On the 4th of May 2020, the European Data Protection Board (“EDPB”) adopted the updated Guidelines 05/2020 on consent under Regulation 2016/679 (“GDPR”) in respect of valid consent. This updated guidance covers the use of cookie walls and design considerations when building consent mechanisms.
Consent as a concept is widely understood, and perhaps the most commonly known lawful basis under GDPR. Despite this, its legitimate application is often widely misinterpreted and therefore valid consent is often not attained. In this article, we will cover the key takeaways in relation to these new amendments to consent guidelines.
Updated Guidance
Over the last decade, the Article 29 Working Party and EDPB guidance on consent have continued to focus on the core concepts of valid consent, specifying that consent must be:
- Freely given;
- Specific;
- Informed; and
- Unambiguous.
This updated EDPB guidance focuses on two areas to provide further clarifications in respect of cookie walls and user actions such as scrolling or swiping.
Cookie walls
Consent is not valid where content cannot be accessed without clicking “Accept Cookies” and the individual has not first been given the ability to affirm their consent to individual cookie processing purposes. Since the data subject is not presented with a genuine choice, consent is not freely given.
In some cases, it has become a common practice to refuse or limit service due to the refusal or revocation of consent; this is categorically not permissible. Offering a genuine choice is necessary to obtain valid consent in a manner that is fair and user friendly.
When using consent as a lawful basis, ensure that the mechanisms or procedures for providing consent are not designed in a way that promotes or dissuades the data subject’s choice. Examples of this may include where colour choices are used to promote or hide options, or where denying consent requires additional steps such as unselecting multiple consents or updating settings on a separate consent page.
Swiping
Based on Recital 32, GDPR – “Conditions for Consent”, actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action. Furthermore, in such a case, it will be difficult to provide a way for the user to withdraw consent in a manner as easy as it was granted.
Under Article 7 (3) of the GDPR, consent must be as easy to withdraw as it is to provide. The provision of consent should not be designed in such a way that consent can be given unintentionally. As raised in the recent DPC Cookie Sweep Report, which we reported on last month, even where traditional cookie banners are in place, many still do not have any means to revoke this consent once given. This guidance is very clear and must be taken into consideration when developing applications and functionality for mobile websites but may equally be considered by all controllers when evaluating their proposed mechanisms for revoking consent.
Based upon the challenges and complexities we have observed in various industries, the key takeaways from this updated guidance can be summarised as:
- Consent is not valid where the only choice offered is affirmative consent;
- Services cannot be restricted because of denial or withdrawal of consent;
- Actions which may be difficult to distinguish by the user, such as scrolling or swiping, cannot be used to provide consent; and
- Consent must be as easy to withdraw as it is to provide.
When reviewing your processes in light of this updated guidance or reviewing consent in reference to its validity under the guidance, consider the following:
- Does this consent mechanism meet all the conditions of valid consent?
- Are we marketing? And if not, is consent the most appropriate legal basis to use?
- Can the individual say no without facing any loss of service or possible repercussions?
- How will the record of consent be maintained and verified?
- Is the consent process systematically or visually designed to influence the data subject’s choice?
In conclusion, meeting the conditions of consent and facilitating a means to withdraw consent requires a certain level of overhead to maintain. Where it is necessary for personal data to be processed, and a lawful basis other than consent can be relied upon, do not opt for consent where it is not appropriate or practical. However, for engaging with non-essential cookies for marketing purposes, valid consent must always be sought. In addition to meeting the basic conditions of valid consent, website owners and developers must consider that refusal of service or creative design to influence consent cannot be used as a workaround.
If you require additional support in developing and maintaining valid consent, please feel free to contact our Data Governance and Cyber-Risk team.