EDPB’s Updated Guidelines on Consent

Consent Requirements under the GDPR and the e-Privacy Directive:

As per Article 4(11) of the GDPR, consent of a data subject should be freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The same standard of consent also applies to consent under the e-Privacy Directive. The e-Privacy Directive requires organizations to provide “clear and comprehensive information” about the purposes of the processing to users before processing cookies and an opportunity to refuse any such processing. Similarly, the GDPR requires data controllers to provide information to the users consisting of at least the controller’s identity, the kind of data that will be processed, how it will be processed, and the purposes of the processing.

Consent Requirements established by the CJEU in Planet49 case:

On October 1, 2019, the CJEU issued an important decision about consent requirements in relation to the processing of cookies. The case pertained to a German website that organized a promotional lottery online. In order to participate in the promotional lottery, users were required to provide their names and addresses and beneath the input fields for the addresses, there were two explanatory text boxes accompanied with checkboxes. Amongst them, one checkbox was pre-selected for the users and the participation in the promotional lottery was conditional on at least the selection of the first checkbox. While going through the relevant requirements under GDPR, e-Privacy Directive, and EU Regulation 2016/679, the CJEU made the following important conclusions, among others:

• Pre-selected checkboxes are not valid consents as such consents are not specific or free. Pre-selected checkboxes do not indicate any active consent of data subjects and such form of passive behavior by the data subjects is not deemed to constitute valid consent.
• The requirement to provide “clear and comprehensive information” to users before processing of cookies includes providing information pertaining to the duration of the operation of cookies, whether or not third-parties may have access to cookies, and the purposes of the processing of cookies.

EDPB’s updated Guidelines on Consent:

The EDPB’s updated Guidelines reaffirms that consent is one of the six lawful bases to process personal data as listed under Article 6 of the GDPR. These Guidelines complement the CJEU’s decision in the Planet49 case that clarified that cookie consent must be specific and active. In the Guidelines, the EDPB interprets the elements of consent as defined by the GDPR as follows:

• Freely given:
  “Freely given” consent implies real choice and control for data subjects. The EDBP clarifies that access to a service or functionalities cannot be made conditional on a data subject’s consent to the processing of his or her personal information. Through this interpretation, the EDBP has put an end to cookie walls and upheld the idea that access to a service cannot be made conditional on users’ consent to the processing of cookies.

  Moreover, refusal or withdrawal of consent should be made as easy and straightforward as giving consent and without any detriment to the data subject, for it to be considered a freely given consent. The EDPB explains that data controllers should allow similar mechanisms for withdrawal of consent as that of giving consent. This means where consent is obtained through a service-specific user interface, the data subject must be able to withdraw consent via the same electronic interface. For example, if consent is obtained through online ticketing, the data subject must be able to withdraw his or her consent via the same online ticketing process and not via telephone call or some other mechanism.

• Specific:
  “Specific” consent implies “granularity”, i.e. specific and separate consents should be obtained for separate purposes of the processing. This means data controllers are required to provide specific information to data subjects with each separate consent request about the data that are processed for each purpose. As per the Guidelines, the controller must apply the following to ensure that consent is specific.
  1. Purpose specification as a safeguard against function creep: This requirement serves as a protection against blurring of different purposes of processing of data;
  2. Granularity in consent requests: The data controllers must acquire users’ consent for each new purpose of the processing of data; and
  3. Clear separation of information related to obtaining consent for data processing activities from information about other matters: The data controllers must provide separate information to users for separate purposes of processing.

• Informed:
  “Informed” consent implies that data controllers must provide all relevant information to data subjects about the processing of their data in clear, plain, and understandable language. The information to be provided must include at least, the following content, to ensure the transparency requirement of the GDPR.
  • The controller’s identity;
  • The purpose of each of the processing operations for which consent is sought;
  • What (type of) data will be collected and used;
  • The existence of the right to withdraw consent;
  • Information about the use of the data for automated decision-making in accordance with Article 22(2)(c) of the GDPR where relevant;
  • On the possible risks of data transfer due to the absence of an adequacy decision and of appropriate safeguards as described in Article 46 of the GDPR.

Unambiguous indication of data subject’s wishes:

An “unambiguous indication of the data subject’s wishes” implies a clear affirmative action of the data subject. It may refer to any written or recorded (oral) statement, including by electronic means, by which the data subject deliberately consents to process personal data. Such an action by the data subject must be distinguishable from other actions to avoid any form of ambiguity.

The Guidelines emphasize that the use of pre-ticked boxes, scrolling, swiping, silence, inactivity on the part of the data subject, or any other similar action will not under any circumstances constitute an active or unambiguous indication of data subjects’ wishes, and thereby, won’t constitute valid consent.

Takeaways:

The EDPB has offered two substantive clarities in connection with consent requirements pertaining to cookies:

1. Firstly, without any doubt the Guidelines have put an end to cookie walls, i.e. access to a service cannot be made conditional on users’ consent to the processing of cookies;
2. Secondly, scrolling, swiping or any other similar action has been established insufficient to constitute consent for the processing of cookies.

In light of the above, website publishers and other data controllers must review their consent policies and bring those in line with the EDPB’s latest guidelines. In addition to offering clarity on the interpretation of applicable European regulations such as the GDPR and e-Privacy Directive, the EDPB’s approach has demonstrated compliance with the emerging consensus that users should be given choice and control over their personal data.

Read: Why you need to adopt SECURITI.ai’s Consent Management Platform.