There is no ‘cookie-cutter’ approach to obtaining consent…

On 4 May 2020, the European Data Protection Board (EDPB) issued guidance which acts as a helpful reminder of the standard of consent required under the General Data Protection Regulation 2016/679 (GDPR) (the “Guidance”).

Consent is one lawful basis on which a controller can rely to collect and process personal data. The GDPR requires consent to be “freely given, specific, informed and unambiguous” (the “consent requirements”), with the aim of putting the data subject in control of how their personal data is used.

What does the Guidance say?

Not only does the Guidance provide clarity on how to meet the four consent requirements, it also reiterates the need to capture adequate consent prior to setting website cookies.

The EDPB warns of scenarios where the control afforded to data subjects by the GDPR is in fact illusory, because the chosen consent mechanism fails to meet the consent requirements.

• Conditionality
  The Guidance makes it clear that consent will not be freely given if a data subject is required to provide consent in order to gain access to certain services or content. Where access is made conditional in this way, it is clear that the consent does not constitute genuine free choice – the data subject is incentivised to consent.
  
  The EDPB uses the example of a “cookie wall”, where a user is required to accept the use of non-essential cookies on their device before being allowed access to content.
  
  A user must be free to access a website or application’s full functionality, regardless of whether they have agreed to the use of non-essential cookies.

• Granularity
  The Guidance further explains that consent will not be deemed to be freely given if the consent request bundles together various purposes for which the personal data is processed.
  
  To provide true freedom of choice each processing purpose should be presented separately, with data subjects asked to provide consent for each.

• Detriment
  It must also be possible to show that there will not be any negative implications for a data subject if they do not provide their consent, or if they later withdraw their consent.
  
  To demonstrate an unacceptable detriment, the EDPB uses the example of a mobile app which works in a reduced way if a user does not consent to app-activity analysis.

The position conveyed by the Guidance is not new, however the EDPB has taken the opportunity to clarify the position with the aim of achieving consistency of approach across all European Union member states.

What does this mean for cookie consent mechanisms?

As a starting point, the EDPB has explicitly stated that a “cookie wall” which requires a user to accept non-essential cookies in order to access content, will fail to demonstrate the necessary freely given consent.

It is also clear that a standardised cookie banner, which contains a general request for consent to set cookies, will fail to capture freely given consent. The consent request should separately address each purpose for which cookies are used and allow data subjects to consent to some, all or none of the processing purposes.

There is not a one-size-fits-all approach. When implementing a cookie banner it is important to engage with the team or third party tasked with setting cookies on a website or application, to explore specifically what personal data is being captured and why.  

What about cookies that are strictly necessary for a website or application to operate?

The Privacy and Electronic Communications Regulations (PECR) operate alongside the GDPR and the Data Protection Act 2018 to govern the use of cookies on electronic devices. PECR provides an exemption for “strictly necessary” cookies. The exemption means that there is no requirement to obtain consent prior to setting a strictly necessary cookie.

That said, it is important to consider the following:

• Essential or just reasonably necessary?
  The “strictly necessary” exemption is a narrow one and will only apply where the use of the cookie is essential for something to function. A commonly used example is the cookies used by online retailers to allow a website to remember what items have been added to an online shopping basket.
  
  
• Essential for the services requested by the data subject?
  A common misconception is that a cookie can be considered strictly necessary if it is essential to provide a function intended by the controller setting the cookie. This is not the case, the cookie must be essential to deliver the services requested by the user.
  
  
• Transparency
  To comply with the requirements of the GDPR, controllers should still ensure that they communicate comprehensive information about the use of any strictly necessary cookies. One method of conveying this information is via a sufficiently detailed cookie policy.  

Takeaways

The EDPB has emphasised that it is the responsibility of those collecting personal data via cookies to innovate and create ways of prioritising the free choice of data subjects.

Where companies want to utilise cookies and other similar technologies to gain a better understanding of user and customer engagement, they will be required to move away from standardised consent mechanisms in order to achieve the required transparency and granularity.

In light of the recent increase in online activity and e-commerce, especially due to the social distancing measures in place, now is a great time for businesses to ensure that their online offering is fully compliant with applicable privacy legislation.

Can we help?

If you require any assistance in relation to your cookie consent mechanisms or cookie policies, please contact Hannah Pettit or the Data Protection Team.