On May 4, 2020, the European Data Protection Board adopted updated guidelines on what does and does not constitute consent under the General Data Protection Regulation (GDPR) in certain situations. Consent is one of the lawful bases to process personal information under GDPR. To be valid, consent must be freely given, specific, informed, and unambiguous. Consent is freely given only where a data subject has a genuine choice.
First, the Board made it clear that consent cannot be freely given where the choice for the data subject is between using the services of one controller and using the services of a different controller. Therefore, if a controller gives data subjects the choice of “consent or don’t use my services,” it cannot point to choice in the marketplace generally as a means to prove that data subjects using its service have provided valid consent. Such an argument, according to the Board, would require that controllers monitor developments in the market to ensure such choice still existed among their competitors. It would also constantly raise the question of whether the competitors’ services were genuinely equivalent to the controller’s services.
Second, the Board addressed consent with respect to cookie walls. These cookie walls block access to content, other than the cookie banner, until the user clicks an “accept cookies” button. That is to say, the data subject’s “choice” is to either accept the site’s cookie policy or not access the site. The Board stated that the user in this situation is not given a genuine choice, and consent, therefore, is not considered freely given.
Third, the Board provided an example of certain acts that would not demonstrate consent. The Board stated that “scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirements of a clear and affirmative action” to show consent. Basing consent on these actions, moreover, does not give the data subject any similar means to revoke consent, as is required under GDPR.
So what does this update mean for companies subject to GDPR?
First, companies cannot rely on a data subject’s ability to use a competitor’s services as a basis for consent. Rather, companies must offer choice to users within their own services. If a company asks a user for consent to use personal data beyond that necessary to provide the core service, it must allow users to decline that additional use and still be able to access the core service.
Second, companies should provide tailored cookie options for visitors to their websites. Users should have the option to reject cookies and still be able to access the website. If there are cookies that are strictly necessary for website functionality, then, at the very least, users should be able to accept those and reject all others that are not necessary. Under the updated guidelines, giving users an all-or-nothing choice does not really give them a choice at all.
Third, companies must ensure that their systems are designed so that a user must take a clear, overt action to demonstrate consent. Privacy policy provisions such as “By using this website you consent to X, Y, and Z” are not a valid means to obtain consent under GDPR. Companies must rely on conspicuous user actions, rather than on passive contractual language, to demonstrate consent.