The European data protection board clarifies its position in a new set of guidelines

On May 18, 2020 By Isabelle GAVANON

Published in DALLOZ ACTUALITES on May 15, 2020.

In its guidelines dated 4 May 2020, the European Data Protection Board (EDPB), which gathers the regulatory authorities of all Member States, provided clarification in order to unify practices regarding the use of cookies within the European Union.

Although in high demand in the context of the Covid-19 pandemic, particularly with regard to mobile contact tracing apps, the EDPB has not been neglecting other work in progress, as evidenced by the adoption of guidelines 05/2020 on consent, which constitute a slightly modified version of those adopted on 10 April 2018 (WP259). This new set of guidelines responds to a need to clarify a matter of paramount importance for online editors and content providers: the user's consent to the use of cookies on his or her terminal equipment.

Two issues in particular caught the attention of the EDPB, both in relation to the validity of consent, either in the presence of a “cookie wall” or when the user keeps browsing/scrolling on a webpage.

Apart from the EDPB (I), some national authorities have already expressed their views on these common but nevertheless contested practices, such as the French regulatory authority, i.e. the CNIL (II), while the e-privacy regulation is still under discussion (III).

I.     THE EDPB REAFFIRMS CONSENT REQUIREMENTS FOR COOKIES

This revised version of the guidelines does not illustrate a shift regarding the EDPB’s views on cookies, but only aims at making more explicit a position it had already taken back in the 2018 guidelines with respect to the need to obtain real consent, notably free and unambiguous, for the use of cookies.

Firstly, with regard to “cookie walls”[1], i.e. banners that prevent users from accessing the desired service unless they give consent to all cookies, including those for advertising purposes, the EDPB states that

“in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user”[2],

a principle it had already laid out in a “Statement on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications” published on 25 May 2018.

Thus, making access to a site dependent on clicking on an “Accept Cookies” button shall be prohibited as it does not present any option to the user, who is obliged to click if he or she wishes to keep browsing. It should be recalled in this respect that Article 7.4 of the GDPR ensures that “the purpose of processing personal data shall not be associated (…) with the provision of a contract or service for which such personal data are not necessary”[3]. In other words, making the provision of a service conditional on the collection of data that is not required for such provision is an obstacle to obtaining valid consent.

Secondly, the EDPB maintains its refusal to consider actions such as scrolling or swiping through a web page as a clear and unambiguous indication of the data subject’s wishes, allowing for the deposit of cookies on his or her terminal equipment, notably because in that case, it would be difficult to allow the user to withdraw consent as easily as it has been granted.

However, the EDPB doctrine, which has now been clarified, remains unchanged and will inevitably force all online editors and content providers, whose business model relies heavily on personalized advertising through the mass use of non-functional cookies, to renew their practices, failing which they shall expose themselves to severe financial penalties. Consequently, a reconsideration of the free-of-charge nature of online services currently financed by targeted advertising revenues (social networks, email services, etc.) seems inevitable in the medium term.

II.     CONFLICTING POSITIONS AMONG THE MEMBER STATES

On 4 July 2019, the CNIL adopted guidelines in which it strictly prohibits any use of cookies “as long as the user has not previously expressed his or her wishes, in a free, specific, informed and unambiguous way, by a statement or a clear affirmative action”.

Regarding the two above-mentioned issues, the analyses of the CNIL and the EDPB are strictly identical:

o   on the one hand, “the practice of blocking access to a website or mobile application for those who do not consent to be tracked (“cookie walls”) does not comply with the GDPR”[4]; and
o   on the other hand, “browsing or scrolling through a website or mobile application does not constitute a positive action that can be regarded as valid consent”[5]. On this specific issue, the position of the French authority is diametrically opposed to the one adopted in its 2013 deliberation[6], even though, and contrary to certain preconceived ideas, the requirements for consent have changed very little since the adoption of European directive 95/46/EC.

The CNIL has drawn up a guide for professionals to help them change their practices in this area, and more generally transform their long-term advertising strategy.

The final version of these recommendations, based on contributions submitted by market players to the regulatory authority (for example, the public statement of the GESTE[7] in which the group of online content editors and service providers opposes a “Refuse all cookies” button and advocates exempting certain cookies from the requirement to obtain valid consent) and initially planned for early April 2020, will be issued at a later date due to the current health crisis.

The date of publication of the final version will theoretically constitute the starting point of a six-month period granted to online content editors to comply with such requirements, an unusual timetable which has been validated by the French administrative Supreme Court (“Conseil d’État”[8]) but is still subject to change.

Concerning other Member States, Ireland[9] and Belgium are completely in line with the EDPB and France.

Spain, on the other hand, has taken a more liberal stance, in a guide published in November 2019, stating that consent is not required for certain non-functional cookies, and that access to another section of the website or scrolling down the page may constitute a clear indication of the subject’s wishes to consent to the deposit and collection of cookies on his or her equipment.

III.     A PERSISTENT VAGUENESS AROUND COOKIES IN THE EPRIVACY REGULATION DRAFT

Beyond these two questions, the EDPB has taken an in-depth look at the issue of the processing of cookies by online editors and service providers, as cookies and the contextual advertising which relies thereupon are at the heart of the digital economy. This matter shall be dealt with by the European ePrivacy regulation which has yet to be adopted, after months of negotiations and abortive attempts.

The latest draft of the regulation, issued by the Croatian Presidency on 21 February 2020, laid down in its Article 8 the principle of a ban on the use of cookies on the end-user terminal equipment, with a limited number of exceptions, notably:

o   if the end-user has given his or her consent; or
o   if necessary to the purpose of the legitimate interests pursued by a service provider, except when such interests are overridden by the interests or fundamental rights and freedoms of the end-user and provided that the controller does not share such information with third parties.

Croatia seemed to provide a favorable alternative to consent for market players; recital 21b of the draft, however, strictly limited the use of such legal basis.

While pursuing an existing customer relationship, preventing online fraud, correcting security vulnerabilities or providing a service that safeguards the freedom of expression or information including for journalistic purposes may have been regarded as a legitimate interest, using cookies to determine the nature or characteristics of an end-user or to build an individual profile – common practices in the context of personalized advertising – would have been forbidden.

Although this new draft was a step forward for most industry players, who feared that obtaining the user's valid consent for cookies could not be circumvented, it was unlikely to fully allay their fears, as the use of the concept of legitimate interest appeared to be under close supervision; anyhow, it was far from being agreed upon by all Member States. Germany, which runs the European Council during the second half of 2020, will inherit this thorny issue.

[1] The EDPB recalls that the requirements for the validity of consent are applicable to situations falling within the scope of the ePrivacy Directive (2002/58/EC), thus including cookies.
[2] Guidelines 05/2020 of the EDPB on consent
[3] Idem
[4] CNIL deliberation 2019-093 of 4 July 2019
[5] Idem
[6] CNIL deliberation 2013-378 of 5 December 2013
[7] https://www.geste.fr/wp-content/uploads/2020/02/REPONSE-GESTE-_-CNIL-.pdf
[8] https://www.dalloz-actualite.fr/sites/dalloz-actualite.fr/files/resources/2019/10/433069.pdf
[9] Report dated 6 April 2020 (https://www.dataprotection.ie/sites/default/files/uploads/2020-04/Data%20Protection%20Commission%20cookies%20sweep%20REVISED%2015%20April%202020%20v.01.pdf)
