Published May 27, 2020.
The European Data Protection Board (EDPB) has adopted guidelines for GDPR compliance, clarifying what constitutes valid consent on websites and ruling the use of “cookie walls” illegal.
EDPB is the highest supervisory authority on the GDPR in the EU and their guidelines form the basis of enforcement by national data protection authorities in each EU member state.
In this article we explain the most important things for you to know about the EDPB guidelines, so you can make sure that your website is a safe and compliant space for users to visit.
On May 4, 2020, the European Data Protection Board (EDPB) adopted guidelines for GDPR compliance that clarify what constitutes valid consent for personal data processing in the EU, and confirm that the use of “cookie walls” as a way of obtaining consent is non-compliant.
These EDPB guidelines cement as a unified application of the GDPR what several national data protection authorities and the CJEU Planet49 ruling have independently ruled. Because EDPB’s guidelines direct how DPAs in each EU member state are to enforce the GDPR, it is very important to take notice of these.
Try Cookiebot free for 30 days... or forever if you have a small website.
For a consent to be valid according to the GDPR, it has to be:
EDPB clarifies in its guidelines that “an unambiguous indication of user consent” must be made with a clear and affirmative action by the user.
User actions such as scrolling or swiping through a website or similar user activity (also known as implied consent) do not meet the requirement for valid consent under the GDPR.
Instead, your website’s cookie banner must be interactive, and the website must refrain from activating any cookies that collect personal data until the user has selected which categories of cookies they will allow to be in operation (known as prior consent).
The EDPB guidelines also clarify that the use of pre-ticked opt-in boxes is not GDPR compliant, as this does not live up to the “clear and affirmative action” requirement either.
Here, the EDPB guidelines complement the legal precedent set by the Court of Justice of the European Union (CJEU) in the Planet49 case in October 2019.
This CJEU decision ruled that pre-ticked boxes on cookie banners are not allowed, since they also don’t live up to the requirement that consent has to be a freely given, affirmative action.
EDPB guidelines clarify how the GDPR is to be interpreted and enforced in the EU.
EDPB guidelines also clarify that a “cookie wall” is a non-compliant way of obtaining consent for websites.
Cookie walls work by making access to websites conditional on the user’s consent to the processing of their personal data, and the EDPB guidelines state very clearly that this does not constitute valid consent.
Since a cookie wall operates by forcing users to consent to the storing of cookies, or to the accessing of already stored cookies, in exchange for access to services and functionalities, cookie walls as a way of obtaining consent do not live up to the GDPR requirement that valid consent has to be freely given and based on a genuine choice.
The EDPB guidelines cement what has been the intention of the GDPR all along: to empower the users with real, enforceable rights over their own data and privacy.
In their guidelines on consent, the EDPB makes it very clear that any kind of attempt to avoid giving users real power over their own personal data (such as forcing consent or relying on poorly informed implied consents) will not be tolerated.
In other words, your website is not allowed to activate any cookies that process personal data unless the user has given their clear and affirmative consent to it.
For your website, this means –
If your website uses a consent solution that activates cookies on the basis of continued scrolling, clicking or browsing on your website (i.e. any other activity than direct, explicit interaction with the consent banner), uses pre-ticked checkboxes or cookie walls, you need to change this.
The EDPB guidelines form the basis for all GDPR enforcement on a national level by the respective data protection authorities in each EU member state, so if your website is operating from an EU country or if your website processes personal data on individuals from an EU country, you must be in compliance with the EDPB guidelines on GDPR compliance.
Cookiebot performs a free scan of your website that detects all cookies and trackers in operation on your domain.
You might find that your website has many more cookies than you are aware of, since –
72% of cookies are secretly loaded by third-party trackers, making them almost impossible to detect without proper scanning technology.
18% of cookies on websites are trojan horses, i.e. trackers that load from as deep as within eight other cookies.
50% of all trojan horses will change between visits, so users risk having their personal data harvested by different third parties on your website, when they visit your domain again.
Source: Beyond the Front Page, a 2020 research paper on website cookies.
Cookiebot is the world’s leading consent management platform that makes your website compliant with all major data protection laws.
Cookiebot’s solution is plug and play with no need for manual implementation or on-site integration with your domain.
Simply implement Cookiebot from the cloud to protect the privacy of your users from third-party data abuse.
Cookiebot performs deep-scans of your entire website to detect all cookies and trackers in operation – even the hidden trojan horses – and auto-blocks everything until your users have given their prior consent, in full compliance with the GDPR.
Cookiebot’s consent solution is in full compliance with the EDPB guidelines on valid consent:
Cookiebot’s interactive banner with granular consent in compliance with EDPB guidelines on GDPR.
The EDPB guidelines 05/2020 on valid consent is a detailed 33-page document that was adopted on May 4, 2020.
In the rest of this article, we will take a closer look at each of the important sections of the EDPB guidelines that clarify valid consent under the GDPR:
EDPB was established with the passing of the GDPR into law in 2018 and is comprised of representatives from the national data protection authorities in each EU member state.
The EDPB’s job consists of adopting general guidelines and making decisions that clarify how the GDPR is supposed to be interpreted by websites, companies and organizations for full compliance.
EDPB guidelines and decisions are the cornerstone in the enforcement of the GDPR in EU member states, where each national data protection authority is responsible for the GDPR’s application.
When obtaining consent from users to the activation of cookies that process personal data, your website must make sure that it is freely given – a cornerstone for valid consent in the GDPR.
If the user has no real choice, feels compelled to consent or will suffer negative consequences if they do not consent (such as lowered services or access denied), then the consent will not be valid.
Your website is not allowed to bundle consent, i.e. if consent is presented as a non-negotiable part of terms and conditions, it is presumed not to have been freely given.
Accordingly, consent will not be considered to be valid if the user is unable to refuse or withdraw consent without consequences (such as lowered quality of services or access denial).
As briefly touched upon above, to bundle consents is not compliant, the EDPB guidelines clarify.
To make consent conditional to e.g. acceptance of terms or conditions, or the performance of a service to which the personal data processed by cookies and trackers is not necessary, is considered an invalid form of consent.
The GDPR contains six legal bases for the processing of personal data, of which the first is with the consent of the user and the second is for the performance of a contract.
This is the part of the EDPB guidelines that effectively rules out the use of cookie walls as a compliant form of obtaining consent, since a forced consent is not freely given (read: valid).
Compulsion to agree to non-necessary personal data collection stands in the way of free consent, the EDPB guidelines clarify.
Most websites in the world have a lot of different cookies in operation, each one collecting different data for different purposes by different providers.
The EDPB guidelines clarify that if your website processes personal data for more than one purpose, users must be able to freely choose which purpose they accept – rather than having to consent to a bundle of processing purposes.
This means for your website that you must know all cookies and their different purposes, and offer users the possibility of selecting the activation of some cookies and not others, also known as granular consent.
Granular consent by Cookiebot in full compliance with EDPB guidelines 05/2020.
Valid consent, the EDPB guidelines clarify, must be specific, i.e. clear determination of a specific, explicit and legitimate purpose for the intended processing activity.
To comply with the GDPR requirement for a consent to be specific, your website must ensure –
EDPB guidelines clarify that valid consent must be informed, i.e. users must know and understand what they are consenting to.
Your website must live up to these minimum content requirements for consent to be informed –
Your information to your users must be written in clear and plain language and be easily understandable for the average person (and not only for lawyers).
Cookiebot’s cookie banner with clear and easy-to-understand text, in compliance with the EDPB guidelines on informed consent.
Users must be able to withdraw their consent just as easily as they gave it. It is actually a condition for the validity of a consent that the user has an equally easy way of withdrawing it afterwards.
Users must be able to withdraw their consent freely and without consequences, such as having their access to a website denied or experiencing a lowering of services.
All personal data processing that took place after the user consented and before the withdrawal of the consent is lawful.
The burden of proof to demonstrate user consent for personal data processing is on the website owner and/or operator.
This means that you will need to be able to demonstrate that the user has given consent to your website setting cookies and trackers that collect personal data. Documentation of consent must be securely stored.
EDPB recommends as best practice that consents should be refreshed at appropriate intervals.
Lastly, remember that your users have GDPR secured rights that you must always respect in order to be compliant.
They are –
Cookiebot’s consent management platform takes care of all the GDPR compliance requirements that your website must meet, when using cookies that process personal data of users inside the EU.
The European Data Protection Board (EDPB) is the highest supervisory body in charge of application and enforcement of the General Data Protection Regulation (GDPR) in the EU. The EDPB is comprised of representatives from the data protection authorities in each EU member state, and their main function is to adopt general guidelines and make decisions on how the GDPR is to be interpreted and enforced.
EDPB guidelines 05/2020 clarify that valid consent is a freely given, informed, specific and unambiguous indication of a user’s wishes. This means that your website must give users a real choice of consent between all different cookies and trackers, prior to their activation and personal data processing. Scrolling and continued browsing on websites is not valid consent and cookie banners are not allowed to have pre-ticked checkboxes.
First, you must know of all cookies and trackers in operation on your website, so that you can inform users of their type, purpose, duration and provider. Secondly, you must block all cookies (apart from necessary cookies) until the users have given their clear and affirmative consent to the cookies they will allow to be activated. Thirdly, you must document all consents securely and renew them annually. Fourthly, you must make it as easy for the user to withdraw their consent as it was for them to give it in the first place.