Updated Guidelines on Consent Under GDPR
On 4 May 2020, the European Data Protection Board (EDPB) updated guidelines around online consent to be compliant with the GDPR. We’ve summarized the update below and are also hosting an upcoming webinar to cover the updated guidelines.
Join our webinar on 14 May 2020 to learn more! Register now.
Background of the GDPR
The GDPR outlines six legal bases for processing personal data: consent, contract, compliance with legal obligation, vital interest of the individual, public interest and legitimate interest. The latest updated guidelines from the EDPB address consent.
This first legal basis that focuses on consent in the GDPR states: ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’. Consent must be unbundled, informed, active, without imbalance of power, granular, and easy to withdraw. (Check out our GDPR blog category for more).
The Updated Guidelines
The latest update outlined a need for clarification on two points:
- the validity of consent as provided by data subjects when interacting with ‘cookie walls;’ and
- the action of scrolling or swiping through a webpage, or similar user activity, as a clear and affirmative action of consent.
A cookie wall is a type of pop up on a website that doesn’t allow access unless consent is given. To address the clarification needed around cookie walls, two main recommendations are provided:
- service providers cannot prevent data subjects from accessing a service on the basis that they do not consent; and
- ‘cookie walls’ are not permitted: access to services and functionalities must not be made conditional on the consent of users to the placement of cookies or similar technologies on their terminal equipment.
In particular, the Guidelines provide that, when data controllers offer a choice between their service, that includes consenting to the use of personal data for additional purposes, and an equivalent service offered by a different controller, consent cannot be considered as freely given. The Guidelines also explain that the validity of consent may be determined by comparing services provided by other market players. We’ll cover the impact of this recommendation and a practical example in our webinar in our webinar.
The Guidelines also clarify that scrolling or swiping through a webpage – or similar actions – does not constitute a clear or affirmative action. Thus, unambiguous consent has not been obtained and that there is not a way for the user the withdraw consent in a way that as easy as granting it.
Join our webinar to learn more about the updated guidelines and the impact to marketers. You can also learn more through OneTrust DataGuidance ‘EU: EDPB adopts updated guidelines on consent under the GDPR’.