The GDPR is now two years old. But some companies remain noncompliant. Otherwise, why did the European Data Protection Board (EDPB) feel the need to issue a clarification on Monday?
It starts with the use of so-called cookie walls. These occur when a site blocks access to content unless the person agrees to accept cookies.
This is a no-no, for the following reasons. "There is no possibility to access the content without clicking on the 'Accept cookies' button," the EDPB states. “Since the data subject is not presented with a genuine choice, it’s consent is not freely given.”
The EDPB adds that the data subject must be offered "control" and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment.
It’s the same with scrolling — the mere fact that one does this does not constitute unambiguous consent.
Actions such as "scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action.”
As TechCrunch notes in a report on the EDPB clarification, consent must be "clear and informed, specific and freely given."
Cookie walls and scrolling were the two major points being clarified. But the EDPB also explores some situations involving email.
For one, a municipality planning disruptive road maintenance offers an email newsletter containing updates for local residents. Consent is valid in this case because citizens who choose to not sign up will not be deprived of a core service or right.
More complex is the case of a retailer asking customers for consent to send the marketing emails and to share their details with other firms within their group.
What’s wrong here? That the consent is not granular — you would need separate consents for each service.
Here’s another situation. An underage person needs permission to sign up for a gaming site. The child offers the parent’s email address so the site can ask for their blessing.
The issue here is that the site must take reasonable steps to make sure that the adult has parental responsibility.
Add it up -- and you cannot extort consent. “If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given.”