On May 4, 2020, the European Data Protection Board (EDPB) adopted updated guidelines on consent under the General Data Protection Regulation (GDPR), in Guidelines 05/2020. The Guidelines clarify existing guidance issued in 2018 about whether consent would be freely given when consent is required to access a service (including websites) and whether scrolling through a website could be a clear and affirmative act demonstrating unambiguous consent. Guidelines 05/2020 follow a series of opinions and guidance issued by the European Court of Justice and European data protection authorities over the last year on the subject of cookies, consent and other bases for processing personal data under the GDPR. Therefore, companies that rely on consent—including those that relied on the GDPR’s necessary-for-contract basis for online services before the EDPB issued guidelines about that basis in October 2019—when offering a website to EU users or applying cookie consents worldwide should reassess their consent practices and mechanisms. To read Guidelines 05/2020, click here.
Why it matters
Under the GDPR, companies should have at least one of the six bases listed in Article 6 to process personal data. One of those is consent, which GDPR Recital 32 explains is “a clear affirmative act establishing a freely given, specific, informed and unambiguous indication.” As for the ePrivacy Directive, a company or other website operator may only rely on consent before storing information, like cookies, on a user’s computer, smartphone or any other “terminal equipment.”
With regards to the requirement for consent to store information like cookies on users’ computers, last year, member state data protection authorities (such as France’s CNIL and the Netherlands’ Autoriteit Persoonsgegevens) and the European Court of Justice issued opinions and guidelines addressing consent requirements for cookies under the GDPR and the ePrivacy Directive. As read by the EDPB and other European regulators, the ePrivacy Directive requires website operators to receive a website visitor’s consent before storing non-necessary cookies on that visitor’s computer (although what constitutes a non-necessary cookie is subject to interpretation and context). That reading has led in part to website operators’ use of cookie walls (which prevent access to a website unless a user accepts all cookies) and cookie banners (which appear on the side or bottom of websites). Guidelines 05/2020 provide additional clarity to companies about how they should present consent for cookies to visitors from the EU, including around cookie walls and cookie banners.