On 4 May the European Data Protection Board published updated guidance on what constitutes consent under GDPR, in order to clarify the position on the use of “cookie walls”. These are cookie pop-ups that prevent access to content or functionality unless the user “consents” to the use of cookies. This guidance updates the guidelines on consent published by its predecessor, the Article 29 Working Party, in April 2019 prior to GDPR coming into force.

The updated guidance does not change the law or best practice, but it does now unequivocally demonstrate the EDPB’s opinion that cookie walls will not constitute valid consent, as well as further clarifying that “scroll to accept” or “continue browsing to accept” cookie notifications will also not constitute valid consent.

If your website relies on the user “consenting” to having cookies placed on their device that are not strictly necessary (such as cookies put in place by advertisers or those used to gather data for website analytics) through the user continuing to use, scroll, swipe or browse on the website, or if your website does not permit users access to functions or content without the user accepting your cookie policy, now may be the time to rethink your approach to obtaining consent, as you may be using cookies without valid consent and therefore in a manner that is non-compliant with GDPR.

Website users should be “freely” giving “specific, informed and unambiguous” consent. In practice this will often mean a cookie banner that breaks down the cookies used on your website based on their purpose and gives the user the opportunity to decline these cookies in as easy a manner as it is to accept.

This article drafted by Andrew Wilson.