12 May European Data Protection Board Calls Out Adtech Industry Over Cookie Consent Practices
Written by: Charles R. Langhorne, IV, Esq.
As we continue to wait for the ePrivacy Regulation, the European Union is being left to govern cookie consent procedures on their own. Some individual member states are taking it upon themselves to issue guidance, while others sit back and wait. I wrote an article late last year outlining guidance issued by the United Kingdom’s ICO and France’s CNIL regarding cookie consent mechanisms, specifically, what is and is not considered valid consent under GDPR.
Now, in the latest effort to regulate cookie consent mechanisms, the European Data Protection Board (“EDPB”) has issued guidance that calls out the adtech industry for its underhanded consent collection practices as it relates to collecting personal data via cookies on websites. The guidance is updating guidance previously issued by the Article 29 Working Party (WP259.01) in April 2018. This new guidance denounces two practices in particular:
- The use of take-it-or-leave-it “cookie walls” before entering a website; and
- Collecting implicit consent from the user through the user’s continued browsing of a website.
This new guidance is in line with the ICO and CNIL guidances on these two points.
First, it makes it abundantly clear that putting up a “wall” that will not allow a user to view a website unless the user agrees to having cookies set “does not constitute valid consent” because it does not constitute freely given consent.
Lastly, and possibly the most important implication of the EDPB, ICO, and CNIL guidances, is that no personal data can be collected by cookies until the user provides valid consent. This presents an operational hurdle to ensure that no webpage automatically collects cookies, even beyond a website’s homepage.
From the limited knowledge I have collected from my business and personal perusal of the internet, it seems many businesses, that are subject to GDPR, are not complying with this requirement. More often than not I am still seeing cookie banners that provide for implied consent from a user if they continue to browse the website.