Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

EDPB’s Updated Guidelines on Consent

Download: Consent Report Q2 2024
Published September 3, 2020 / Updated January 8, 2024
Author

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E

Listen to the content

On May 4, 2020, the European Data Protection Board released updated guidelines on Consent (Guidelines). The Guidelines adhere to the requirements of consent provided under the General Data Protection Regulation (GDPR) and the e-Privacy Directive and have been updated to be consistent with the landmark decision of the Court of Justice of the European Union (CJEU) in Planet49 case that clarified the scope of consent requirements in relation to the processing of cookies.

As per Article 4(11) of the GDPR, consent of a data subject should be freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The same standard of consent also applies to consent under the e-Privacy Directive. The e-Privacy Directive requires organizations to provide “clear and comprehensive information” about the purposes of the processing to users before processing cookies and an opportunity to refuse any such processing. Similarly, the GDPR requires data controllers to provide information to the users consisting of at least the controller’s identity, the kind of data that will be processed, how it will be processed, and the purposes of the processing.

Consent Requirements established by the CJEU in Planet49 case:

On October 1, 2019, the CJEU issued an important decision about consent requirements in relation to the processing of cookies. The case pertained to a German website that organized a promotional lottery online. In order to participate in the promotional lottery, users were required to provide their names and addresses and beneath the input fields for the addresses, there were two explanatory text boxes accompanied with checkboxes. Amongst them, one checkbox was pre-selected for the users and the participation in the promotional lottery was conditional on at least the selection of the first checkbox. While going through the relevant requirements under GDPR, e-Privacy Directive, and EU Regulation 2016/679, the CJEU made the following important conclusions, among others:

  • Pre-selected checkboxes are not valid consents as such consents are not specific or free. Pre-selected checkboxes do not indicate any active consent of data subjects and such form of passive behavior by the data subjects is not deemed to constitute valid consent.
  • The requirement to provide “clear and comprehensive information” to users before processing of cookies includes providing information pertaining to the duration of the operation of cookies, whether or not third-parties may have access to cookies, and the purposes of the processing of cookies.

EDPB’s updated Guidelines on Consent:

The EDPB’s updated Guidelines reaffirms that consent is one of the six lawful bases to process personal data as listed under Article 6 of the GDPR. These Guidelines complement the CJEU’s decision in the Planet49 case that clarified that cookie consent must be specific and active. In the Guidelines, the EDPB interprets the elements of consent as defined by the GDPR as follows:

  • Freely given:
    “Freely given” consent implies real choice and control for data subjects. The EDBP clarifies that access to a service or functionalities cannot be made conditional on a data subject’s consent to the processing of his or her personal information. Through this interpretation, the EDBP has put an end to cookie walls and upheld the idea that access to a service cannot be made conditional on users’ consent to the processing of cookies.Moreover, refusal or withdrawal of consent should be made as easy and straightforward as giving consent and without any detriment to the data subject, for it to be considered a freely given consent. The EDPB explains that data controllers should allow similar mechanisms for withdrawal of consent as that of giving consent. This means where consent is obtained through a service-specific user interface, the data subject must be able to withdraw consent via the same electronic interface. For example, if consent is obtained through online ticketing, the data subject must be able to withdraw his or her consent via the same online ticketing process and not via telephone call or some other mechanism.
  • Specific:
    “Specific” consent implies “granularity”, i.e. specific and separate consents should be obtained for separate purposes of the processing. This means data controllers are required to provide specific information to data subjects with each separate consent request about the data that are processed for each purpose. As per the Guidelines, the controller must apply the following to ensure that consent is specific.

    1. Purpose specification as a safeguard against function creep: This requirement serves as a protection against blurring of different purposes of processing of data;
    2. Granularity in consent requests: The data controllers must acquire users’ consent for each new purpose of the processing of data; and
    3. Clear separation of information related to obtaining consent for data processing activities from information about other matters: The data controllers must provide separate information to users for separate purposes of processing.
  • Informed:
    “Informed” consent implies that data controllers must provide all relevant information to data subjects about the processing of their data in clear, plain, and understandable language. The information to be provided must include at least, the following content, to ensure the transparency requirement of the GDPR.

    • The controller’s identity;
    • The purpose of each of the processing operations for which consent is sought;
    • What (type of) data will be collected and used;
    • The existence of the right to withdraw consent;
    • Information about the use of the data for automated decision-making in accordance with Article 22(2)(c) of the GDPR where relevant;
    • On the possible risks of data transfer due to the absence of an adequacy decision and of appropriate safeguards as described in Article 46 of the GDPR.

Unambiguous indication of data subject’s wishes:

An “unambiguous indication of the data subject’s wishes” implies a clear affirmative action of the data subject. It may refer to any written or recorded (oral) statement, including by electronic means, by which the data subject deliberately consents to process personal data. Such an action by the data subject must be distinguishable from other actions to avoid any form of ambiguity.

The Guidelines emphasize that the use of pre-ticked boxes, scrolling, swiping, silence, inactivity on the part of the data subject, or any other similar action will not under any circumstances constitute an active or unambiguous indication of data subjects’ wishes, and thereby, won’t constitute valid consent.

Takeaways:

The EDPB has offered two substantive clarities in connection with consent requirements pertaining to cookies:

  1. Firstly, without any doubt the Guidelines have put an end to cookie walls, i.e. access to a service cannot be made conditional on users’ consent to the processing of cookies;
  2. Secondly, scrolling, swiping or any other similar action has been established insufficient to constitute consent for the processing of cookies.

In light of the above, website publishers and other data controllers must review their consent policies and bring those in line with the EDPB’s latest guidelines. In addition to offering clarity on the interpretation of applicable European regulations such as the GDPR and e-Privacy Directive, the EDPB’s approach has demonstrated compliance with the emerging consensus that users should be given choice and control over their personal data.

Read: Why you need to adopt securiti.ai’s Consent Management Platform.

Frequently Asked Questions

Under the General Data Protection Regulation (GDPR), consent for processing personal data must be freely given, specific, informed, and unambiguous. The guidelines include the right to withdraw consent, clear and plain language in consent requests, and a mechanism for individuals to withdraw consent at any time as easily as it was given.

Article 25 of the GDPR focuses on data protection by design and by default. It emphasizes the need for organizations to implement data protection measures from the outset when developing products or services. The European Data Protection Board (EDPB) provides guidelines on how to apply this principle effectively.

The Article 29 Working Party (now replaced by the EDPB) was an advisory body composed of representatives from EU member states' data protection authorities. They provided guidance on various data protection issues, which was particularly relevant before the full application of the GDPR.

The EDPB has issued guidelines on the use of cookie walls. Cookie walls are interfaces that require website visitors to consent to the use of cookies to access a website. The guidelines emphasize that such walls are not compatible with the GDPR's requirement for freely given consent. Users should have the option to access a website without being forced to accept cookies.

Privacy Center
Fully Functional In Minutes

Elegant Consumer Frontend, Fully Automated Backend, Privacy Regulation Intelligent Everywhere.

 
Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share

More Stories that May Interest You
Videos
View More
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...
AWS Startup Showcase Cybersecurity Governance With Generative AI View More
AWS Startup Showcase Cybersecurity Governance With Generative AI
Balancing Innovation and Governance with Generative AI Generative AI has the potential to disrupt all aspects of business, with powerful new capabilities. However, with...

Spotlight Talks

Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Spotlight 13:32
Ensuring Solid Governance Is Like Squeezing Jello
Watch Now View
Latest
Simplifying Global Direct Marketing Compliance with Securiti’s Rules Matrix View More
Simplifying Global Direct Marketing Compliance with Securiti’s Rules Matrix
The Challenge of Navigating Global Data Privacy Laws In today’s privacy-first world, navigating data protection laws and direct marketing compliance requirements is no easy...
View More
Databricks AI Summit (DAIS) 2025 Wrap Up
5 New Developments in Databricks and How Securiti Customers Benefit Concerns over the risk of leaking sensitive data are currently the number one blocker...
A Complete Guide on Uganda’s Data Protection and Privacy Act (DPPA) View More
A Complete Guide on Uganda’s Data Protection and Privacy Act (DPPA)
Delve into Uganda's Data Protection and Privacy Act (DPPA), including data subject rights, organizational obligations, and penalties for non-compliance.
Data Risk Management View More
What Is Data Risk Management?
Learn the ins and outs of data risk management, key reasons for data risk and best practices for managing data risks.
View More
Getting Ready for the EU AI Act: What You Should Know For Effective Compliance
Securiti's whitepaper provides a detailed overview of the three-phased approach to AI Act compliance, making it essential reading for businesses operating with AI.
Beyond DLP: Guide to Modern Data Protection with DSPM View More
Beyond DLP: Guide to Modern Data Protection with DSPM
Learn why traditional data security tools fall short in the cloud and AI era. Learn how DSPM helps secure sensitive data and ensure compliance.
View More
Unlock Amazon Q’s Full Potential with Secure, Governed Data
Learn how robust DSPM can help secure Amazon Q data access, automate sensitive data tagging, eliminate ROT data, and maximize AI productivity safely.
Singapore’s PDPA & Consent: Clear Guidelines for Enterprise Leaders View More
Singapore’s PDPA & Consent: Clear Guidelines for Enterprise Leaders
Download the essential infographic for enterprise leaders: A clear, actionable guide to Singapore’s PDPA and consent requirements. Stay compliant and protect your business.
Gencore AI and Amazon Bedrock View More
Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock
Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...
DSPM Vendor Due Diligence View More
DSPM Vendor Due Diligence
DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...
What's
New