Published on September 3, 2020 | Author: Privacy Research Team
On May 4, 2020, the European Data Protection Board (EDPB) released updated guidelines on consent (the Guidelines). The Guidelines follow the requirements for consent laid down in the General Data Protection Regulation (GDPR) and the e-Privacy Directive, and have been updated to be consistent with the landmark decision of the Court of Justice of the European Union (CJEU) in the Planet49 case, which clarified the scope of the consent requirements for the processing of cookies.
As per Article 4(11) of the GDPR, consent of a data subject should be a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The same standard of consent also applies to consent under the e-Privacy Directive. The e-Privacy Directive requires organizations to provide “clear and comprehensive information” about the purposes of the processing to users before processing cookies, together with an opportunity to refuse any such processing. Similarly, the GDPR requires data controllers to provide users with information consisting of at least the controller’s identity, the kind of data that will be processed, how it will be processed, and the purposes of the processing.
On October 1, 2019, the CJEU issued an important decision on the consent requirements for the processing of cookies. The case concerned a German website that organized a promotional lottery online. To participate in the lottery, users were required to provide their names and addresses; beneath the input fields for the address were two explanatory text boxes, each accompanied by a checkbox. One of the checkboxes was pre-selected for the user, and participation in the lottery was conditional on at least the first checkbox being selected. Having reviewed the relevant requirements under the GDPR, the e-Privacy Directive, and EU Regulation 2016/679, the CJEU reached the following important conclusions, among others:
The EDPB’s updated Guidelines reaffirm that consent is one of the six lawful bases for processing personal data listed under Article 6 of the GDPR. The Guidelines complement the CJEU’s decision in the Planet49 case, which clarified that cookie consent must be specific and active. In the Guidelines, the EDPB interprets the elements of consent as defined by the GDPR as follows:
“Freely given” consent implies real choice and control for data subjects. The EDPB clarifies that access to a service or to functionalities cannot be made conditional on a data subject’s consent to the processing of his or her personal data. Through this interpretation, the EDPB has put an end to cookie walls and upheld the principle that access to a service cannot be made conditional on users’ consent to the processing of cookies.
Moreover, for consent to be considered freely given, refusing or withdrawing consent must be as easy and straightforward as giving it, and must carry no detriment to the data subject. The EDPB explains that data controllers should offer a withdrawal mechanism similar to the one used to obtain consent. This means that where consent is obtained through a service-specific user interface, the data subject must be able to withdraw consent via the same electronic interface. For example, if consent is obtained through an online ticketing process, the data subject must be able to withdraw his or her consent via that same online ticketing process, and not only by telephone call or some other mechanism.
“Specific” consent implies “granularity”, i.e. specific and separate consent should be obtained for each separate purpose of processing. This means data controllers are required to provide, with each separate consent request, specific information to data subjects about the data that are processed for each purpose. As per the Guidelines, the controller must apply the following three measures to ensure that consent is specific:
(1) Purpose specification as a safeguard against function creep: this requirement serves as a protection against the blurring of different purposes of processing;
(2) Granularity in consent requests: data controllers must obtain users’ consent for each new purpose of processing; and
(3) Clear separation of information related to obtaining consent for data processing activities from information about other matters: data controllers must provide separate information to users for separate purposes of processing.
“Informed” consent implies that data controllers must provide data subjects with all relevant information about the processing of their data in clear, plain and understandable language. To meet the GDPR’s transparency requirement, the information provided must include at least the following content:
An “unambiguous indication of the data subject’s wishes” implies a clear affirmative action by the data subject. It may take the form of any written or recorded (oral) statement, including by electronic means, by which the data subject deliberately consents to the processing of personal data. Such an action must be distinguishable from the data subject’s other actions so as to avoid any ambiguity.
The Guidelines emphasize that pre-ticked boxes, scrolling, swiping, silence, inactivity on the part of the data subject, or any similar action will not, under any circumstances, constitute an active or unambiguous indication of the data subject’s wishes, and therefore will not constitute valid consent.
The EDPB has offered two substantive clarifications in connection with the consent requirements for cookies:
In light of the above, website publishers and other data controllers must review their consent policies and bring them in line with the EDPB’s latest Guidelines. Beyond offering clarity on the interpretation of applicable European regulations such as the GDPR and the e-Privacy Directive, the EDPB’s approach reflects the emerging consensus that users should be given choice and control over their personal data.