In May of this year, the European Data Protection Board (EDPB) issued guidelines on consent under the General Data Protection Regulation (GDPR). Consistent with European practice (perhaps tradition at this point), the EDPB sets a high bar for valid consent to process personal data. Under Article 4(11) of the GDPR, consent must be "freely given, specific, informed and unambiguous." It must also take the form of an "unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data."
Under the GDPR, an entity that determines how and why personal data is handled (i.e. a controller) must have a justification, or "lawful basis," for processing data. Consent is just one of a handful of lawful bases that controllers can rely on. Other lawful bases include, for example, where processing of an individual's personal data is necessary for the performance of a contract with that individual, or where processing is necessary for the controller's legitimate interests and those interests are not overridden by the individual's fundamental rights and freedoms with respect to his or her data.
For the EDPB, the high consent threshold under the GDPR means (among other things) that consent should not typically be relied upon as the lawful basis to process data where the processing is necessary for the provision of services to the individual to whom the data relates, because consent cannot be freely given in this context. The rationale is that, because of the "take it or leave it" nature of the request for consent, the data subject cannot really choose not to consent without forgoing the services altogether.
Additionally, consent can only be conveyed by a clear affirmative action, meaning a specific action that is distinguishable from incidental activity, such as a specific click accept or signature. Indeed, the EDPB has stated that “actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action.”
As a result of the guidelines, we have seen immediate upheaval with respect to cookie banners. Cookies (as most readers know) are small pieces of data that a website stores in the visitor's browser and that the browser sends back with each later request to that site; they allow the site to recognize the same browser across page loads and visits, and thereby to track the user's activity on the site. Cookie banners are those banners of text on websites that provide notice that cookies are being deployed. Until recently, the prevailing practice had been to provide notice of the use of cookies along with an indication that by continuing to use the website, the user consents to all cookies.
In its recent guidelines, however, the EDPB has stated flatly that mere usage itself cannot constitute consent. This statement throws a monkey wrench into conventional cookie banner practice. The result is a still developing market correction with respect to what cookie banners are meant to accomplish, and what consents cookie banners should be soliciting.
We are beginning to see a new kind of cookie banner whereby consent is sought only for non-essential cookies, i.e. cookies that are not strictly necessary for the operation of the website, but that website operators would like to place. Classically, these non-essential cookies tend to be used for purposes like analytics and serving of advertising. Of course, because usage can never constitute consent under the recent guidelines, website operators must ensure that non-essential cookies are not set unless and until the website visitor takes an affirmative action, such as clicking a box consenting to their use. In practice this means holding back the analytics and advertising scripts themselves, not just the cookie writes, because a third-party tag typically sets its cookies the moment it loads; a banner that merely records a preference while the tags are already running has not gated anything.
But what about essential cookies, those that are necessary for the website to work at all? The emerging answer here appears to be that sites were barking up the wrong tree by seeking consent for essential cookies. If certain cookies are in fact essential for the website to work at all, then seeking consent is neither necessary nor, as the EDPB explains, appropriate. Analogously, the guidelines state that if "a controller seeks to process personal data that are in fact necessary for the performance of a contract, then consent is not the appropriate lawful basis." As a result, website operators should look to other lawful bases for processing the personal data carried by necessary cookies. Frequently relied upon lawful bases in this context would include performance of a contract (in making the website available to the website visitor) or the website operator's legitimate interests. One caveat: the requirement to obtain consent before storing cookies comes from Article 5(3) of the ePrivacy Directive rather than from the GDPR itself; that provision exempts cookies that are strictly necessary to provide a service the user has requested and otherwise relies on the GDPR's definition of consent, so the "essential" label should be applied only to cookies that genuinely meet that test.
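The two paragraphs above describe a gating policy: essential cookies are written without asking, non-essential cookies and the tags that set them are held back until an explicit "accept," and scrolling or continued browsing changes nothing. The following is an added example of that policy in code; it is not code from the original post, from the EDPB or from any banner vendor. The cookie names, categories and script URLs are assumptions made for illustration, and a Map stands in for document.cookie so the logic runs outside a browser.

```javascript
// Added example (not from the original post or any banner vendor): a consent
// gate that writes essential cookies unconditionally, refuses non-essential
// cookies and third-party tags until an explicit "accept", and ignores
// scrolling or swiping. Cookie names, categories and URLs are assumptions.

// Classification of every cookie the site may set. Anything not listed is
// treated as non-essential, so a forgotten cookie fails closed.
const COOKIE_POLICY = {
  session_id: 'essential',   // keeps the visitor logged in
  csrf_token: 'essential',   // protects state-changing requests
  _ga:        'analytics',   // hypothetical analytics cookie
  ad_id:      'advertising', // hypothetical ad-targeting cookie
};

// Third-party tags set their own cookies as soon as they run, so the
// script itself must be held back, not just the cookie writes.
const TAG_POLICY = {
  'https://analytics.example/tag.js': 'analytics',   // assumed URL
  'https://ads.example/pixel.js':     'advertising', // assumed URL
};

class ConsentGate {
  constructor(cookiePolicy = COOKIE_POLICY, tagPolicy = TAG_POLICY) {
    this.cookiePolicy = cookiePolicy;
    this.tagPolicy = tagPolicy;
    this.consented = new Set();   // non-essential categories the visitor accepted
    this.jar = new Map();         // stands in for document.cookie
    this.pendingTags = new Set(); // scripts requested before consent existed
    this.loadedTags = [];         // scripts actually injected
    this.log = [];                // audit trail of what was refused and why
  }

  categoryOf(name, policy) { return policy[name] || 'non-essential'; }

  allowed(category) {
    return category === 'essential' || this.consented.has(category);
  }

  // Only a deliberate act changes consent. Scrolling, swiping or continued
  // browsing is not "a clear affirmative action" and is ignored.
  handleEvent(event) {
    if (event.type === 'accept') {
      event.categories.forEach(c => this.consented.add(c));
      this.flushTags();
      return true;
    }
    if (event.type === 'withdraw') {
      event.categories.forEach(c => this.consented.delete(c));
      this.purge(event.categories);
      return true;
    }
    this.log.push(`ignored '${event.type}': not an affirmative action`);
    return false;
  }

  setCookie(name, value) {
    const category = this.categoryOf(name, this.cookiePolicy);
    if (!this.allowed(category)) {
      this.log.push(`blocked cookie '${name}' (${category}): no consent`);
      return false;
    }
    this.jar.set(name, value);
    return true;
  }

  // Returns true when the tag may run now; otherwise remembers it for later.
  requestTag(src) {
    const category = this.categoryOf(src, this.tagPolicy);
    if (!this.allowed(category)) {
      this.pendingTags.add(src);
      this.log.push(`deferred tag '${src}' (${category}): no consent`);
      return false;
    }
    this.loadedTags.push(src); // in a browser: append a <script> element here
    return true;
  }

  flushTags() {
    for (const src of [...this.pendingTags]) {
      if (this.requestTag(src)) this.pendingTags.delete(src);
    }
  }

  // Withdrawal must be as easy as consent, so drop the cookies as well.
  purge(categories) {
    for (const name of [...this.jar.keys()]) {
      if (categories.includes(this.categoryOf(name, this.cookiePolicy))) this.jar.delete(name);
    }
  }
}

// Walks through a page load: essential cookie first, a blocked analytics
// cookie and deferred tag, a scroll that changes nothing, then an accept.
function runDemo() {
  const gate = new ConsentGate();
  gate.setCookie('session_id', 'abc123');              // essential: written
  gate.setCookie('_ga', 'GA1.1');                      // analytics: blocked
  gate.requestTag('https://analytics.example/tag.js'); // deferred
  gate.handleEvent({ type: 'scroll' });                // ignored
  const beforeAccept = [...gate.jar.keys()];
  gate.handleEvent({ type: 'accept', categories: ['analytics'] });
  gate.setCookie('_ga', 'GA1.1');                      // now allowed
  gate.setCookie('ad_id', 'xyz');                      // still blocked
  return { beforeAccept, afterAccept: [...gate.jar.keys()],
           loaded: gate.loadedTags, log: gate.log };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runDemo(), null, 2));
}
```

In a real deployment the same gate would sit in front of the tag manager, with the consent state persisted in a cookie that is itself essential (it records the visitor's choice), and the audit log is what you would hand to a regulator or an internal reviewer to show that nothing non-essential ran before the click.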
The key takeaway here is that an update to your cookie banner is likely needed. Please feel free to reach out – we are happy to assist.
For more information, please contact Ryan Perry.