The European Data Protection Board issues guidance on consent, in reliance upon the Working Party Article 29 Guidelines on Consent.

Key additions/ takeaways.
  • Consent relying on an alternative option offered by a third party fails to comply with the GDPR.
  • A service provider cannot prevent data subjects from accessing a service on the basis that they do not consent.
  • In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so-called cookie walls do not constitute valid consent).
  • Actions such as scrolling or swiping through a web page or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action, because such actions may be difficult to distinguish from other activity or interaction by a user and thus the requirement of “unambiguous” is not satisfied. In such a case, it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it.

Read the guidelines.