On May 4, 2020, the European Data Protection Board (EDPB) published its updated Guidelines on consent for the use of websites, bringing legislation one step closer to its goal of achieving a uniform interpretation of data protection rules across the EU. In this article, we have compiled a summary of the most important points.
The EDPB’s current guidelines – what you need to know
The EDPB reconfirms many of the existing rules, including the requirements for GDPR-compliant user consent:
Among other requirements, legally abiding consent must be given in a voluntary, explicit and granular manner. In the context of the GDPR, voluntary refers to an action, for example, in the form of an opt-in.
Scrolling a website does not count towards a form of valid consent
The user must actively and explicitly consent to the processing of their data. Scrolling without additional action or browsing further on the website is therefore not an explicitly confirming action.
Voluntary consent also means that the user must be granted genuine freedom of choice. If the user refuses to disclose their data, this must not result in any disadvantages to them. As a rule, a disadvantage exists not only if the user is prevented from visiting a website, but also if the provision of a product or service is linked to the granting of the user’s consent without offering an appropriate alternative for the consent.
If there are different purposes for data processing, the EDPB believes that the solution for valid consent lies in granularity, i.e., separating and obtaining consent on a granular basis for each purpose.
Cookie walls only permitted in exceptional cases
The EDPB regards the forced interaction with a banner, mostly in the form of cookie walls, as being extremely questionable. However, the EDPB permits such walls if the user is given the option to choose to decline and can use the website either way.
As previously ruled by the European Court of Justice (ECJ) in the Planet49 case, the EDPB further confirms that “active action” in the context of consent can only take place through an opt-in. A pre-ticked box, where the user must instead take action to opt-out, namely to prevent processing, does not constitute legally effective consent.
For the topic of incentives, the EDPB outlines appropriate procedures for when and if they can be offered to obtain consent. However, the user should not be influenced to the extent that a well-considered decision seems practically impossible.
Tighter restrictions for the right to information
More stringent requirements arise for website operators with regards to the duty to provide information. For example, in the case of a multi-layer cookie banner, a website provider must inform the user about the identity of the controller and the purposes of the processing in the first information level or layer of the cookie banner. If the information obligation is not complied with, the controller will not be able to prove that consent has been obtained in compliance with data protection requirements.
The current EDPB guidelines clearly reveal that the requirements for obtaining consent have become more stringent. What is particularly noteworthy are the EDPB statements on practical implementation. What can be taken from here is that the EDPB wants to pass on the responsibility of the legislator to find a legally practicable solution to the responsible parties involved. The conclusion is clear: not only do website operators have to comply with various regulations in order to be able to prove legally binding user consent, they must also find user-friendly solutions that can be implemented in practice.
One thing is for certain: if a website operator actually complies with all the GDPR regulations on consent, the user experience will be compromised. This is because the website visitor would be faced with overcrowded cookie banners on every website, and even technically savvy users would probably reach their tolerance limits.
The EDPB therefore sees the task of collecting GDPR-compliant consent – while having “consent fatigue” in mind – as the responsibility of the website operator, as stated in the following excerpt: “The GDPR places upon controllers the obligation to develop ways to tackle this issue.”
The European Data Protection Board (EDPB), as an independent European body, promotes cooperation between EU data protection authorities and the consistent application of data protection rules throughout the European Union.
With the enactment of the General Data Protection Regulation, Article 29 of the data privacy group was replaced. The current guidelines do not initially result in any mandatory rules for data controllers within the scope of the GDPR. However, it is foreseeable that if the European data protection authorities use the guidelines as a benchmark for assessing the legal compliance of data controllers, they will – at least indirectly – have a binding effect on data controllers in the future.
Autoren: Jana Krahforst & Carolin Weißofner, Legal Team Usercentrics
DISCLAIMER: The implementation of a data protection-compliant implementation of a Consent Management Platform is ultimately at the discretion of the respective data protection officer or legal department. These explanations therefore do not constitute legal advice. They merely serve to support you with information about the current legal situation when implementing a Consent Management Platform solution. If you have any legal questions, you should consult a qualified attorney.