European Data Protection Board publishes updated guidelines on consent

The European Data Protection Board (EDPB) has published an updated version of the guidelines on consent under the GDPR (the Guidelines) which were previously issued by its predecessor the Article 29 Working Party (and then adopted by the EDPB).

The Guidelines remain largely unchanged from the previous version save for two main updates in relation to valid consent in the context of cookies:

• Scrolling or swiping through a webpage “or similar user activity”
  will not satisfy the requirement of a clear and affirmative act. On
  that basis, it will not be possible to determine whether the consent
  was unambiguous (and therefore the consent will not be valid).

• The Guidelines further confirm that “access to services and
  functionalities must not be made conditional on the consent of a user
  to the storing of information, or gaining of access to information
  already stored, in the terminal equipment of a user” (i.e. cookie
  walls where individuals cannot access content unless they consent to
  cookies) as this does not provide individuals with a genuine choice.
  Any consent based on cookie walls is therefore not freely given.

These updates broadly align with the guidance on the use of cookies and similar technologies that the ICO published in July last year. That said, the EDPB’s stance of cookie walls appears to be fairly black and white and does not consider ad-supported content whereas the ICO’s guidance acknowledged that there may be some grey areas. Whilst the ICO also highlighted that a restriction on user access through cookie walls is generally not permissible, it did state that it may be possible to restrict certain content if users don’t provide consent. In a blog post the ICO further acknowledged that there are “some differing opinions as well as practical considerations” in relation to this but did not offer any additional guidance, instead stating that it will be seeking further submissions and opinions on this point. This is an important consideration for ad-tech providers or other providers relying on advertising to provide free content (e.g. app developers). It will also be interesting whether the upcoming ePrivacy Regulation will adopt the same strict stance in relation to cookie walls or whether it will leave some room for exceptions for certain content.

Next Steps:

The ICO and other regulators have indicated that cookie compliance will be an increasing regulatory priority, and this is more likely to be the case now that some regulators have seen their guidance be reiterated at a European level. In light of this, businesses should consider reviewing and if necessary updating their cookie consent mechanisms, particularly if their website is intended to cover multiple European jurisdictions.