EDPB draws tougher line on cookies, consent

Now is the time to revisit your cookie practices

On May 4, 2020, the European Data Protection Board (EDPB), the EU body charged with ensuring that the General Data Protection Regulation (GDPR) is applied consistently across member states, published updated guidelines on consent that add clarification and restrictions on the use of cookies. The guidelines are not themselves law, but they set out how the EDPB expects the GDPR's consent requirements to be read, and the national data protection authorities that enforce the GDPR are expected to follow them.

Given the number of digital complexities organizations must manage today, from shifting to a work-from-home environment to increased online traffic, there is heightened focus on digital marketing practices. Many organizations rely heavily on cookies to extend their digital footprint and learn their consumers' behavior. These cookie practices have come under increased scrutiny, forcing organizations to adopt a more privacy-centric digital strategy. Understanding the new EDPB guidelines is therefore important.

Clarifications under the EDPB Guidelines
  • Cookie Walls: The term "cookie wall" refers to the practice of denying partial or complete use of a website unless the user accepts cookies, including non-essential ones. It removes any choice to refuse marketing cookies while still using the website as intended. In practice, an organization may deploy a script that hides page content until the user accepts all cookies. The new guidelines clarify that consent obtained this way is not "freely given" under the GDPR: access to the site is made conditional on accepting cookies the site does not need, so the user has no genuine choice and the consent is invalid.
  • Unambiguous Indication of Wishes: The GDPR defines an "unambiguous indication of wishes" as a "clear affirmative act, signifying agreement to the processing of personal data." For example, actively ticking an unticked box labelled "I consent" is a clear affirmative act. The new guidelines make explicit that so-called "scrolling consent" does not qualify: scrolling or swiping through a web page, or simply continuing to browse, cannot be distinguished from ordinary use of the site and may happen unintentionally, so it is neither informed nor unambiguous and does not constitute valid consent.
  • Click Fatigue: The term "click fatigue" describes the fatigue users feel when confronted with repeated consent requests as they browse. The guidelines note that this erodes the warning effect of consent mechanisms: users worn down by prompts stop reading them and are, in practice, no longer transparently informed of how their data is collected, used or shared. The organization remains responsible for designing its consent process so that it minimizes confusion and still yields meaningful, valid consent.
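As an added example (not code from the article or from the EDPB), the following JavaScript sketches a consent gate that applies the three points above: non-essential cookies and scripts are blocked until an explicit click records a choice, scrolling or dismissing the banner never counts as consent, withdrawing is a single call, and page content is never withheld. A second class shows the cookie-wall pattern for contrast. All names, categories and script URLs are assumptions made for the example; no real vendor endpoints are referenced.

```javascript
// Constructed example, not the article's or any vendor's code.
// Cookies the site cannot function without; these need no consent.
const ESSENTIAL_COOKIES = new Set(["session_id", "csrf_token"]);

// Non-essential categories mapped to the third-party scripts each would
// load. The URLs are placeholders, not real services.
const CATEGORY_SCRIPTS = {
  analytics: ["https://analytics.example/tag.js"],
  advertising: ["https://ads.example/pixel.js"],
};

class ConsentGate {
  constructor() {
    // No decision yet: every non-essential category defaults to off.
    this.decided = false;
    this.granted = { analytics: false, advertising: false };
    this.events = []; // audit trail of how each decision was obtained
  }

  // The only way to grant consent is an explicit click on a banner control.
  // Anything else ("scroll", "timeout", "dismiss") is logged and ignored,
  // so scrolling past the banner never turns into consent.
  record(source, choice) {
    if (source !== "click") {
      this.events.push({ source, ignored: true });
      return false;
    }
    this.granted = {
      analytics: choice.analytics === true,
      advertising: choice.advertising === true,
    };
    this.decided = true;
    this.events.push({ source, granted: { ...this.granted } });
    return true;
  }

  // Withdrawal must be as easy as giving consent: one call clears it all.
  withdraw() {
    this.granted = { analytics: false, advertising: false };
    this.events.push({ source: "withdraw" });
  }

  // Content is never withheld pending a decision: this is not a cookie wall.
  contentVisible() {
    return true;
  }

  // Whether a cookie may be set. Labelling a cookie "essential" is not
  // enough; it must be on the allow-list. Others need a recorded grant.
  mayDrop(name, category) {
    if (category === "essential") return ESSENTIAL_COOKIES.has(name);
    return this.decided && this.granted[category] === true;
  }

  // Third-party scripts that may be injected given the current state.
  scriptsToLoad() {
    return Object.entries(CATEGORY_SCRIPTS)
      .filter(([category]) => this.granted[category])
      .flatMap(([, urls]) => urls);
  }
}

// For contrast, the pattern the guidelines call a cookie wall: the same
// gate, but page content stays hidden until every category is accepted.
class CookieWall extends ConsentGate {
  contentVisible() {
    return this.granted.analytics && this.granted.advertising;
  }
}
```

In a real deployment the banner's buttons would call `record("click", ...)`, the cookie-setting and script-injection code would consult `mayDrop` and `scriptsToLoad` before acting, and `events` would be persisted as the evidence of how consent was obtained.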

5 steps to review your cookie practices

The threat of hefty fines, in a market still adapting to change and awaiting further legal guidance, is daunting. But there are leading practices that address these risks while improving the user experience and strengthening privacy rights. Take these five steps to review your cookie practices and passive collection of data in light of the recent EDPB guidance:

  1. Evaluate your approach: If your organization sets cookies on individual users, disclose the non-essential cookies in use, such as analytics or advertising cookies, obtain opt-in consent before setting them, and make withdrawing that consent as easy as giving it.
  2. Increase transparency of information handling: Communicate clearly and accurately so individuals understand which types of cookies are set, how the resulting data is processed and with whom it is shared, and how to withdraw consent.
  3. Develop robust documentation of cookie activities: Build an inventory of every cookie in use, including third-party cookies, and work with the owners of those vendor relationships to tighten data processing restrictions where possible. Audit the inventory regularly to confirm that what is actually set and shared still matches what has been disclosed and agreed.
  4. Look to automation: Consider automating and centralizing consent management. Tools exist that will discover and track cookies across your websites and simplify their management. This can support audit functionality and provide real-time insight into data sharing and marketing practices.
  5. Balance business needs and individual consent: When building future operating models, embed privacy considerations proactively rather than reactively. Balancing privacy principles against revenue-generating operations can be challenging, but real-world enforcement cases and the new regulatory guidance show that privacy-focused design is fundamental to both compliance and innovation.

What's next?

Although the ePrivacy Regulation stalled in the Council last fall, Data Protection Authorities (DPAs) have been launching their own initiatives and levying fines against organizations whose cookie activities are inconsistent with the GDPR's consent requirements. In 2019, the European Court of Justice held in the Planet49 case that setting cookies requires active consent, so a pre-ticked box does not suffice. In early 2020, both France and Ireland weighed in. France's DPA opened a public consultation on cookies, with its own recommendations for consent and the use of cookies and tracers. Ireland's DPA released new guidance on cookies and indicated that enforcement actions will begin in October 2020. Even in the absence of a single, consistent regulation, cookies remain a target for misuse and for fines.

This move from the EDPB is a further indication that privacy and digital marketing practices need to evolve together, despite the inevitable growing pains. DPAs expect organizations to be transparent and forthcoming when obtaining consent and setting tracking cookies. While these guidelines apply to organizations processing EU users' data, how long will it take for US states or a federal regulation to join the conversation and require a similar level of cookie consent? It may be time to revisit your cookie practices to meet a higher standard of transparency and consent.

Lindsay Hohler
Cyber Risk

Ariana Davis
Senior Manager
Cyber Risk

Eric Paulson
Cyber Risk