Products
By Use Cases By Roles
Data Command Center
View
Learn more

AI Security & Governance

Discover, assess, and safeguard AI usage

Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle

Learn more

Compliance Management

Automate Compliance with Global AI and Data Frameworks using Common Controls and Tests
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

AI Security & Governance

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

AI Security & Governance

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View

AI Security & Governance

View

Compliance Management

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Databricks

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

EDPB’s Updated Guidelines on Consent

Published September 3, 2020 / Updated January 8, 2024

As per Article 4(11) of the GDPR, consent of a data subject should be freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The same standard of consent also applies to consent under the e-Privacy Directive. The e-Privacy Directive requires organizations to provide “clear and comprehensive information” about the purposes of the processing to users before processing cookies and an opportunity to refuse any such processing. Similarly, the GDPR requires data controllers to provide information to the users consisting of at least the controller’s identity, the kind of data that will be processed, how it will be processed, and the purposes of the processing.

Consent Requirements established by the CJEU in Planet49 case:

On October 1, 2019, the CJEU issued an important decision about consent requirements in relation to the processing of cookies. The case pertained to a German website that organized a promotional lottery online. In order to participate in the promotional lottery, users were required to provide their names and addresses and beneath the input fields for the addresses, there were two explanatory text boxes accompanied with checkboxes. Amongst them, one checkbox was pre-selected for the users and the participation in the promotional lottery was conditional on at least the selection of the first checkbox. While going through the relevant requirements under GDPR, e-Privacy Directive, and EU Regulation 2016/679, the CJEU made the following important conclusions, among others:

Pre-selected checkboxes are not valid consents as such consents are not specific or free. Pre-selected checkboxes do not indicate any active consent of data subjects and such form of passive behavior by the data subjects is not deemed to constitute valid consent.
The requirement to provide “clear and comprehensive information” to users before processing of cookies includes providing information pertaining to the duration of the operation of cookies, whether or not third-parties may have access to cookies, and the purposes of the processing of cookies.

EDPB’s updated Guidelines on Consent:

The EDPB’s updated Guidelines reaffirms that consent is one of the six lawful bases to process personal data as listed under Article 6 of the GDPR. These Guidelines complement the CJEU’s decision in the Planet49 case that clarified that cookie consent must be specific and active. In the Guidelines, the EDPB interprets the elements of consent as defined by the GDPR as follows:

Freely given:
“Freely given” consent implies real choice and control for data subjects. The EDBP clarifies that access to a service or functionalities cannot be made conditional on a data subject’s consent to the processing of his or her personal information. Through this interpretation, the EDBP has put an end to cookie walls and upheld the idea that access to a service cannot be made conditional on users’ consent to the processing of cookies.

Moreover, refusal or withdrawal of consent should be made as easy and straightforward as giving consent and without any detriment to the data subject, for it to be considered a freely given consent. The EDPB explains that data controllers should allow similar mechanisms for withdrawal of consent as that of giving consent. This means where consent is obtained through a service-specific user interface, the data subject must be able to withdraw consent via the same electronic interface. For example, if consent is obtained through online ticketing, the data subject must be able to withdraw his or her consent via the same online ticketing process and not via telephone call or some other mechanism.

Specific:
“Specific” consent implies “granularity”, i.e. specific and separate consents should be obtained for separate purposes of the processing. This means data controllers are required to provide specific information to data subjects with each separate consent request about the data that are processed for each purpose. As per the Guidelines, the controller must apply the following to ensure that consent is specific.
1. Purpose specification as a safeguard against function creep: This requirement serves as a protection against blurring of different purposes of processing of data;
2. Granularity in consent requests: The data controllers must acquire users’ consent for each new purpose of the processing of data; and
3. Clear separation of information related to obtaining consent for data processing activities from information about other matters: The data controllers must provide separate information to users for separate purposes of processing.

Informed:
“Informed” consent implies that data controllers must provide all relevant information to data subjects about the processing of their data in clear, plain, and understandable language. The information to be provided must include at least, the following content, to ensure the transparency requirement of the GDPR.
- The controller’s identity;
- The purpose of each of the processing operations for which consent is sought;
- What (type of) data will be collected and used;
- The existence of the right to withdraw consent;
- Information about the use of the data for automated decision-making in accordance with Article 22(2)(c) of the GDPR where relevant;
- On the possible risks of data transfer due to the absence of an adequacy decision and of appropriate safeguards as described in Article 46 of the GDPR.

Unambiguous indication of data subject’s wishes:

An “unambiguous indication of the data subject’s wishes” implies a clear affirmative action of the data subject. It may refer to any written or recorded (oral) statement, including by electronic means, by which the data subject deliberately consents to process personal data. Such an action by the data subject must be distinguishable from other actions to avoid any form of ambiguity.

The Guidelines emphasize that the use of pre-ticked boxes, scrolling, swiping, silence, inactivity on the part of the data subject, or any other similar action will not under any circumstances constitute an active or unambiguous indication of data subjects’ wishes, and thereby, won’t constitute valid consent.

Takeaways:

The EDPB has offered two substantive clarities in connection with consent requirements pertaining to cookies:

Firstly, without any doubt the Guidelines have put an end to cookie walls, i.e. access to a service cannot be made conditional on users’ consent to the processing of cookies;
Secondly, scrolling, swiping or any other similar action has been established insufficient to constitute consent for the processing of cookies.

In light of the above, website publishers and other data controllers must review their consent policies and bring those in line with the EDPB’s latest guidelines. In addition to offering clarity on the interpretation of applicable European regulations such as the GDPR and e-Privacy Directive, the EDPB’s approach has demonstrated compliance with the emerging consensus that users should be given choice and control over their personal data.

Read: Why you need to adopt securiti.ai’s Consent Management Platform.

Under the General Data Protection Regulation (GDPR), consent for processing personal data must be freely given, specific, informed, and unambiguous. The guidelines include the right to withdraw consent, clear and plain language in consent requests, and a mechanism for individuals to withdraw consent at any time as easily as it was given.

Article 25 of the GDPR focuses on data protection by design and by default. It emphasizes the need for organizations to implement data protection measures from the outset when developing products or services. The European Data Protection Board (EDPB) provides guidelines on how to apply this principle effectively.

The Article 29 Working Party (now replaced by the EDPB) was an advisory body composed of representatives from EU member states' data protection authorities. They provided guidance on various data protection issues, which was particularly relevant before the full application of the GDPR.

The EDPB has issued guidelines on the use of cookie walls. Cookie walls are interfaces that require website visitors to consent to the use of cookies to access a website. The guidelines emphasize that such walls are not compatible with the GDPR's requirement for freely given consent. Users should have the option to access a website without being forced to accept cookies.

Privacy Center
Fully Functional In Minutes

Elegant Consumer Frontend, Fully Automated Backend, Privacy Regulation Intelligent Everywhere.

Take a Tour

First Name

Last Name

Role

Platform Location

Language Preference

Yes, I consent to receive email updates about Securiti.ai products, services, and offers. I understand that I can unsubscribe at any time. By submitting your information, you agree to the terms outlined in our privacy policy.

Note: Your credit card will be charged at the end of the 30 day free trial period and your subscription will be automatically renewed monthly/yearly. You can cancel your subscription at any time

Consent Requirements established by the CJEU in Planet49 case:

EDPB’s updated Guidelines on Consent:

Unambiguous indication of data subject’s wishes:

Takeaways:

Frequently Asked Questions

Privacy Center
Fully Functional In Minutes

Newsletter

Company

Resources

Terms

Get in touch

EDPB’s Updated Guidelines on Consent

Consent Requirements under the GDPR and the e-Privacy Directive:

Consent Requirements established by the CJEU in Planet49 case:

EDPB’s updated Guidelines on Consent:

Unambiguous indication of data subject’s wishes:

Takeaways:

Frequently Asked Questions

Privacy Center Fully Functional In Minutes

Get Started

Email already in use

Unexpected error occurred

Join Our Newsletter

Share

More Stories that May Interest You

Compliance Checklist for China’s PIPL

Employer Obligations on Employee Data Under Indian Law

The HR Guide to Employee Data Protection

Newsletter

Company

Resources

Terms

Get in touch

What'sNew

Privacy Center
Fully Functional In Minutes

What's
New