The European Data Protection Board (EDPB) has issued new recommendations. These recommendations highlight what you really need to do in order to ensure that you are compliant. Although there are no changes to the original guidelines in the ePrivacy Directive and the General Data Protection Regulation (GDPR), these clarifications add to our perspective and knowledge on the privacy needs. The principles are still the same but with some minor changes.
According to these clarifications, the EDPB has announced minimal changes:
- Consent obtained from a data subject via a cookie wall is not valid
- Passive web activity does not count as consent
For years some companies have gotten away with bad practices and without implementing better compliance strategies. Some companies have been involved in bad practices ignoring the law such as: the use of cookie walls, dark patterns and circles to make navigation for the user difficult. Now the EDPB has clarified that this is no longer acceptable.
If a user has to engage with a so-called “cookie wall” and during this time the user clicks or taps on agreeing to the cookies, then the consent is not freely given, and neither is it valid. Furthermore, if a visitor is scrolling on your website or they are only visiting with no intention of letting you use their private data once they have left your website, then their consent becomes problematic.
Unless the user voices their consent in a clear and affirmative manner with all the right access to your cookie and privacy policies, their consent may not be considered as legal and satisfying.
The amendments elaborate on the ePrivacy Directive and the GDPR guidelines. They mainly focus on the need to obtain clear, explicit and intentional consent rather than a subliminally forceful one.
Many companies are not aware of their cookie consent management standards. This poses a risk and makes them vulnerable to legal action in the coming years. The litigation may come with an added expense of public defamation, loss of reputation and clients. Shifting to better privacy management tools is the only way out. Negligence has led even some of the big players such as Google to pay out heavy penalties.
The new EDPB guidelines use this explanation:
“A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice, its consent is not freely given.”
Furthermore, a user that is scrolling on your website is not consenting thus, their activity cannot be assumed to be used as consent. The consent management should be such that there remains no ambiguity attached to the process as well as the results.
Updated EDPB Guideline:
Based on recital 32 [of the GDPR], any passive actions already do not satisfy the requirement of a clear and affirmative action as a signal of consent. Lastly, it is also expanded upon now that the users must be able to opt-out of the consent just as easily as they were able to provide it.
The EDPB’s updated Example 16 also further elaborates on this idea. It also shows the link to the requirement under Article 7(3) of the GDPR) for cases where the consent is granted through scrolling, swiping or similar behaviours.
The privacy world can be complicated, but it doesn’t have to be. You can rely on our privacy management expertise to help you make it all easy and achievable.