COMPLY.ORG

An open debate on ePrivacy and GDPR compliance

Legal grounds

Legal texts

EU ePrivacy/ UK PECR on cookies and similar tracking devices

UK's implementation of article 5.3 of the ePrivacy Directive 2002, as amended in 2009: Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003/2011

  1. Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
  2. The requirements are that the subscriber or user of that terminal equipment:
    1. is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
    2. has given his or her consent
  3. Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

  1. Paragraph (1) shall not apply to the technical storage of, or access to, information:
    1. for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
    2. where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

GDPR on the definition and requirements of consent after May 25th 2018

Article 4.11

'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Article 7

  1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
  2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
  3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
  4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Recital 32

  • Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
  • This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.
  • Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
  • Consent should cover all processing activities carried out for the same purpose or purposes.
  • When the processing has multiple purposes, consent should be given for all of them.
  • If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Official guidelines

European Data Protection Board's Guidelines on Consent - as last revised and adopted on 10 April 2018 (excerpts)

On requirements for freely given consent:

Granularity

[...] If the controller has conflated several purposes for processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom.

Within the same consent request a retailer asks its customers for consent to use their data to send them marketing by email and also to share their details with other companies within their group. This consent is not granular as there is no separate consents for these two separate purposes, therefore the consent will not be valid. In this case, a specific consent should be collected to send the contact details to commercial partners. Such specific consent will be deemed valid for each partner, whose identity has been provided to the data subject at the time of the collection of his or her consent, insofar as it is sent to them for the same purpose (in this example: a marketing purpose).

No detriment

[...] If a controller is able to show that a service includes the possibility to withdraw consent without any negative consequences e.g. without the performance of the service being downgraded to the detriment of the user, this may serve to show that the consent was given freely.

When downloading a lifestyle mobile app, the app asks for consent to access the phone's accelerometer. This is not necessary for the app to work, but it is useful for the controller who wishes to learn more about the movements and activity levels of its users. When the user later revokes that consent, she finds out that the app now only works to a limited extent. This is an example of detriment as meant in Recital 42, which means that consent was never validly obtained (and thus, the controller needs to delete all personal data about users' movements collected this way).

On informed consent

[...] To accommodate for small screens or situations with restricted room for information, a layered way of presenting information can be considered, where appropriate, to avoid excessive disturbance of user experience or product design.

On consent as an unambiguous indication of wishes

The GDPR is clear that consent requires a statement from the data subject or a clear affirmative act which means that it must always be given through an active motion or declaration. It must be obvious that the data subject has consented to the particular processing.

[...] Blanket acceptance of general terms and conditions cannot be seen as a clear affirmative action to consent to the use of personal data. The GDPR does not allow controllers to offer pre-ticked boxes or opt-out constructions that require an intervention from the data subject to prevent agreement (for example ‘opt-out boxes').

[...] However, within the requirements of the GDPR, controllers have the liberty to develop a consent flow that suits their organisation. In this regard, physical motions can be qualified as a clear affirmative action in compliance with the GDPR.

[...] Therefore, merely continuing the ordinary use of a website is not conduct from which one can infer an indication of wishes by the data subject to signify his or her agreement to a proposed processing operation.

Swiping a bar on a screen, waving in front of a smart camera, turning a smartphone around clockwise, or in a figure eight motion may be options to indicate agreement, as long as clear information is provided, and it is clear that the motion in question signifies agreement to a specific request (e.g. if you swipe this bar to the left, you agree to the use of information X for purpose Y. Repeat the motion to confirm). The controller must be able to demonstrate that consent was obtained this way and data subjects must be able to withdraw consent as easily as it was given.

Scrolling down or swiping through a website will not satisfy the requirement of a clear and affirmative action. This is because the alert that continuing to scroll will constitute consent may be difficult to distinguish and/or may be missed when a data subject is quickly scrolling through large amounts of text and such an action is not sufficiently unambiguous.

[...] In any event, consent must always be obtained before the controller starts processing personal data for which consent is needed. WP29 has consistently held in previous opinions that consent should be given prior to the processing activity. Although the GDPR does not literally prescribe in Article 4(11) that consent must be given prior to the processing activity, this is clearly implied. The heading of Article 6(1) and the wording "has given" in Article 6(1)(a) support this interpretation.

[Full text of the EDPB's Guidelines on Consent under Regulation 2016/679 (wp259rev.01)]

CNIL's* conditions for the usage of cookies for website audience measurement purposes without obtaining consent

To be exempt from the collection of consent, audience measurement tools must meet the following conditions:

  • The publisher of the site must provide clear and complete information;
  • An opposition mechanism must be accessible simply and must be usable on all browsers, and all types of terminals (including smartphones and tablets).
  • The data collected must not be cross-checked with other treatments (customer files or statistics of other sites for example).
  • The deposited cookie must only be used for the production of anonymous statistics;
  • The cookie must not make it possible to follow the navigation of the individual on other sites.
  • The IP address used to geotag the user must not be more accurate than the scale of the city. In concrete terms, the last two octets of the IP address must be deleted.
  • Cookies allowing traceability of Internet users and IP addresses must not be kept beyond 13 months from the first visit;
  • The raw audience data associated to a unique identifier must also not be kept for more than 13 months.

*French Supervisory Authority (Commission nationale de l'informatique et des libertés) Original text: https://www.cnil.fr/fr/solutions-pour-les-cookies-de-mesure-daudience