European Data Protection Board Backs Ban On “Cookie Walls”

Elizabeth Adler, George Crawford, Claudia Hrvatin, Robert Keenan III, Bailey Langner, Kim Roberts, Kyle Sheahen
King & Spalding
Contact
LinkedIn
Facebook
X
Send
Embed

The European Data Protection Board (“EDPB”), established under the General Data Protection Regulation (“GDPR”), said in a statement that the use of so-called “cookie walls” should be prohibited under the proposed EU e-Privacy Regulation.

The EDPB is made up of representatives of national data protection authorities across the EU and the European data protection supervisor. The body replaced the Article 29 Working Party, which previously provided opinions and guidance on matters relating to EU data protection and e-Privacy laws.

The proposed new e-Privacy Regulation, proposed by the European Commission in January 2017, has yet to be finalised by EU law makers. The proposed new e-Privacy Regulation envisages a similar future supervisory role for the EDPB as is set out under GDPR.

Relevant to the use of cookie walls, the EDPB’s statement says that website and mobile app operators should be barred from requiring consumers to agree to the collection and use of their personal data in return for gaining access to their services. The EDPB says that permitting the use of cookie walls would be contrary to the requirements under GDPR, which has clear rules around obtaining consent and the form that consent must take. The EDPB said “In order for consent to be freely given as required by GDPR, access to services and functionalities must not be made conditional on the consent of a user to the processing of personal data or the processing of information related to or processed by the terminal equipment of end-users, meaning that cookie walls should be explicitly prohibited.”

The statement from the EDPB clearly demonstrates that compliance with the consent requirements under GDPR puts extensive obligations on all service providers. The consequence of this statement is that service providers (whether website operators or app providers) will need to obtain users’ consent to access services and functionalities, employing whatever technical tools are required to obtain it.

In its statement, the EDPB also backed plans outlined by the elected members of the European Parliament to require privacy options to be turned on by default within software settings, and for software providers to offer “a technical solution for websites to obtain a valid consent.”

“[The new e-Privacy rules] should explicitly apply to operating systems of smartphones, tablets, or any other ‘user agent’, in order to ensure that communications applications can take into account the choices of their users, no matter what technical means are involved,” the EDPB said. It went on to say, “[m]oreover, privacy settings should facilitate expressing and withdrawing consent in an easy, binding and enforceable manner against all parties, and users should be offered a clear choice upon installation, allowing them to give their consent if they wish to do so. Additionally, web site and mobile applications should be able to obtain a GDPR compliant consent through privacy settings.”

The e-Privacy Regulation remains in draft form. It is currently unknown when it will become law.

Reporter, Kim Roberts, London, +44 20 7551 2133, kroberts@kslaw.com.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

Written by:

King & Spalding
King & Spalding
Contact
more
less

King & Spalding on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide