
EU Data Protection: Updated EDPB Guidance on Consent Clarifies the Mechanism for Cookie Consent

Date: 11 May 2020
Data Protection, Privacy and Security Alert

Approaching its second anniversary this month, the European General Data Protection Regulation (GDPR) has never been as relevant as in these unprecedented COVID-19 times. While several countries are considering the deployment of contact tracing apps, a consensus seems to have emerged that their use should be voluntary. The notion of “consent” therefore remains the cornerstone (albeit not the only one) of the European data protection framework.

In that regard, the European Data Protection Board (EDPB) issued a revised take on one of the first guidelines published by its predecessor, the WP29, in April 2018, [1] taking into consideration the difficulties encountered by stakeholders in the operational implementation of GDPR compliance. These clarifications come at a time when discrepancies in interpreting what constitutes valid “consent” are emerging between the various Member States’ Supervisory Authorities, especially as applied to the use of cookies and other tracking technologies (together, “cookies”).

GDPR and ePrivacy: A Layered Regulation of Privacy in Europe

While GDPR has taken the world by storm, it was never meant to be the only tool regulating data protection in Europe as of 25 May 2018. That day was also the initial deadline for revising the privacy framework of the online communication sector. Currently, this subset of data protection is governed by Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, dating back to 2002 (ePrivacy Directive). As with general data protection in the pre-GDPR era, the ePrivacy Directive has been implemented and interpreted differently by Member States. Its successor, the ePrivacy Regulation, would harmonize this sector, provided it gets adopted.

In that regard, the EDPB published a first Opinion 05/2019 on 12 March 2019 on the interplay between the ePrivacy Directive and GDPR, which highlighted the tasks and powers of the Member States’ Supervisory Authorities. Following this call to action, some Supervisory Authorities seized the opportunity to provide their own interpretation of that interplay (see the UK Information Commissioner’s Office’s (ICO) Guidance on the use of cookies and similar technologies dated 3 July 2019, as well as the French Data Protection Authority’s (CNIL) draft Recommendation on the practical procedures for collecting consent to operations storing or gaining access to information in the terminal equipment of a user, dated 14 January 2020, implementing its own deliberation no. 2019-093, dated 4 July 2019).

In both instances, the French and UK Supervisory Authorities reversed the position that, when required, consent to the use of cookies could be obtained through a so-called “soft opt-in,” where continued browsing was interpreted as valid consent, or conditioned on a “cookie wall,” where access to the site is denied until the user accepts cookies.

Overturning this long-standing practice shook industry players, who are currently challenging the Supervisory Authorities’ positions.

The EDPB therefore revised its previous guidelines on two aspects:

  • access to whole or part of an online service should not be denied if the user has not consented to the placement of cookies, as the lack of options would prevent such consent from being freely given; and
  • where consent is required for the use of cookies, the “soft opt-in” tolerance may no longer be relied on as valid consent, as the lack of a formal process neither allows the user’s unambiguous action to be established nor offers the possibility to withdraw or defer consent.

Amidst this fragmenting playing field, the revised guidelines from the EDPB bring some welcome clarification while waiting for the ePrivacy Regulation.

Action Items

All publishers whose websites and/or apps are accessible to a European audience should:

  • Have a clear overview of all first- and third-party cookies used on their website;
  • Assess which of these cookies are (i) strictly necessary for the provision of the service or (ii) nonessential. All analytics or geolocation cookies should, by their nature, be considered nonessential;
  • Ensure that no cookie is dropped on the user’s terminal prior to a first layer of information;
    • This first layer of information could be a banner containing key information about (i) the identity of the publisher, (ii) the roles of the cookies, and (iii) the rights of the users;
    • A second layer of information should provide more ample information, notably relating to the cookies’ lifespans. In that regard, having a dedicated cookie policy, separate from a privacy policy, is advised;
  • When consent is required, include:
    • A user interface with a neutral design (no layout that favors acceptance over refusal);
    • Options not limited to (i) consenting or (ii) seeking more information, but also (iii) refusing consent and (iv) postponing the decision;
    • A consent-gathering mechanism for each purpose; and
    • The possibility for users to withdraw their consent, which may require the deployment of a cookie-management interface;
  • Not deny access to the website merely because the user has not consented (whether by ignoring the consent request or by expressly refusing); and
  • Document both the consent-gathering process and the actual consent-gathering action as part of GDPR’s accountability framework.
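The action items above describe a mechanism rather than a policy: nonessential cookies must not be written until the user has actively consented to their purpose, refusal and postponement must be possible without losing access to the content, withdrawal must actually remove the cookies, and every action must be recorded. The following is an added example of such a consent-gated cookie layer in browser-side JavaScript; it is not code from the alert or from any regulator. The cookie registry, purpose names, policy version string and the in-memory cookie jar standing in for document.cookie are all constructed for the example.

```javascript
// Added example (not from the original alert): a consent-gated cookie layer
// enforcing the action items. REGISTRY, POLICY_VERSION and the in-memory jar
// are hypothetical; in a real page the jar would wrap document.cookie.

// Every cookie the site may drop, mapped to its purpose. Unregistered cookies are refused.
const REGISTRY = {
  session_id: { purpose: "session", essential: true },      // strictly necessary: no consent needed
  csrf_token: { purpose: "session", essential: true },
  _ga:        { purpose: "analytics", essential: false },   // analytics: nonessential by nature
  geo_region: { purpose: "geolocation", essential: false }, // geolocation: nonessential by nature
};

const POLICY_VERSION = "cookie-policy-2020-05-v1"; // hypothetical version of the second-layer cookie policy

class ConsentManager {
  constructor(jar) {
    this.jar = jar;             // { get(name), set(name, value), remove(name), keys() }
    this.decisions = new Map(); // purpose -> "granted" | "refused"; absent means undecided
    this.log = [];              // accountability record of every consent action
  }

  // Undecided and refused purposes are treated identically: no nonessential cookie.
  isGranted(purpose) {
    return this.decisions.get(purpose) === "granted";
  }

  // Record the user's action. "postponed" records that the banner was shown and
  // dismissed without a decision, which must not be read as consent.
  record(action, purpose, now = Date.now()) {
    if (!["granted", "refused", "withdrawn", "postponed"].includes(action)) {
      throw new Error("unknown consent action: " + action);
    }
    this.log.push({ action, purpose, policy: POLICY_VERSION, at: now });
    if (action === "granted") this.decisions.set(purpose, "granted");
    if (action === "refused" || action === "withdrawn") this.decisions.set(purpose, "refused");
    if (action === "withdrawn") this.purge(purpose);
  }

  // Gate: essential cookies always, nonessential cookies only with consent for their purpose.
  canSet(name) {
    const entry = REGISTRY[name];
    if (!entry) return false; // fail closed on anything not in the registry
    return entry.essential || this.isGranted(entry.purpose);
  }

  setCookie(name, value) {
    if (!this.canSet(name)) return false;
    this.jar.set(name, value);
    return true;
  }

  // Withdrawal removes every nonessential cookie of that purpose already on the terminal.
  purge(purpose) {
    for (const name of this.jar.keys()) {
      const entry = REGISTRY[name];
      if (entry && !entry.essential && entry.purpose === purpose) this.jar.remove(name);
    }
  }

  // Access to the content never depends on the consent state (no cookie wall).
  contentAccessible() {
    return true;
  }
}

// Constructed in-memory jar so the example runs outside a browser.
function memoryJar() {
  const m = new Map();
  return {
    get: (n) => m.get(n),
    set: (n, v) => m.set(n, v),
    remove: (n) => m.delete(n),
    keys: () => [...m.keys()],
  };
}

// One user session: banner shown, decision postponed, analytics later granted, then withdrawn.
function demo() {
  const jar = memoryJar();
  const cm = new ConsentManager(jar);
  const beforeConsent = cm.setCookie("_ga", "GA1.2.1"); // rejected: no decision yet
  cm.setCookie("session_id", "abc");                     // essential: always allowed
  cm.record("postponed", null);                          // user dismissed the first layer
  cm.record("granted", "analytics");                     // explicit per-purpose consent
  const afterConsent = cm.setCookie("_ga", "GA1.2.1");   // now allowed
  cm.record("withdrawn", "analytics");                   // withdrawal purges _ga
  return {
    beforeConsent,
    afterConsent,
    gaAfterWithdraw: jar.get("_ga"),
    session: jar.get("session_id"),
    geo: cm.setCookie("geo_region", "FR"),               // still undecided: rejected
    logEntries: cm.log.length,
    accessible: cm.contentAccessible(),
  };
}
```

The log entries (action, purpose, policy version, timestamp) are what the accountability bullet asks for; in production they would be persisted server-side against a pseudonymous consent identifier, and the registry would be generated from the cookie audit in the first bullet rather than typed by hand.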

K&L Gates’ global data protection team (including in each of our European offices) remains available to assist you in bringing your online communications into compliance.

[1] Available here, which itself built upon the WP29 pre-GDPR interpretation of consent under Opinion 15/2011, dated 13 July 2011.

This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.
