European Data Protection Board Calls Out Adtech Industry Over Cookie Consent Practices

Written by: Charles R. Langhorne, IV, Esq.

As we continue to wait for the ePrivacy Regulation, the European Union is being left to govern cookie consent procedures on their own. Some individual member states are taking it upon themselves to issue guidance, while others sit back and wait. I wrote an article late last year outlining guidance issued by the United Kingdom’s ICO and France’s CNIL regarding cookie consent mechanisms, specifically, what is and is not considered valid consent under GDPR.

Now, in the latest effort to regulate cookie consent mechanisms, the European Data Protection Board (“EDPB”) has issued guidance that calls out the adtech industry for its underhanded consent collection practices as it relates to collecting personal data via cookies on websites. The guidance is updating guidance previously issued by the Article 29 Working Party (WP259.01) in April 2018. This new guidance denounces two practices in particular:

1. 1. 1. The use of take-it-or-leave-it “cookie walls” before entering a website; and

1. 1. 2. Collecting implicit consent from the user through the user’s continued browsing of a website.

This new guidance is in line with the ICO and CNIL guidances on these two points.

First, it makes it abundantly clear that putting up a “wall” that will not allow a user to view a website unless the user agrees to having cookies set “does not constitute valid consent” because it does not constitute freely given consent.

To explain the second point, the EDPB notes that using a cookie banner that says something to effect of “by continuing to browse our website you agree to our use of cookies” does not constitute valid consent under GDPR. This practice does not provide for the user to make a “clear and affirmative action” consenting to a website’s use of cookies, which is required under GDPR. In furtherance of this point, the guidance reiterates the need for valid consent to be “granular.” This means users must not only be given the opportunity to choose whether cookies are used, but also the choice of which processing actions are undertaken on their personal data. For example, that means a user must be given the opportunity to consent to cookies being used for reason A, but not for reason B.

Lastly, and possibly the most important implication of the EDPB, ICO, and CNIL guidances, is that no personal data can be collected by cookies until the user provides valid consent. This presents an operational hurdle to ensure that no webpage automatically collects cookies, even beyond a website’s homepage.

From the limited knowledge I have collected from my business and personal perusal of the internet, it seems many businesses, that are subject to GDPR, are not complying with this requirement. More often than not I am still seeing cookie banners that provide for implied consent from a user if they continue to browse the website.