July 11, 2020

Volume X, Number 193

EDPB Issues Updated Consent Guidelines While German Federal Supreme Court Follows Planet49 Decision

EDPB says that cookie walls require a tracking-free alternative (not necessarily free of charge) – and the German Federal Supreme Court rules against opt-out consent for tracking cookies under German law 

Introduction

In 2019, various EU member states issued guidance as to whether opt-in consent is necessary for non-essential cookies, with some guidance suggesting opt-in consent was required and other guidance noting it was unnecessary – at least in certain situations. As a result, some organizations struggle to understand the steps they must take to ensure their use of non-essential cookies (i.e., cookies and similar tracking technologies that are not strictly necessary for a website to function in the way the site visitor reasonably expects) complies with the applicable law. In May 2020 the European Data Protection Board (EDPB) and the German Federal Supreme Court provided further clarification on this topic.

On May 28, the German Federal Supreme Court held that opt-out consent for cookies used for the creation of user profiles for advertising purposes will not be considered effective. Relying on the European Court of Justice’s October 2019 Planet49 decision that a pre-ticked box would not constitute valid consent under the General Data Protection Regulation (GDPR), the German Court ended any future reliance on a provision in the German Telemedia Act, which was largely interpreted as allowing for opt-out consent.

EDPB Consent-Related Questions

Earlier in May, the EDPB adopted ‘Guidelines 05/2020 on consent under Regulation 2016/679’, updating its earlier-approved guidelines and providing practical guidance in relation to what constitutes proper consent. These Guidelines offer some clarity as to satisfying consent standards when users access website services.

The EDPB identified the need for clarification on the following two questions:

  1. Is it possible for an individual to validly consent when confronted with a so-called “cookie wall”?
  2. Can valid consent be expressed by simply continuing to browse / use the website?

While the EDPB answered both questions in the negative, there are exceptions to this strict interpretation.

ePrivacy and Standards of Consent

The need for consent for the use of non-essential website cookies derives from the so-called “ePrivacy Directive.” The Directive, which each EU Member State has implemented into national law, sets forth that storing or accessing information on a user’s equipment is only allowed on the condition that the user receives sufficient notice and provides consent to such activity.

The standard of “consent” needed for ePrivacy purposes is the same as is required by the GDPR’s definition of consent, meaning it must be a freely given, specific, informed, and unambiguous indication of a data subject’s intent to agree by a statement or clear affirmative action to that effect. It is the data controller’s responsibility to be able to demonstrate that consent was validly gained, and failure to prove valid consent can result in fines. Since May 2018, when the GDPR started to be enforced, non-compliant cookie consent is of greater concern to organizations since the potential fines under the GDPR far exceed those previously faced by organizations under member states’ ePrivacy laws.

KEY EDPB FINDINGS

Consent Is Not Freely Given with Cookie Walls

In the Guidelines, the EDPB expressly states that with “cookie walls” – the practice whereby access to a website’s content is blocked and made conditional on the user consenting to the storing/accessing of cookies on the user’s browser – consent is not truly freely given and therefore is not valid (Guidelines at para. 39).

The EDPB’s opinion on cookie walls is limited in the following two ways:

  • First, it does not apply to cookies for which consent is not required (e.g., those which are strictly necessary for the provision of the service).
  • Second, it only applies if there is no other option to access content behind the cookie wall – meaning a data subject cannot access the information on that specific website in any other way unless the data subject provides consent. The EDPB acknowledges that consent may be valid if and as long as the same organization offers two genuinely equivalent services, allowing the user to choose between the one which processes personal data for additional purposes (while requiring the user’s consent), and the other, available without such additional processing (without requiring consent).

This could be interpreted to mean that cookie walls may be acceptable if a paid but tracking-free version of the service is offered. This view is expressly supported by the German Federal Data Protection Supervisor in his comment to the Guidelines, in which he suggested that “privacy-friendly alternatives” to all-or-nothing consent approaches may avoid violation of the GDPR.

Continued Browsing Does Not Constitute Consent

The EDPB also notes that a data subject’s mere continued browsing is not enough to constitute consent: whereas physical motions may be explicitly determined to signify consent, merely continuing the ordinary use of a website does not, since such actions are difficult to distinguish (Guidelines at para. 86).

What may be enough, as the Spanish data protection authority elaborated in its guidelines on cookies, is to attribute a meaning to specific positive user actions if such interpretation is unambiguously and clearly explained to the user beforehand (e.g., if you send us an email or if you click on specific content of our website, this may be deemed consent to our use of tracking tools).

It should, however, be noted that withdrawal of consent should in any case (i) be possible without detriment for the user (e.g., a service downgrade), and (ii) be as easy to effectuate as it was to provide consent.

Refreshed Consent Required

Whereas the law does not specify the duration for which a data subject’s consent will last, the EDPB requires that consent should be refreshed in “appropriate intervals” in light of the context, the scope of the original consent, and the expectations of the data subject (Guidelines at para. 110).

Demonstrating Valid Consent

When designing processes for obtaining consent, organizations should consider their accountability obligations in demonstrating compliance with the requirements under the GDPR. In the online context, the EDPB points out that organizations should consider retaining:

  • information on the session in which consent was expressed together with documentation of the consent workflow at the time; and

  • a copy of the information presented to the user.

Final Note

Although the Guidelines are not binding, the Guidelines and the German ruling will enhance the uniform interpretation of consent for ePrivacy and GDPR purposes. Grey areas remain and may be addressed in future rulings and with the eventual adoption of an ePrivacy Regulation, which is still working its way through the EU legislative process.

©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 154

About this Author

Dr. Johanna Hofmann
Associate

Johanna Hofmann advises German and international companies and groups of companies on all questions of data protection and IT security law. The focus of her work is on the data protection-compliant structuring of existing and future business relationships, both on a national and international level. Her interests lie in particular in the fields of cloud computing, data protection certification and data security management. Through long-term secondments at a German group of companies and at the German subsidiary of a US-American technology group, Johanna has gained deep insights...

49 30.700.171.291
Gretchen A. Ramos
Shareholder

Gretchen A. Ramos is Co-Chair of the Data, Privacy & Cybersecurity Practice and focuses her practice on privacy, cybersecurity, and information management. A creative problem-solver with a long track record of success in commercial disputes, she never loses sight of the simple fact that she works in a service industry. Clients appreciate not only her legal skills, but also her direct, no-nonsense approach to client service, including her bullet-pointed emails, snapshot executive summaries, and creativity in finding ways to streamline communications for in-house counsel with dozens of other projects—and little time—on their hands.

Gretchen’s clients come from diverse industries, including technology (SaaS), health care and life sciences, consumer products, manufacturing, academic institutions, and non-profits. She provides clients with practical business advice on compliance with state and federal U.S. laws, GDPR, APEC, and other global privacy laws in relation to their external and internal privacy and security procedures, product and app development, and advertising practices. Gretchen also regularly drafts and negotiates contracts concerning data-related vendors, assists clients in assessing privacy risks in corporate transactions, and provides guidance on and conducts privacy and security assessments. She has managed dozens of data breaches, and helps clients prepare for and immediately respond to security incidents and breaches.

Gretchen works closely with her clients to manage data and leverage its value in ways to meet compliance obligations as well as deliver value to the business and instill consumer trust. Her experience working with various industries allows her to quickly assess options and risks, and guide clients, including numerous genomic data companies, in resolving complicated privacy issues.

Gretchen has litigated, mediated, and arbitrated commercial disputes, including class actions, at state and federal courts nationwide, and has tried numerous cases to verdict. Her wide-ranging litigation background allows her to advise clients on the litigation risks they face in determining how to handle data privacy issues. In addition to providing compliance advice, Gretchen defends companies facing FTC and other regulatory investigations, and individual and class action claims involving privacy, information security, and consumer protection.

Concentrations

  • EU GDPR compliance

  • Cross-border transfer mechanisms (Standard Contractual Clauses, Privacy Shield, Binding Corporate Rules), and data processing agreements

  • FTC CIDs, State Attorney General investigations

  • Behavioral advertising, automated processing and profiling

  • Security breach response and notification

  • DPIAs and addressing complicated privacy issues relating to product development

  • COPPA, HIPAA, TCPA, PCI-DSS, CAN-SPAM

  • Privacy and security gap assessments

415.655.1319
Carsten Kociok
Counsel

Carsten Kociok focuses his practice on the technology, media and telecommunications industries. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from the Internet, payments and technology industries on the commercial and regulatory side of their business, in particular in the areas of e-commerce and e-business, electronic and mobile payments, service distribution,...

490-30700-171119
Of Counsel

Darren J. Abernethy is a data privacy attorney with more than a decade of experience, including in private practice in Washington, D.C. and as in-house counsel at startups and a leading privacy technology vendor. He advises clients on matters related to advertising technology, privacy and data governance, and FTC best practices.

Darren focuses on the California Consumer Privacy Act (CCPA), the European Union General Data Protection Regulation (GDPR)/ePrivacy, digital advertising, direct marketing, and product counseling.

415-655-1261