Consent is one of the six lawful bases for processing personal information in the GDPR and in its updated guidelines adopted last week, the European Data Protection Board (EDPB) has made it clear that cookie walls and scrolling are not legitimate means of obtaining consent that passes muster.
The EDPB’s rationale is straightforward.
In the case of cookie walls, the EDPB stated, “In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls)”.
It offers an example:
“A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice, its consent is not freely given.
“This does not constitute valid consent, as the provision of the service relies on the data subject clicking the “Accept cookies” button. It is not presented with a genuine choice.”
The EDPB’s updated guidelines on scrolling are even more firm than those related to cookie-walls:
“…actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action: such actions may be difficult to distinguish from other activity or interaction by a user and therefore determining that an unambiguous consent has been obtained will also not be possible. Furthermore, in such a case, it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it.”
What this means for companies
The EDPB’s position on scrolling is clear-cut and companies using this approach to obtain consent are now on notice that they need to change. But the updated guidance on cookie walls arguably doesn’t go far enough. That’s because many if not most companies are not using all-or-nothing cookie walls that force consumers to consent or go away. Instead, the bigger issue appears to be how consent management platforms (CMPs) are obtaining consent for cookies.
Under the existing guidelines, consent is not considered to be freely given if consumers are not provided the ability to give separate consent for different kinds of data processing where appropriate. For instance, a company would arguably be required to obtain separate consent for non-essential, marketing-related data processing.
But the most widely-used CMPs employ dark patterns that make it difficult and/or time-consuming for consumers to provide separate consent. In fact, a study of the top five CMPs used on Alexa’s 10,000 websites in the UK found that just 11.8% of them were compliant with the GDRP. The researchers behind the study stated that “dark patterns and implied consent are ubiquitous”.
From this perspective, while the EDPB’s updated guidance is helpful, it just scratches the surface and does not address the more complicated aspects of continued widespread GDPR non-compliance. And it does not address the reality that unless and until GDPR enforcement actions target more complicated apparent violations, companies and the vendors they use for compliance have little incentive to change.
Of course, with third-party cookies on their way out, forward-looking companies should weigh the risks of non-compliance against the benefits of proactively rethinking their overall cookie usage strategies.