The Fall of the Cookie Wall

The Fall of the Cookie Wall

The European Data Protection Board (EDPB) has updated its guidelines for consent. As we wait for the ePrivacy Regulation, the EDPB tightens the grip on what constitutes valid consent when using tracking cookies.


New guidelines on cookies and consent

No more cookie walls! And scrolling isn’t consent, the European Data Protection Board declares in an updated set of guidelines to collect valid consent for cookies.

With the updated requirements, the EDPB sends an unambiguous message to websites: if you use consent as a lawful basis to collect internet users’ personal data, you must obtain valid consent.

“Consent must be freely given,
or it does not constitute valid consent.”

By valid, the Europe’s General Data Protection Regulation (GDPR) specifies certain standards to meet: consent must specific, informed and most importantly freely given.

No consent behind cookie walls

Although there has been a lot for discussion on the legitimacy of the cookie wall, the EDPB has now put it on writing.

The ‘data for access’ model practiced by a number of major European websites, requires the user to “accept” tracking cookies to access the website’s content.

“Demanding consent as the price
for getting onto the website,
is not considered valid consent.”

The EDPB clearly points that cookie walls do not constitute valid consent, since the user is ‘forced’ to accept cookies to access the website.

The user is thereby not presented with a genuine choice and consent is not freely given.

40. Example 6a: A website provider puts into place a script that will block consent from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the consent without clicking on the ”Accept cookies” button. Since the data subject is not presented with a genuine choice, its consent is not freely given.
41. This does not constitute valid consent, as the provision of the service relies on the data subject clicking the ”Accept cookies" button. It is not presented with a genuine choice.

Last year, the Dutch DPA banned all uses of cookie walls, thereby paving the way for a unified European discussion on the topic.

The EDPB clarification should now leave no room for interpretation on whether cookie walls are allowed or not.

Dutch data protection investigation into GDPR cookie compliance and cookie walls | Cookie Information

Scrolling a website does not mean “I consent”

Another matter in the updated guidance from the EDPB is the issue of scrolling and consent.

“Scrolling a website or digital service
cannot in any way be interpreted as
consent to cookies."

In essence, the EDPB explains: “actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action

86. Example 16: Based on recital 32, actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirements of a clear and affirmative action: such actions may be difficult to distinguish from other activity or interaction by a user and therefore determining that an unambiguous consent has been obtained will also not be possible. Furthermore, in such a case, it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it.

So, websites using cookie walls or setting cookies at the moment a visitor scrolls the webpage, are not complying with the requirements for consent in accordance with the EDPB new guidelines.

There has been an increasing focus on consent and cookies around the European Data Protection Authorities and warnings and fines have been given in Germany, Denmark and Spain among others.

Belgian BDPA in GDPR cookie Fine | Cookie Information

How to collect valid consent to cookies?

Websites dropping tracking cookies without obtaining their users’ valid consent risk regulatory enforcement.

GDPR fines can scale as high as €20; or 4% of global annual turnover.

So, how do you collect valid consent to cookies?

Here’s a short but informative checklist.

CHECKLIST - VALID CONSENT

To collect valid consent, you need a cookie consent solution (banner) which:

  • Informs your visitors of cookies (who owns them; their purpose; lifespan)
  • Provides your visitors with the option to decline cookies (and tracking)
  • Holds back cookies before consent is obtained
  • Does not assume consent with pre-ticked boxes
  • Collects and stores consents for 5 years (in case of inspection by DPA).

If you are in doubt whether your website is collecting valid consent to cookies, you can always get a free cookie audit.

Is my website cookie compliant? Free audit

“Our customers demand the best consent solution, 
and that’s why they hire us!”

book a meeting with jonas

Sources:

HTTPS://EDPB.EUROPA.EU/SITES/EDPB/FILES/FILES/FILE1/EDPB_GUIDELINES_202005_CONSENT_EN.PDF