Published in DALLOZ ACTUALITES on May 15, 2020.
Two issues in particular retained the attention of the EDPB, both in relation to the validity of consent, either in the presence of a “cookie wall” or when user keeps browsing/scrolling on a webpage.
Apart from the EDPB (I), some national authorities have already expressed their views on these common but nevertheless contested practices, such as the French regulatory authority, i.e. the CNIL (II), while the e-privacy regulation is still under discussion (III).
I. THE EDPB REAFFIRMS CONSENT REQUIREMENTS FOR COOKIES
Firstly, with regard to “cookie walls”, i.e. banners that prevent users from accessing the desired service unless they give consent to all cookies, including those for advertising purposes, the EDPB states that
“in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user”,
a principle it had already laid out in a “Statement on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications” published on 25 May 2018.
Thus, making access to a site dependent on clicking on a “Accept Cookies” button shall be prohibited as it does not present any option to the user, who is obliged to click if he or she wishes to keep browsing. It should be recalled in this respect that Article 7.4 of the RGPD ensures that “the purpose of processing personal data shall not be associated (…) with the provision of a contract or service for which such personal data are not necessary“. In other words, making the provision of a service conditional on the collection of data that is not required for such provision is an obstacle to obtaining a valid consent.
Secondly, the EDPB maintains his refusal to consider actions such a scrolling or swiping through a web page as a clear and unambiguous indication of the data subject’s wishes, allowing for the deposit of cookies on his or her terminal equipment, notably because in that case, it would be difficult to allow the user to withdraw consent as easily as it has been granted.
However, the EDPB doctrine, which has now been clarified, remains unchanged and will inevitably force all online editors and content providers, whose business model relies heavily on personalized advertising through the mass use of non-functional cookies, to renew their practices, failing which they shall expose themselves to severe financial penalties. Consequently, a reconsideration of the gratuity of online services currently financed by targeted advertising revenues (social networks, email services, etc.) seems inevitable in the medium term.
II. CONFLICTING POSITIONS AMONG THE MEMBER STATES
Regarding the two above mentioned, the analyses of the CNIL and the EDPB are strictly identical:
o on the one hand, “the practice of blocking access to a website or mobile application for those who do not consent to be tracked (“cookie walls”) does not comply with the GDPR“; and
o on the other hand, “browsing or scrolling through a website or mobile application does not constitute a positive action that can regarded as valid consent“. On this specific issue, the position of the French authority is diametrically opposed to the one adopted in its 2013 deliberation, even though, and contrary to certain preconceived ideas, the requirements for consent have changed very little since the adoption of European directive 95/46/EC.
The CNIL has drawn up a guide for professionals to help them change their practices in this area, and more generally transform their long-term advertising strategy.
The final version of these recommendations, based on contributions submitted by market players to the regulatory authority (for example, the public statement of the GESTE in which the group of online content editors and service providers opposes to a “Refuse all cookies” button and advocates to exempt certain cookies from obtaining a valid consent) and initially planned for early April 2020, will be issued at a later date due to the current health crisis.
The date of publication of the final version will theoretically constitute the starting point of a six-month period granted to online content editors to comply with such requirements, an unusual timetable which has been validated by the French administrative Supreme Court (“Conseil d’État” ) but still is subject to change.
Concerning other Member States, Ireland and Belgium are completely in line with the EDPB and France.
Spain, on the other hand, has taken a more liberal stance, in a guide published in November 2019, stating that consent is not required for certain non-functional cookies, and that access to another section of the website or scrolling down the page may constitute a clear indication of the subject’s wishes to consent to the deposit and collection of cookies on his or her equipment.
III. A PERSISTENT VAGUENESS AROUND COOKIES IN THE EPRIVACY REGULATION DRAFT
Beyond these two questions, the EDPB has taken an in-depth look at the issue of the processing of cookies by online editors and service providers, as cookies and the contextual advertising which relies thereupon are at the heart of the digital economy. This matter shall be dealt with by the European ePrivacy regulation which has yet to be adopted, after months of negotiations and abortive attempts.
o if the end-user has given his or her consent; or
o if necessary to the purpose of the legitimate interests pursued by a service provider, except when such interests are overridden by the interests or fundamental rights and freedoms of the end-user and provided that the controller does not share such information with third parties.
Croatia seemed to provide a favorable alternative to consent for market players; recital 21b of the draft, however, strictly limited the use of such legal basis.
While pursuing an existing customer relationship, preventing online fraud, correcting security vulnerabilities or providing a service that safeguards the freedom of expression or information including for journalistic purposes may have been regarded as a legitimate interest, using cookies to determine the nature or characteristics on an end-user or to build an individual profile – common practices in the context of personalized advertising – would have been forbidden.
Although this new draft was a step forward for most industry players, who feared that obtaining the user valid consent for cookies could not be circumvented, it was unlikely to fully allay their fears, as the use of the concept of legitimate interest appeared to be under close supervision; anyhow, it was far from being agreed upon by all Member States. Germany, which runs the European Council during the second half of 2020, will inherit this thorny issue. The EDPB recalls that the requirements for the validity of consent are applicable to situations falling within the scope of the ePrivacy Directive (2002/58/EC), thus including cookies.
 Guidelines 05/2020 of the EDPB on consent
 CNIL deliberation 2019-093 of 4 July 2019
 CNIL deliberation 2013-378 of 5 December 2013
 Report dated 6 April 2020 (https://www.dataprotection.ie/sites/default/files/uploads/2020-04/Data%20Protection%20Commission%20cookies%20sweep%20REVISED%2015%20April%202020%20v.01.pdf)
- The European data protection board clarifies its position in a new set of guidelines - May 18, 2020
- Contact tracing application: “an individual choice pledge of collective responsibility” - April 25, 2020
- #COVID-19 : No state of emergency for data protection ! - March 26, 2020
- Brief n°2 – The controls of the French supervisory authority in 2019: enforcing the rights of the data subject - June 3, 2019
- CNIL investigations in 2019 : the sharing of responsibilities between controller and processor - May 3, 2019