GDPR Update: Cookies, new consent guidance and what’s on the horizon

As the General Data Protection Regulation (GDPR) approaches its second anniversary, organizations are eagerly awaiting a report by the European Commissioner – set to be released on May 25th – evaluating the law’s progress. Why so much interest? The report could potentially be a springboard for changes or reforms.

Nearly two years on, the marketing community is still adapting to the law’s ambiguities, particularly in relation to consent and cookies. Here are the latest updates, and their implications for Canadian organizations.

Continued delay of the ePrivacy regulation

Since the GDPR came into force on May 25, 2018, marketers have been waiting for the new ePrivacy Regulation (set to replace the current ePrivacy Directive), a companion regulation to the GDPR covering the processing of personal information for electronic communication, including cookie usage.

The current ePrivacy Directive specifies that users must give opt-in consent before cookies are used, with a limited exception for ‘strictly necessary’ cookies. By contrast, under Canadian privacy rules, opt-out consent is considered reasonable if certain conditions are met.

Once adopted, the ePrivacy Regulation will apply uniformly across the EU. By contrast, the existing ePrivacy Directive is only enforced by EU member states who have incorporated it into national law. This fragmented landscape has led to discrepancies in interpretations among the privacy regulators of EU member states – known as the national Data Protection Authorities (DPAs) – on what constitutes “valid” consent, especially when it comes to the use of cookies. As European legislators struggle to reach a consensus, (a draft of the ePrivacy Regulation was voted down in late 2019), implementation of the new regulation could be at least a year off.

Updated guidelines around online consent provide further clarity

On May 6th, the European Data Protection Board (EDPB) updated its guidelines on the rules around online consent. The guidance is intended to ensure a more uniform interpretation of the law by DPAs. The guidelines also provide an indication of the trajectory of cookie regulation as we wait for the ePrivacy Regulation.

Here’s a quick refresher on consent under the GDPR: Consent is one of the six legal bases for organizations to process personal information under the GDPR. For consent to be valid, it must meet certain requirements. It needs to be “freely given, specific, informed and unambiguous”, and individuals must have an opportunity to state their wishes through a statement or clear and affirmative action prior to the collection and processing of their personal data.

If you work for a Canadian organization whose websites or apps are accessible to a European audience, the updated guidelines contain two key clarifications you should be aware of.

“Cookie walls” not considered valid consent
The guidance specifies that you shouldn’t make access to your website’s content dependent on visitors agreeing that you can process their data via a cookie consent wall. Instead of instructing visitors to agree to your terms in order to view the content, you need to offer them a genuine (and therefore “freely given”) choice to either accept or deny cookies. They should have the option to reject cookies and still be able to access the website, unless the cookies are strictly necessary. 

“Scrolling” not considered valid consent
The guidance states that: “actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action.” If a user is scrolling on your website or digital service, you can’t interpret this as consent because it’s not “unambiguous”. To make that point clear, the EDPB outlined the opposite affirmative action. If scrolling down on a page could be considered a signal of consent, could it then be withdrawn by scrolling up? The answer is no: it’s just random online activity.

What does this mean for compliance?

The EDPB guidance follows a decision in late 2019 by Europe’s highest court, which concluded that organizations can’t rely on pre-checked consent boxes for dropping non-essential cookies, including tracking cookies for targeted advertising. The Court ruled that for consent to be valid, it must be obtained prior to storing or accessing non-essential cookies. Since national courts and DPAs across the EU will need to follow the Court’s interpretation in their own rulings, and given GDPR fines can scale as high as €20M or 4% of global annual turnover, many organizations have already made changes to their cookie policies.

This court decision, coupled with the recent EDPB guidance, are likely to influence the ongoing reform of ePrivacy rules. When it comes to dealing with EU data subjects, forward-looking companies should weigh the risks of non-compliance against the benefits of rethinking their overall cookie strategies.

At the same time, industry continues to raise its voice with EU policymakers to champion a balanced approach, one that supports healthy data-exchange and provides consumers with the relevance and personalization they want and need.

The CMA is committed to keeping you updated as developments occur, so check out our website.