September 24, 2022

Volume XII, Number 267


EU Data Protection: Updated EDPB Guidance on Consent Clarifies the Mechanism for Cookie Consent

Approaching its second anniversary this month, the European General Data Protection Regulation (GDPR) has never been as relevant as in these unprecedented COVID-19 times. While several countries are considering the implementation of contact tracing apps, a consensus seems to have emerged that their use should be voluntary. The notion of “consent” therefore remains the cornerstone (albeit not the only one) of the European data protection framework.

In that regard, the European Data Protection Board (EDPB) issued a revised take on one of the first guidelines published by its predecessor, the WP29, in April 2018, [1] taking into consideration the difficulties encountered by the stakeholders in the operational implementation of GDPR compliance. These clarifications come at a time when discrepancies in interpreting what constitutes valid “consent” are emerging between various Member States’ Supervisory Authorities, especially as applicable to the use of cookies and other tracking technologies (together, “cookies”).

GDPR and ePrivacy: A Layered Regulation of Privacy in Europe

While GDPR has taken the world by storm, it was never meant to be the only tool to regulate data protection in Europe by 25 May 2018. That day was also the initial deadline to revise the framework of privacy in the online communication sector. Currently, this subset of data protection is governed by Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, dating back to 2002 (ePrivacy Directive). As with general data protection in a pre-GDPR era, the ePrivacy Directive has been implemented and interpreted differently by Member States. Its successor, the ePrivacy Regulation, would harmonize this sector...provided it gets adopted.

In that regard, the EDPB published a first Opinion 05/2019 on 12 March 2019 on the interplay between the ePrivacy Directive and GDPR, which highlighted the task and powers of the Member States’ Supervisory Authorities. Through such a call to action, some of these Supervisory Authorities seized the opportunity to provide their interpretation of such interplay (see the UK Information Commissioner’s Office’s (ICO) Guidance on the use of cookies and similar technologies dated 3 July 2019, as well as the French Data Protection Authority’s draft Recommendation on the practical procedures for collecting the consent concerning operations of storing or gaining access to information in the terminal equipment of a user, dated 14 January 2020, implementing its own deliberation no. 2019-093, dated 4 July 2019).

In both instances, the French and UK Supervisory Authorities reversed the position that, when required, consent to the use of cookies could be obtained through the use of so-called “soft opt-in,” or “cookie wall,” where continued browsing for information could be interpreted as valid consent.

Overturning the decades-long consensus shook industry players, who are currently challenging the Supervisory Authorities’ positions.

The EDPB therefore revised its previous guidelines on two aspects:

  • access to whole or part of an online service should not be denied if the user has not consented to the placement of cookies, as the lack of options would prevent such consent from being freely given; and

  • where consent is required for the use of cookies, the “soft opt-in” tolerance may no longer be relied on as valid consent, as the lack of formal process would neither allow the determination of the unambiguous action of the user nor offer the possibility to withdraw or defer the consent.

Amidst this fragmenting playing field, the revised guidelines from the EDPB bring some welcome clarification while waiting for the ePrivacy Regulation.

Action Items

All publishers whose websites and/or apps are accessible to a European audience should:

  • Have a clear overview of all first- and third-party cookies used on their website;

  • Assess which of these cookies are (i) strictly essential for the provision of the service, or (ii) nonessential. All analytics or geolocation should, by nature, be considered as nonessential;

  • Ensure that no cookie is dropped on the user’s terminal prior to a first layer of information;

    • This first layer of information could be a banner containing key information about (i) the identity of the publisher, (ii) the roles of the cookies, and (iii) the rights of the users;

    • A second layer of information should provide more ample information, notably relating to the cookies’ lifespans. In that regard, having a dedicated cookie policy, separate from a privacy policy, is advised;

  • When consent is required, include:

    • A graphic interface using neutral graphic designs;

    • Options not limited to (i) consenting or (ii) seeking more information but also (iii) refusal to consent and (iv) postponement of the decision;

    • Consent-gathering mechanism for each purpose; and

    • The possibility for users to withdraw their consent, which may require the deployment of a cookie-management interface;

  • Not deny access to the website merely due to the user’s refusal to consent (either by not addressing the consent request or by refusal); and

  • Document both the consent-gathering process and the actual consent-gathering action as part of GDPR’s accountability framework.

[1] Available here, which itself built upon the WP29 pre-GDPR interpretation of consent under Opinion 15/2011, dated 13 July 2011.

Copyright 2022 K & L Gates

National Law Review, Volume X, Number 132

About this Author

Claude-Étienne Armingaud, KL Gates, Paris, data protection lawyer, commercial contracts attorney

Claude-Etienne Armingaud’s practice focuses on the representation of public and private companies in the area of information technologies and intellectual property law. Mr. Armingaud provides counsel to his clients at all stages of their corporate life cycle and in wide-ranging transactions, including in connection with litigation compliance matters, intellectual property protection and development, data protection strategic operations, and other commercial contracts.

Mr. Armingaud regularly advises start-up companies in matters relating to...

Natali Adison Corporate Attorney K&L Gates Brussels, Belgium
Junior Attorney

Natali Adison is an attorney at the firm’s Brussels office. She is a member of the corporate/M&A and commercial technology and sourcing practice group.

Her practice relies on extensive experience in understanding the fast moving environment of corporations and their technological and structural processes, allowing her to provide innovative advice on a wide range of complex commercial contracts and transactions of the firm’s clients, during all stages of their growth.

Natali is an experienced litigator. She advises clients active in the technology, retail, healthcare and...

Alessandra Feller, KL Gates, Milan, information technology lawyer, industrial and intellectual property attorney

Alessandra Feller is an associate in the firm’s Milan office. She concentrates her practice on corporate law, information technology, industrial and intellectual property. 

She also acquired extensive experience in assisting Italian and foreign clients on commercial agreements, especially in the software industry.

Noirin M. McFadden, KLGates, trade mark licensing lawyer, distribution agreements attorney

Nóirín McFadden is an associate in the firm’s London office. She concentrates her practice on Intellectual Property, Technology and Commercial matters. Nóirín has experience in data and trade mark licensing and in distribution agreements and has also worked on a range of technology matters including software licensing and online agreements. Nóirín advises on wide-ranging data protection issues, including data transfers.

Dr Thomas Nietsch Cybersecurity Attorney K&L Gates Law Firm

Thomas Nietsch is an associate in the K&L Gates Berlin office focused on IT, data protection, e-commerce and open source software law. He works with big data, block chain, cloud computing and other digital economy business models and advises clients in technology M&A transactions, negotiation of complex IT and software licensing and cooperation agreements, data protection compliance matters and data use and sharing structure.
