Rafael Garcia del Poyo, Samuel Martinez, and Mario Gras, Partner, Senior Associate, and Associate respectively at Osborne Clarke LLP, told OneTrust DataGuidance, “[This] view on the possibility of accepting cookies by means of ‘continue browsing actions’ has already been subject to some criticism since the Guide’s publication, given that it has been considered that it may divert from the opinion given by the Article 29 Working Party Guidelines on Consent under Regulation 2016/679 (last revised and adopted on 10 April 2018) (‘the Consent Guidelines’), endorsed by the European Data Protection Board, and other supervisory authorities such as the Information Commissioner’s Office (‘ICO’) and the French data protection authority (‘CNIL’).”
Moreover, the Guide adopts a risk-based approach with regard to the protection of minors and advises data controllers to implement measures to ensure that consent is given by persons older than 14 years of age. In addition, the Guide provides recommendations for mechanisms to safeguard the rights of minors, which are based on cases where either only statistical data is collected, cookies are used for customisation purposes, or profiling cookies for advertising purposes. In particular, these mechanisms can range from warnings by asking for parental consent through a mouse click where only statistical data is collected, to birthday checkboxes which are able to detect wrong inputs and captchas where cookies are used for customisation purposes, as well as email address confirmations or copies of parental ID cards where profiling cookies for advertising purposes are at stake.
Garcia del Poyo, Martinez, and Gras continued, “These types of mechanisms are not new in the internet ecosystem, being sometimes insufficient to ensure an adequate level of protection of minors’ rights and freedoms. However, taking into account the available technology and the specifics of the processing carried out, [as outlined by the Guide], it is truly difficult to devise other methods to achieve this purpose, particularly because most of them entail unbearable (and very expensive) burdens on companies and are not user-friendly. Examples of these would be the ‘unassisted video identification’ by means of a software detecting the age of users, or using a ‘single sign on’ from users already properly identified as being of legal age through other services (such as banking institutions).”
Furthermore, the Guide provides a more detailed description of the obligation to provide an option to withdraw consent to cookies, where previously the implementation of the obligation differed between service providers in practice. In this regard, the Guide provides another interpretation of Article 7(3) of the GDPR, which outlines that withdrawing consent should be as easy as giving consent.
In this regard, Garcia del Poyo, Martinez, and Gras highlighted, “[Based] on this provision, the AEPD seems to construe that this requirement is being complied with by letting users have a simple and permanent access to the cookie management system, namely the consent management platforms […]. However, it must be noted that the Consent Guidelines already shed light on this by envisaging that ‘[…] when consent is obtained via electronic means through only one mouse-click, swipe, or keystroke, data subjects must, in practice, be able to withdraw that consent equally as easily.’ Thus, a consistent read of both interpretations might require enabling a withdrawal mechanism which uses the same means used in the consent-collecting mechanism. In any event, up until the enactment of the Proposed Regulation on Privacy and Electronic Communications (2017/003) (COD) (‘the Draft ePrivacy Regulation’), the criteria to abide by will need to be those set by the AEPD.”
LEA BUSCH Privacy Analyst