4th May saw the European Data Protection Board publish updated guidelines on consent law; consent being one of six lawful bases that data controllers use to process personal data. The EDPB reconfirmed the set of standards that need to be adhered to in order to use consent as a basis for the right to process personally identifiable information (PII).
‘Cookie walls’ are not legal. This was the message reinforced by them on Monday in the update to their guidelines, in which they reiterated that consent should always be freely obtained. Clearly, permission is not at all free if a user has to accede to something in order to access a website. A cookie wall simply does not offer this free choice if users are being asked to allow tracking cookies or a tracking pixel to be placed on their browser in order to access a company’s website.
The revised text states: “A website provider puts into place a script that will block content from being visitable except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies’ button. Since the data subject is not presented with a genuine choice, its consent is not freely given. "
The cookie wall issue has been a matter of contention and confusion for some time now. The UK data protection authority, the ICO, published a post in 2019 in which it confirmed that agreeing to cookies in order to use a website is not considered valid consent but concluded that the issue was still under consideration. France’s equivalent governing body, the CNIL, last year insisted that users should be allowed to access a website whether they allow or deny cookie consent and the Dutch DPA have stated firmly that they consider the practice of cookie walls (no permission means no access) to be unlawful.
The EDPB, in the same updated release, paid attention to another matter of continuous concern: scrolling or swiping through a website. On this, the revised guidelines state:
“…actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action…”
Obviously, the message could not really be clearer, however, as the two-year anniversary of the introduction of the pan-European data protection law looms, critics will continue to assess whether enforcement is really being put into action and actively being pursued by regulators, particularly on this very thorny issue.