Approaching its second anniversary this month, the European General Data Protection Regulation (GDPR) has never been as relevant as in these unprecedented COVID-19 times. While several countries are considering the implementation of contact tracing apps, a consensus has seemed to surface on subjecting their use to a voluntary basis. The notion of “consent” remains therefore the cornerstone (albeit not the only one) of the European data protection framework.

In that regard, the European Data Protection Board (EDPB) issued a revised take on one of the first guidelines published by its predecessor, the WP29, in April 2018 (available here, which itself built upon the WP29 pre-GDPR interpretation of consent under Opinion 15/2011, dated 13 July 2011), taking into consideration the difficulties encountered by the stakeholders in the operational implementation of GDPR compliance. These clarifications come at a time where discrepancies in interpreting what constitutes valid “consent” emerge between various Member States’ Supervisory Authorities, especially as applicable to the use of cookies and other tracking technologies (together, “cookies”).

GDPR and ePrivacy: A layered regulation of privacy in Europe

While GDPR has taken the world by storm, it was never meant to be the only tool to regulate data protection in Europe by 25 May 2018. That day was also the initial deadline to revise the framework of privacy in the online communication sector. Currently, this subset of data protection is governed by Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, dating back to 2002 (ePrivacy Directive). As with general data protection in a pre-GDPR era, the ePrivacy Directive has been implemented and interpreted differently by Member States. Its successor, the ePrivacy Regulation, would harmonize this sector … provided it gets adopted.

In that regard, the EDPB published a first Opinion 05/2019 on 12 March 2019 on the interplay between the ePrivacy Directive and GDPR, which highlighted the task and powers of the Member States’ Supervisory Authorities. Through such a call to action, some of these Supervisory Authorities seized the opportunity to provide their interpretation of such interplay (see the UK Information Commissioner’s Office’s (ICO) Guidance on the use of cookies and similar technologies dated 3 July 2019, as well as French Data Protection Authority’s draft Recommendation on the practical procedures for collecting the consent concerning operations of storing or gaining access to information in the terminal equipment of a user, dated 14 January 2020, implementing its own deliberation no.2019-093, dated 4 July 2019).

In both instances, the French and UK Supervisory Authorities reversed the position that, when required, consent to the use of cookies could be obtained through the use of so-called “soft opt-in,” or “cookie wall,” where continued browsing for information could be interpreted as valid consent.

Overturning the decades-long consensus shook industry players who are currently challenging the Supervisory Authorities positions.

The EDPB therefore revised its previous guidelines on two aspects:

• access to whole or part of an online service should not be denied if the user has not consented to the placement of cookies, as the lack of options would prevent such consent from being freely given; and
• where consent is required for the use of cookies, the “soft opt-in” tolerance may no longer be relied on as valid consent, as the lack of formal process would neither allow the determination of the unambiguous action of the user nor offer the possibility to withdraw or differ the consent.

Amidst this fragmenting playing field, the revised guidelines from the EDPB bring some welcome clarification while waiting for the ePrivacy Regulation.

Action items

All publishers whose websites and/or apps are accessible to a European audience should:

• Have a clear overview of all first- and third-party cookies used on their website;
• Assess which of these cookies are (i) strictly essential for the provision of the service, or (ii) nonessential. All analytics or geolocation should, by nature, be considered as nonessential;
• Ensure that no cookie is dropped on the user’s terminal prior to a first layer of information;
• This first layer of information could be a banner containing key information about (i) the identity of the publisher, (ii) the roles of the cookies, and (iii) the rights of the users;
• A second layer of information should provide more ample information, notably relating to the cookies’ lifespans. In that regard, having a dedicated cookie policy, separate from a privacy policy, is advised;
• When consent is required, include;
  • A graphic interface using neutral graphic designs;
  • Options not limited to (i) consenting or (ii) seeking more information, but also include (iii) refusal to consent and (iv) postponement of the decision;
  • Consent-gathering mechanism for each purpose; and
  • The possibility of users to withdraw their consent, which may require the deployment of a cookie-management interface;
• Access to the website should not be denied merely due to the user’s refusal to consent (either by not addressing the consent request or by refusal); and
• Document both the consent-gathering process and the actual consent-gathering action as part of GDPR’s accountability framework.

K&L Gates global data protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your online communication.

First Publication: K&L Gates with Natali Adison, Alessandra Feller, Noirin McFadden, Thomas Nietsch