
The General Data Protection Regulation (GDPR) and ePrivacy Directive (ePR) affect how you as a website owner must obtain and store cookie consents from your visitors from the EU.

Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

EDPB guidelines on valid consent, compliance with Cookiebot

Published May 27, 2020.


The European Data Protection Board (EDPB) has adopted guidelines for GDPR compliance, clarifying what constitutes valid consent on websites and ruling the use of “cookie walls” illegal.

EDPB is the highest supervisory authority on the GDPR in the EU and their guidelines form the basis of enforcement by national data protection authorities in each EU member state.

In this article we explain the most important things for you to know about the EDPB guidelines, so you can make sure that your website is a safe and compliant space for users to visit.


Quick summary


EDPB guidelines in brief

On May 4, 2020, the European Data Protection Board (EDPB) adopted guidelines for GDPR compliance that clarify what constitutes valid consent for personal data processing in the EU, and confirm that the use of “cookie walls” as a way of obtaining consent is non-compliant.

These EDPB guidelines unify, as a single application of the GDPR, what several national data protection authorities and the CJEU Planet49 ruling had already ruled independently. Because the EDPB’s guidelines direct how DPAs in each EU member state are to enforce the GDPR, it is very important to take notice of them.

Read the EDPB guidelines 05/2020 on valid consent here.

Test if your website is compliant with EDPB guidelines and GDPR for free.

Try Cookiebot free for 30 days... or forever if you have a small website.


EDPB guidelines on valid consent

For a consent to be valid according to the GDPR, it has to be freely given, specific, informed and unambiguous.

EDPB clarifies in its guidelines that “an unambiguous indication of user consent” must be made with a clear and affirmative action by the user.

User actions such as scrolling or swiping through a website or similar user activity (also known as implied consent) do not meet the requirement for valid consent under the GDPR.

With the EDPB guidelines, this means that your website’s cookie banner is not allowed to state that continued browsing or scrolling on your domain will be considered a consent to the use of cookies that process personal data, as this is not a valid form of consent under the GDPR.

Instead, your website’s cookie banner must be interactive, and the website must refrain from activating any cookies that collect personal data until the user has selected which categories of cookies they will allow to be in operation (known as prior consent).

The EDPB guidelines also clarify that the use of pre-ticked opt-in boxes is not GDPR compliant, as this does not live up to the “clear and affirmative action” requirement either.

Here, the EDPB guidelines complement the legal precedent set by the Court of Justice of the European Union (CJEU) in the Planet49 case in October 2019.

This CJEU decision ruled that pre-ticked boxes on cookie banners are not allowed, since they also don’t live up to the requirement that consent has to be a freely given, affirmative action.

Learn more about CJEU and the case of Planet49

Try Cookiebot for free today… or forever if you have a small website.




EDPB guidelines clarify how the GDPR is to be interpreted and enforced in the EU.



EDPB guidelines on cookie walls

EDPB guidelines also clarify that a “cookie wall” is a non-compliant way of obtaining consent for websites.

Cookie walls work by making access to websites conditional on the user’s consent to the processing of their personal data, and the EDPB guidelines state very clearly that this does not constitute valid consent.

Since a cookie wall operates by forcing a consent from users to store cookies, or to access already stored cookies, in exchange for access to services and functionality, cookie walls as a way of obtaining consent do not live up to the GDPR requirement that a valid consent has to be freely given and based on a genuine choice.

Want to know more about cookie walls?


What do the EDPB guidelines mean for my website?

The EDPB guidelines cement what has been the intention of the GDPR all along: to empower the users with real, enforceable rights over their own data and privacy.

In their guidelines on consent, the EDPB makes it very clear that any kind of attempt to avoid giving users real power over their own personal data (such as forcing consent or relying on poorly informed implied consents) will not be tolerated.

In other words, your website is not allowed to activate any cookies that process personal data unless the user has given their clear and affirmative consent to it.

For your website, this means –

If your website uses a consent solution that activates cookies on the basis of continued scrolling, clicking or browsing (i.e. any activity other than direct, explicit interaction with the consent banner), or that uses pre-ticked checkboxes or cookie walls, you need to change it.

The EDPB guidelines form the basis for all GDPR enforcement on a national level by the respective data protection authorities in each EU member state, so if your website is operating from an EU country or if your website processes personal data on individuals from an EU country, you must be in compliance with the EDPB guidelines on GDPR compliance.


EDPB guidelines and GDPR compliance test

Not sure if your website lives up to GDPR requirements for lawful use of cookies and trackers? In doubt whether your domain meets the EDPB guidelines for valid consent?

Test whether your website is in compliance with the EDPB guidelines and GDPR requirements by using Cookiebot’s free compliance test.

Cookiebot performs a free scan of your website that detects all cookies and trackers in operation on your domain.

You might find that your website has many more cookies than you are aware of, since –

72% of cookies are secretly loaded by third-party trackers, making them almost impossible to detect without proper scanning technology.

18% of cookies on websites are trojan horses, i.e. trackers that load from as deep as within eight other cookies.

50% of all trojan horses will change between visits, so users risk having their personal data harvested by different third parties on your website, when they visit your domain again.

Source: Beyond the Front Page, a 2020 research paper on website cookies.

Test your website’s GDPR and EDPB guidelines compliance for free

Learn more about GDPR and cookie consent

Visit the EDPB’s website

Try Cookiebot for free today


Cookiebot and EDPB guidelines


Cookiebot is the world’s leading consent management platform that makes your website compliant with all major data protection laws.

Cookiebot’s solution is plug and play with no need for manual implementation or on-site integration with your domain.

Simply implement Cookiebot from the cloud to protect the privacy of your users from third-party data abuse.

Cookiebot performs deep-scans of your entire website to detect all cookies and trackers in operation – even the hidden trojan horses – and auto-blocks everything until your users have given their prior consent, in full compliance with the GDPR.

Cookiebot’s consent solution is in full compliance with the EDPB guidelines on valid consent:





Cookiebot’s interactive banner with granular consent in compliance with EDPB guidelines on GDPR.



Try Cookiebot free for 30 days… or forever if you have a small website.






EDPB guidelines in detail


The EDPB guidelines 05/2020 on valid consent is a detailed 33-page document that was adopted on May 4, 2020.

In the rest of this article, we will take a closer look at each of the important sections of the EDPB guidelines that clarify valid consent under the GDPR:

Read the EDPB guidelines in full here.


Who is the EDPB?

The European Data Protection Board (EDPB) is the leading supervisory authority responsible for the consistent application of the General Data Protection Regulation (GDPR) in the EU.

EDPB was established with the passing of the GDPR into law in 2018 and is comprised of representatives from the national data protection authorities in each EU member state.

The EDPB’s job consists of adopting general guidelines and making decisions that clarify how the GDPR is supposed to be interpreted by websites, companies and organizations for full compliance.

EDPB guidelines and decisions are the cornerstone in the enforcement of the GDPR in EU member states, where each national data protection authority is responsible for the GDPR’s application.


Freely given consent


When obtaining consent from users to the activation of cookies that process personal data, your website must make sure that it is freely given – a cornerstone for valid consent in the GDPR.

If the user has no real choice, feels compelled to consent or will suffer negative consequences if they do not consent (such as lowered services or access denied), then the consent will not be valid.

Your website is not allowed to bundle consent, i.e. if consent is presented as a non-negotiable part of terms and conditions, it is presumed not to have been freely given.

Accordingly, consent will not be considered to be valid if the user is unable to refuse or withdraw consent without consequences (such as lowered quality of services or access denial).


Conditionality of consent


As briefly touched upon above, to bundle consents is not compliant, the EDPB guidelines clarify.

Making consent conditional on, e.g., acceptance of terms and conditions, or on the performance of a service for which the personal data processed by cookies and trackers is not necessary, is considered an invalid form of consent.

The GDPR contains six legal bases for the processing of personal data, of which the first is with the consent of the user and the second is for the performance of a contract.

The EDPB guidelines make it very clear that these two legal bases cannot be merged or blurred, i.e. if your website relies on user consent for the use of cookies and trackers that process personal data, this consent cannot be conditioned on the performance of a service that does not need the personal data in order to be performed (see GDPR Article 7(4) for more on this).

This is the part of the EDPB guidelines that effectively rules out the use of cookie walls as a compliant form of obtaining consent, since a forced consent is not freely given (read: valid).

Compulsion to agree to non-necessary personal data collection stands in the way of free consent, the EDPB guidelines clarify.

Learn more about cookie walls here


Granular consent


Most websites in the world have a lot of different cookies in operation, each one collecting different data for different purposes by different providers.

The EDPB guidelines clarify that if your website processes personal data for more than one purpose, users must be able to freely choose which purpose they accept – rather than having to consent to a bundle of processing purposes.

This means for your website that you must know all cookies and their different purposes, and offer users the possibility of selecting the activation of some cookies and not others, also known as granular consent.




Granular consent by Cookiebot in full compliance with EDPB guidelines 05/2020.



Specific consent


Valid consent, the EDPB guidelines clarify, must be specific, i.e. it requires a clear determination of a specific, explicit and legitimate purpose for the intended processing activity.

To comply with the GDPR requirement for a consent to be specific, your website must ensure –

  1. Purpose specification as a safeguard against function creep (i.e. that personal data is used for multiple purposes without the specific consent of the user for each purpose).
  2. Granularity in consent requests
  3. Clear separation of information related to obtaining consent for data processing activities from information about other matters


Informed consent


EDPB guidelines clarify that valid consent must be informed, i.e. users must know and understand what they are consenting to.

Your website must live up to these minimum content requirements for consent to be informed –

  1. You and your website’s identity,
  2. Purpose of each of the processing operations for which consent is sought on your website,
  3. What type of data will be collected and used on your website,
  4. The existence of the right to withdraw consent,
  5. Information about the use of the data for automated decision-making,
  6. The possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards as described in Article 46.

Your information to your users must be written in clear and plain language and be easily understandable for the average person (and not only for lawyers).




Cookiebot’s cookie banner with clear and easy-to-understand text, in compliance with the EDPB guidelines on informed consent.




Withdrawal of consent


If your website relies on consent for personal data processing done by the use of cookies and trackers, you must be prepared to respect users’ choices to withdraw that consent. This is a GDPR requirement.

Users must be able to withdraw their consent just as easily as they gave it. It is actually a condition for the validity of a consent that the user has an equally easy way of withdrawing it afterwards.

Users must be able to withdraw their consent freely and without consequences, such as having their access to a website denied or experiencing a lowering of services.

All personal data processing that took place after the user consented and before the withdrawal of the consent is lawful.


Additional conditions for obtaining valid consent


The burden of proof to demonstrate user consent for personal data processing is on the website owner and/or operator.

This means that you will need to be able to demonstrate that the user has given consent to your website setting cookies and trackers that collect personal data. Documentation of consent must be securely stored.

EDPB recommends as best practice that consents should be refreshed at appropriate intervals.


Data subject's rights


Lastly, remember that your users have GDPR secured rights that you must always respect in order to be compliant.

They are –


Cookiebot and GDPR compliance


Cookiebot’s consent management platform takes care of all the GDPR compliance requirements that your website must meet, when using cookies that process personal data of users inside the EU.


Learn more about GDPR compliance

See Cookiebot’s features

See Cookiebot’s pricing plans

Take Cookiebot’s free GDPR compliance test

Try Cookiebot for free today


FAQ


What is the EDPB?

The European Data Protection Board (EDPB) is the highest supervisory body in charge of application and enforcement of the General Data Protection Regulation (GDPR) in the EU. The EDPB is comprised of representatives from the data protection authorities in each EU member state, and their main function is to adopt general guidelines and make decisions on how the GDPR is to be interpreted and enforced.

Try Cookiebot free for 30 days... or forever if you have a small website.


What do the EDPB guidelines say?

The EDPB guidelines on valid consent from May 2020 clarify what constitutes valid consent when relying on user consent for the processing of personal data, e.g. through the use of cookies and trackers on websites. The EDPB guidelines rule out the use of cookie walls (forced consent) and specify what websites must do in order to obtain a valid consent to the processing of personal data.

Test your website's compliance with Cookiebot's free GDPR compliance test


What is valid consent according to the EDPB?

EDPB guidelines 05/2020 clarify that valid consent is a freely given, informed, specific and unambiguous indication of a user’s wishes. This means that your website must give users a real choice of consent between all different cookies and trackers, prior to their activation and personal data processing. Scrolling and continued browsing on websites is not valid consent and cookie banners are not allowed to have pre-ticked checkboxes.

Learn more about GDPR compliance with Cookiebot


How can my website become GDPR compliant?

First, you must know of all cookies and trackers in operation on your website, so that you can inform users of their type, purpose, duration and provider. Secondly, you must block all cookies (apart from necessary cookies) until the users have given their clear and affirmative consent to which cookies they will allow to be activated. Thirdly, you must document all consents securely and renew them annually. Fourthly, you must make it as easy for the user to withdraw their consent as it was for them to give it in the first place.
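As an added example (not Cookiebot’s own code), the four steps above as a minimal prior-consent gate for cookie-setting scripts in JavaScript; the category names, the “necessary” exemption and the in-memory consent log are assumptions made here for illustration.

```javascript
// Added example, not Cookiebot's code: a minimal prior-consent gate that
// follows the four steps above. Category names, the "necessary" exemption
// and the in-memory consent log are constructed assumptions.
const CATEGORIES = ["preferences", "statistics", "marketing"]; // non-necessary
const RENEWAL_MS = 365 * 24 * 60 * 60 * 1000;                  // renew annually

class ConsentGate {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.decision = null;       // null: no explicit choice yet, nothing runs
    this.pending = Object.fromEntries(CATEGORIES.map((c) => [c, []]));
    this.log = [];              // proof of consent: timestamp + exact choices
  }

  // Step 2: register a loader for a cookie-setting script. Necessary cookies
  // need no consent; every other category is queued until opted in.
  register(category, loader) {
    if (category === "necessary") return loader();
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (this.decision && this.decision[category]) return loader();
    this.pending[category].push(loader);
  }

  // Only wired to the banner's buttons: scrolling or continued browsing
  // never calls this. Categories absent from `choices` default to false,
  // so nothing is "pre-ticked" and granular opt-in is the only path.
  decide(choices) {
    const decision = Object.fromEntries(CATEGORIES.map((c) => [c, choices[c] === true]));
    this.decision = decision;
    this.log.push({ at: this.now(), event: "consent", decision: { ...decision } }); // step 3
    for (const c of CATEGORIES) {
      if (!decision[c]) continue;
      const run = this.pending[c];
      this.pending[c] = [];
      run.forEach((loader) => loader());
    }
    return decision;
  }

  // Step 4: one call, as easy as consenting. Returns the categories whose
  // cookies must now be deleted; processing before this point stays lawful.
  withdraw() {
    const revoked = CATEGORIES.filter((c) => this.decision && this.decision[c]);
    this.decision = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
    this.log.push({ at: this.now(), event: "withdraw", revoked: [...revoked] });
    return revoked;
  }

  // Step 3: consent is stale once the latest record is a year or more old.
  needsRenewal() {
    const last = this.log[this.log.length - 1];
    return !last || this.now() - last.at >= RENEWAL_MS;
  }
}
```

Deleting the cookies that a revoked category already set is left to the caller, since that depends on how each script stores them.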

Read more about GDPR and cookie consent.


Resources


European Data Protection Board (EDPB)

EDPB guidelines 05/2020 on valid consent

What is the GDPR?

GDPR and cookie consent

Beyond the Front Page, a 2020 research paper of website cookies and tracking

Make your website’s use of cookies and online tracking compliant today

Try for free