News & Insights

Cookies – do you consent?

Ross Brymer considers the revised guidelines adopted by the European Data Protection Board (EDPB) on consent in the context of cookie walls and web pages.

Websites should obtain consent before conducting the processing activity being consented to, but sometimes this can feel like a box ticking exercise.

On 4 May 2020 the EDPB adopted the Guidelines 05/2020 under Regulation 2016/679 (better known as the GDPR). The new guidelines largely mirror the previous ones but there are some updates which help to clarify what is valid consent in the context of websites, particularly “cookie walls”.

The first update (guideline 3.1.2) reminds us that consent must be freely given. The EDPB has provided a new example 6a that confirms if a data controller erects a cookie wall (for example to restrict access to certain content unless the “accept cookies” button is clicked), the data subject is not presented with a genuine choice and consent will not be properly given.

The second update (guideline 3.4) reminds us that consent must be unambiguous. In other words, the data subject must express his wishes through be a clear affirmative act/motion/declaration. A new example 16 has been provided which states that actions such as scrolling or swiping through a website will in no circumstances satisfy this test. These actions are too difficult to distinguish from other website interactions and often contrast very starkly with the more difficult process which has to be followed to withdraw consent.

The positive action should also protect against the risk of “click fatigue” where data subjects receive multiple requests for consent during a short period resulting in the request not being properly read and diminishing the effectiveness of the consent mechanism.

The updates provide greater protection to data subjects, bringing the guidelines in line with recent decisions of the European Court of Justice and ICO guidance that accepting cookies must be a positive, specific action on behalf of the data subject.

They come at a time when internet use is at an all-time high, allowing data subjects to feel more secure when browsing the web. Businesses should review their cookie consents to ensure they remain compliant with the updated EDPB guidance. It might be sensible to review your privacy policy at the same time in case any updates need to be made in light of the guidance or more generally.

If you have any questions about the contents of this article or data protection more generally please do not hesitate to email me at [email protected].