. For GDPR compliance, the users must explicitly give consent to use cookies on their devices.

A website cannot ‘assume’ user consent if they keep browsing the page without taking action (accept or reject cookies). Such activity (or inactivity) does not indicate that the user has agreed to the use of website cookies. The website can only load cookies if the user has actively opted in for it. 

Demonstrate consent

Article 7(1) of the GDPR states that you must be able to prove that you have received valid consent. Obtaining consent for using cookies is not enough. You must record all user consents. Consent records help to show proof of your transparency and cookie compliance. GDPR stresses that it is the data controller’s (the website owner’s) obligation to show proof. You are free to use any method to log consent.

Withdrawal of consent

Article 7(3) of the GDPR says that withdrawal of consent must be made as easy as giving it. If a website has an easy method of asking for consent from users, it must also make it easy for them to withdraw it at any time.

For instance, the cookie consent banner should be easily accessible at any time to withdraw the consent. The idea is to make the process of withdrawal as easy and simple as possible, preferably in one step. Once the users withdraw their consent, the website must stop using cookies immediately. 


EDPB guidelines on cookie compliance

On 10 April 2018, the Article 29 Working Party (now replaced by the EDPB) issued its guidelines on consent under GDPR. It discussed various elements and conditions of consent for GDPR compliance.

On 4 May 2020, the EDPB revised the document and provided further clarifications regarding:

  • The use of cookie walls
  • The scrolling and swiping through a webpage

A cookie wall is a popup about cookies that restricts access to a website unless the user accepts the cookies. Cookie walls are also known as tracking walls, since the cookies can track the user’s online activities for analytics and advertising purposes.

The users cannot “break the wall” unless they agree to the use of all cookies. The content of the website remains unavailable if they do not accept it. The only content they can see is the popup and information about the cookies.

The use of cookie walls attracted negative attention from consumers and data protection regulators since it forces users to give their consent. The EDPB has clarified that consent obtained through cookie walls is invalid. It violates the “freely given” condition for valid consent. The EDPB states:

“In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls)”

A website cannot restrict full access to its content to obtain the users’ consent to store cookies on their device. Such consent obtained via a cookie wall is invalid under GDPR since it does not give users a genuine choice.

Scrolling or swiping does not constitute consent

The guideline further clarifies the nature of valid consent regarding scrolling or browsing a website without consenting or dismissing a cookie notice.

“Actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action”

The guidelines further explain that because continuing to use a website cannot be easily distinguished from other user activity, it cannot be determined that unambiguous consent has been obtained. In the context of cookies, websites sometimes interpret a simple scroll or swipe through a page as consent to use cookies. This usually happens when users do not respond to the cookie consent banner and keep browsing the page. Such “implied consent” is not valid under GDPR. It fails the “unambiguous” condition for valid consent.

It also violates the additional condition for consent: withdrawal of consent. The GDPR states that withdrawal of consent should be as easy as giving it. In this case, users cannot withdraw their consent by a simple scroll or swipe, or by any other method, since they did not directly consent in the first place.

What does it mean for cookie compliance?

The main takeaway from the EDPB guidelines on consent for cookies is how to obtain valid consent. 

To get valid consent and ensure cookie compliance, you need to take care of the following:

  • Do not force users to give consent on any condition. No more cookie walls!
  • Make necessary information about cookies available before obtaining consent.
  • Do not bundle consent. The cookie consent notice should have the option to give granular consent for cookie categories.
  • Provide users with an active opt-in option for cookies and only deploy cookies if they opt for it.
  • Swiping or scrolling through a web page does not constitute cookie consent.
  • Record all cookie consents you receive for proof of cookie compliance.
  • Make withdrawing cookie consent as easy as granting it.

CookieYes for GDPR cookie compliance

Cookie compliance may not look like an easy task. However, there are many solutions that will assist you in achieving it. One such cookie consent solution is CookieYes, with over 1 Million websites using it for GDPR cookie compliance.


CookieYes is a SaaS application that helps your website comply with GDPR cookie requirements. It comes with a host of features such as:

  • Fully customizable cookie banner to match the look and feel of your website.
  • Supports all major Content Management Systems, like WordPress, Wix, Squarespace, Magento, Drupal, Shopify, and so on.
  • Automatically blocks 93+ third-party cookie scripts from Google Analytics, Facebook Pixel, Hotjar, and YouTube, prior to user consent. 
  • Selective enabling or disabling of different types of cookies.
  • Creates a consent log of user consents and their cookie preferences.
  • Automatically scans for cookies on your website and adds them to the cookie list.
  • Supports multilingual websites with 30+ of the world’s widely spoken languages.
