Clarifications under the EDPB Guidelines
5 steps to review your cookie practices
- Cookie Walls: The term “Cookie Walls” refers to the practice of denying the partial or complete use of a website without the user’s acceptance of cookies, including non-essential cookies. It removes the user’s choice to decline marketing-based cookies while still using the website as intended. In practice, an organization may place a script that blocks content from being visible until a user accepts the use of all cookies. The new guidelines have clarified that this is in violation of the GDPR as the consent is conditional – that is, the organization only allows the user to visit their website under the condition that the user accepts all cookies. This practice renders consent invalid as the user is not presented with adequate choice.
- Unambiguous Indication of Wishes: The phrase “unambiguous indication of wishes” is defined by a “clear affirmative act, signifying agreement to the processing of personal data” in relation to an individual. For example, by actively ticking the pop-up box confirming, “I consent,” the user is able to provide a “clear affirmative act” to the use of their personal data. However, the new guidelines place restrictions on the use of affirmative consent via the method of “scrolling consent.” That is, scrolling through pages of a pop-up box defeats the purpose of informed and unambiguous consent because the user may scroll through the confirmation-box unintentionally, rendering their consent inadequate.
- Click Fatigue: The term “click fatigue” reflects the fatigue a user feels when presented with multiple consent requests upon visiting a website. Here, the guidelines address the diminishing effect of consent as users, in practice, are not transparently informed of the collection, use or sharing of their data. In this case, the organization is responsible for minimizing user confusion when designing their process to obtain meaningful, valid consent.
The threat of hefty fines and further legal guidance in a market already adapting to change is daunting. But there are leading practices to address these risks that can improve the user experience and enhance privacy rights. Take these five steps to review your cookie practices and passive collection of data in light of the recent EDPB guidance:
- Evaluate your approach: If your organization relies on the collection of individual user cookies, you should disclose the use of non-essential cookies, such as analytics or advertising cookies, on your site and provide individuals with the opportunity to opt-out.
- Increase transparency of information handling: Provide clear and accurate communication to individuals to help them understand the different types of cookies collected, how they are processed, and how to opt out from the organization collecting their data.
- Develop robust documentation of cookie activities: Develop an inventory of all cookies that are in use and work with the owners of those relationships to enhance data processing restrictions, where possible. Regularly audit these processes to ensure continued adherence to the stated relationship and sharing of data.
- Look to automation: In an increasingly digital world, organizations may consider automation and centralizing their consent management process. Tools exist that will track, find and simplify the management process of cookies across your websites. This may support audit functionality and create real-time insights into data sharing and marketing practices.
- Balance business needs and individual consent: In building future-state operating models, embed privacy considerations proactively rather than reactively into your strategy. Balancing privacy principles against revenue-generating operations can be challenging. However, as we observe real-world cases and new regulatory guidelines, innovation with a focus on privacy is fundamental to your compliance and innovation journey.
This move from the EDPB is a further indication that privacy and digital marketing practices need to evolve together despite the inevitable growing pains. DPAs expect that organizations be transparent and forthcoming when obtaining consent and tracking cookies. While these guidelines are specific to organizations collecting EU user data, how long will it take for US states or a federal regulation to actively join the conversation and begin requiring a similar level of cookie consent? It may be time to revisit your cookie practices to meet a higher standard of transparency and consent.