On Focus

Author: Andrea D'Addazio

Personal Data Protection


European Data Protection Board updates guidelines on consent 

On 4 May 2020, the European Data Protection Board (“EDPB”) issued the “Guidelines 05/2020 on consent under Regulation 2016/679” (“Guidelines”) by updating the previous guidelines which had been adopted by the former “Article 29 Working Party” in April 2018. 

Such update provides significant clarifications about the conditionality of consent (see paragraph 3.1.2 of the Guideline) and the unambiguous indication of wishes (see paragraph 3.4. of the Guidelines).


The Guidelines focus on the provision of consent in a digital context, with a particular attention to the interaction of data subjects with so-called “cookie walls” – i.e. pop-up notice on websites or mobile apps subjecting access for users to provision of consent for cookies and/or access to terminal storage etc. –  and the definition of unambiguous expression of consent (particularly in relation to “scrolling”).


First of all, it shall be recalled that in accordance with the GDPR (art. 4,11; Recital 32) the consent of the data subject must be: 

  1. freely given, 
  2. specific, 
  3. informed,
  4. an unambiguous indication of wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;


Dealing with conditionality, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user.

This is specified at Example 6A: « A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice, its consent is not freely given ». 

The example states clearly the invalidity of consent obtained with cookie walls, because it cannot be considered as freely given, since data subjects must opt for consent without being compelled under denial of access to services.


Likewise, scrolling through a webpage or clicking “I accept” on a pre-ticked opt-in box is not a valid provision of consent. To this end, the Guidelines remind that GDPR requires a “clear affirmative act”, which is not mere silence or inactivity on the part of the data subject, as well as merely proceeding with activity, since it cannot be regarded as an active indication of choice. The Guidelines clarify that «[such] actions may be difficult to distinguish from other activity or interaction by a user and therefore determining that an unambiguous consent has been obtained will also not be possible».

Furthermore, the EDPD highlights that in such a case it is difficult to provide a way for the data subject to withdraw consent in a manner that is as easy as it is provided.


In this context, the EDPB has embedded the law principle established by ECJ in case Planet49 (c-673/17), according to which the concept of “valid consent” under article 4 of GDPR, the consent must result in an "unequivocal" – i.e. active – expression of will of the user, by which the data subject gives consent to the processing of personal data. The ECJ took a literal interpretation of the term “given his or her consent” as in art. 6 par. 1 lett. a of GDPR, finding that consent must derive from an active rather than passive behaviour.

In the ECJ judgment (likewise in the Guidelines), such definition of consent also applies for the purposes of the Directive 2002/58/EC (ePrivacy Directive). Therefore, consent to the use/installation of cookies by means of a pre-selected checkbox (to be unselected in order to deny user’s consent – so called “opt-out”) cannot be considered validly expressed. 


To sum up, any website which processes personal data with optional cookies shall grant that:

  • users are provided with a genuine choice to accept or to decline the use of cookies and are not prevented from accessing the website if they decline the use of cookies;
  • cookies are not installed until the users have genuinely provided their consent by accepting actively the use of cookies and setting autonomously their preferences.