The Guidelines, adopted on 4 May 2020, constitute a slight update to those it endorsed in 2018 as prepared by the Article 29 Working Party (the predecessor to the EDPB), in 2 areas:
- conditionality of consent; and
- unambiguous indications of wishes.
These areas are particularly relevant in relation to online services and obtaining consent under ePrivacy legislation for cookies and other tracking technologies.
Conditionality of consent
In order for consent to be valid under GDPR, it must satisfy the definition given in Article 4, together with the requirements set out in Article 7.
One fundamental feature under Article 4 is that consent is "freely given". Further information is given in the Recitals, that when assessing whether consent meets this standard, "utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract".
Further, consent "is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance".
This requirement can be addressed by ensuring that consent is unbundled and granular. In other words, making sure the provision of something to an individual (e.g. a service) is not dependent on consent given for something else unrelated.
One area that has led to questions is the use of cookies and tracking technologies on websites. Under the ePrivacy Directive, prior consent is required for any non-essential cookies. Whether consent is valid is determined in accordance with GDPR.
In the updated Guidelines, the EDPB explains how to ensure consent is freely given in the context of a "cookie wall" on a website by including a new example:
Example 6a: A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the "Accept cookies" button. Since the data subject is not presented with a genuine choice, its consent is not freely given,
In the guidance around the example, the EDPB firstly confirms the WP29 position that consent cannot be considered as freely given if a controller argues that a choice exists between its service that includes consenting to the use of personal data for additional purposes on the one hand, and an equivalent service offered by a different controller on the other hand. The reason for this is that the freedom of choice is dependent on what other market players do and whether an individual data subject would find the other controller's services genuinely equivalent.
Unambiguous indication of consent
Another fundamental feature of valid consent, under Article 4 is that the consent obtained represents an "unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data". Under Article 7, it must also be as easy to withdraw consent as it is to give consent.
In the updated Guidelines, the EDPB has amended one of the previous examples to clarify what this means, and looks like:
Example 16: Based on recital 32, actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action: such actions may be difficult to distinguish from other activity or interaction by a user and therefore determining that an unambiguous consent has been obtained will also not be possible. Furthermore, in such a case, it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it."
By making amendments to this example, the EDPB is taking the opportunity to stress that providing consent by scrolling or swiping on a webpage result will never constitute valid consent. –Relying on scrolling or swiping means it will not be possible for the controller to ascertain whether the consent was unambiguous, and there is, in the EDPB's view, no way of providing the user with an equally easy way of withdrawing consent.
More information
You can find the EDPB's updated guidance on consent at https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en
If you rely on consent for any processing operations in your organisation and would like further advice on ensuring compliance with GDPR and these Guidelines, or if you would like a review of your consent mechanisms, please get in touch.
Contributor
Associate