EDPB Tears Down Cookie Walls – Implementation of Cookies in Europe Becomes Even More Challenging

On May 4, the European Data Protection Board (“EDPB”), an independent body which ensures that the General Data Protection Regulation (“GDPR”) is consistently applied within the EU, updated its guidelines on consent under the GDPR, clarifying its requirements regarding the GDPR-compliant use of cookies on a website.

In one of our earlier articles, we explained in detail that according to an October 2019 judgement of the Court of Justice of the European Union (“CJEU”), the use of cookies, which are not absolutely necessary for the operation of a website, always requires the prior consent of the users.

In light of this judgement, many companies felt the need to restructure the use of cookies on their website, e.g., with new cookie banners, in order to comply with the GDPR requirements. Due to the updated guidance, there is now again a need for action.

Cookie Walls

As an initial matter, the EDPB makes clear that so-called cookie walls are not permitted.

Cookie walls, sometimes called tracking walls, are scripts put into place by a website service provider that block content from being visible except for the request to accept cookies and a description of what data the cookies will collect and process. Without clicking on an “I accept cookies” button, there is no possibility to access the content. These walls are often used by website operators so that they do not necessarily have to provide their content without any kind of consideration (revenue through advertising and tracking).

The EDPB takes the view that clicking on the “accept cookies” button does not constitute effective consent. According to the EDPB, the user is forced to accept tracking by the website operator if he wishes to use the services offered such that the user is not presented with a genuine choice.

For companies, the question now arises whether this prohibition applies in full or whether cookie walls are allowed in certain cases. Even before the publication of the EDPB’s opinion, the Information Commissioner’s Office in the United Kingdom (“ICO”) was of the opinion that cookie walls would not be allowed in most cases. However, the ICO makes it clear that the rights under the GDPR are not absolute but have to be weighed against the business interests of the website operators in each individual case.

The EDPB takes up this principle by stating that consent is still voluntary if the provider of the service offers an equivalent alternative service that does not depend on consent to data processing for further purposes, e.g., tracking. However, it is mandatory that the provider of the service is the same.

In other words, cookie walls are exceptionally permissible if the same provider offers a comparable service without tracking, for example, as a paid service. This could be, for example, a newspaper where the content is alternatively available for a fee.

For companies that also offer their services for payment, this is a sensible solution because without revenue generated by advertising or tracking cookies, they would have to offer their services, which they otherwise offer for payment, free of charge. However, this prohibition poses challenges for providers without such a second distribution channel.

There is thus a well-founded hope that the supervisory authorities will not consider cookie walls to be unacceptable in every case. However, companies are wise to now evaluate whether such an exception could possibly apply to them and weigh up the risks involved.

And while the opinions of the EDPB are not binding, they have a major influence on the interpretation of the GDPR, and national supervisory authorities either already took that view (ICO or the Dutch Autoriteit Persoonsgegevens) or chose to support this position of the EDPB (Federal Commissioner for Data Protection and Freedom of Information, Germany).

Scrolling and Consent

Secondly, the EDPB felt that there was an additional need for clarification regarding the issue of scrolling and consent.

The EDPB is very clear that scrolling on a website cannot be interpreted as consent. The Guidance states that actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action.

The EDPB states that it is impossible to distinguish mere scrolling from other activities or interactions by a user. Thus, the controller cannot demonstrate that an unambiguous consent has been obtained. Additionally, the EDPB highlights difficulties with withdrawing consents obtained by scrolling in a manner that is as easy as granting it.

This clear guidance emphasizes the imminent need to implement a cookie banner that meets the GDPR requirements. Website operators still trying to drop tracking cookies the moment a site visitor scrolls the page are risking regulatory enforcement. As outlined in a previous article, supervisory authorities have already started to fine companies for noncompliant cookie banners.

Takeaways

  • If they have not already done so, companies should implement a cookie banner, as compliance with this requirement seems to be a focus of the data protection authorities. If a cookie banner has already been implemented, it should be ascertained whether this banner still meets the GDPR requirements.
  • In the case that a company has implemented a cookie wall, it should be checked whether the use of this cookie wall is still permissible within the strict boundaries set forth by the EDPB Guidance.