As of May 2020, one GDPR rule is now crystal clear: A user scrolling through a page or passage does not constitute valid consent for purposes of the GDPR.

Here's exactly what you need to know about how the rules were clarified, and what you need to do now to get consent.


Why the GDPR Matters

Since 2018, the GDPR has had legal force across the European Union. Its effects can be felt beyond Europe because the rules don't only apply to websites based in the EU. They also apply if:

  • The website indicates it serves customers in the EU
  • The website processes data about somebody in the EU
  • The data processing physically takes place in the EU

The GDPR sets out legal requirements for processing personal data. This means collecting, using or disclosing information that relates to an identifiable individual. Most cookies are included in this category and it doesn't matter that the cookie is stored on the user's computer.

Breaching the GDPR can lead to administrative fines which could theoretically reach €20 million or four percent of global turnover, whichever is higher. At the time of writing, nearly 40 fines exceeding €100,000 had been issued.

Under the GDPR, it's only lawful to process personal data if one of six legal bases apply. The first of these, and the one that websites most often rely on, is that "the data subject has given consent to the processing of his or her personal data for one or more specific purposes."

Article 7 of the GDPR sets down several conditions for such consent to be valid including:

  • The data controller has to prove the data subject gave consent
  • Any request for consent must be "in an intelligible and easily accessible form, using clear and plain language"
  • The data subject has the right to withdraw consent at any time. Doing so must be as easy as giving consent.

Recital 32 of the GDPR clarifies that consent must involve:

"...a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement."

Some examples include ticking a box on a website, changing settings, making a clear statement, or some other active action. The GDPR specifically rules out "silence, pre-ticked boxes or inactivity" as valid forms of consent.

Scrolling as Consent

Even in 2019, a year after the GDPR took legal effect, many website operators were still uncertain about what did and did not constitute valid consent.

Some automated tools for managing consent had an option to record whether a user had scrolled through a particular page or passage and, if so, record this as the user actively consenting to data processing.

This prompted debate about whether such consent was valid. The argument in favor of this method appears to have largely been based around (translated) guidance from CNIL, the independent data authority responsible for data protection issues in France.

The passage cited by defenders of the practice reads (translated):

"Insofar as the consent must not be ambiguous, this banner must not disappear until the person has continued his navigation, that is to say until he has not gone to another page of the site or did not click on an element of the site (image, link, "search" button)."

Critics of such a defense made two counter-arguments. The first was that something had been lost in translation and that CNIL was not saying that scrolling to the end of a banner constituted giving consent. Instead, the user would have to continue actively navigating the site for this to be the case.

The second argument was that CNIL's interpretation was not shared by regulators in other countries (some had even specifically ruled out "scroll to consent") and thus it couldn't be relied on across the EU.

Settling the Issue

While individual data protection authorities oversee the GDPR's implementation in specific European Union countries, a transnational body called the European Data Protection Board (EDPB) is in charge of sorting out any ambiguities or disputes in interpretation. The idea is to make sure rules broadly apply the same way in all countries, making it easier for businesses to operate and compete across the EU.

In May 2020 the EDPB updated its guidance to cover scrolling, saying it had "noticed that there was a need for further clarifications."

The updated guidance read:

"...actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action: such actions may be difficult to distinguish from other activity or interaction by a user and therefore determining that an unambiguous consent has been obtained will also not be possible. Furthermore, in such a case, it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it."

The Rationale

Scrolling is an inadequate form of inferring consent for three reasons, two of which are specified in the updated guidance and one of which is inherent:

  • The website operator does not have enough certainty that the user intended to indicate consent. They may have scrolled down to read more information or in the hope of finding a link to a privacy settings menu.
  • Users have the right to withdraw consent as easily as possible and, where practical, in the same manner in which they gave it. For example, a privacy settings menu toggle can be switched on or off. Websites which rely on "scroll to consent" don't offer an equivalent way to withdraw consent such as scrolling back up a page. Even if they did, it would likely be very unintuitive for the user.
  • In many "scroll to consent" cases, the text the user was scrolling down was a Privacy Policy, details of cookie use, or similar information. By definition, it would be difficult or impossible to read all of this information without completing the scrolling action that was inferred as consent. In turn, the user inherently wouldn't have had the opportunity to make an informed, and thus meaningful, decision to consent to data processing.

Remember that while some elements of the GDPR may still rely partly on interpretation, the rules on "scroll to consent" are now absolutely certain. The guidance stresses that scrolling is not valid consent "under any circumstances."

Getting Consent the Right Way

Website operators have a range of options to get consent, though several are not adequate for GDPR compliance. Remember that you need to do two things:

  • Give the user the information they need to make a meaningful decision to consent. This will most commonly be a dedicated Privacy Policy and should cover:

    • What data you collect or process
    • Why you need it
    • How you'll use it
    • Whether and to whom you'll disclose it
    • How long you'll keep it
  • Request and collect the consent, making sure the user has a reasonable opportunity to read the Privacy Policy first

Let's look at this more.

Invalid Methods

Browsewrap

Browsewrap involves inferring consent from a user's action such as continuing to use the site.

At worst, this simply means putting a Privacy Policy somewhere on the site that says using the site constitutes consent. At best, this means a clear message such as a pop-up banner that appears when the user first visits any page of the site.

Either way, browsewrap is not adequate. It does not constitute a clear signal of consent as there's no way to distinguish between somebody who is happy to consent to data processing and somebody who simply carried on browsing (intentionally or accidentally) without reading the warning.

This example from Insomniac is browsewrap. It's lawful because the site is expressly aimed at users in the United States and thus shouldn't come under the jurisdiction of the GDPR. But it's still not a recommended practice in general these days:

Insomniac Terms of Use: Introduction clause with browsewrap

Clickwrap

Clickwrap goes a step beyond browsewrap by specifically requiring the user to take a positive action (such as clicking an 'I Agree' button) to consent to data processing. This still has some potential inadequacies:

  • Some forms of clickwrap don't give a way to clearly indicate that the user chooses to withhold consent
  • It's not always easy or obvious how the user can withdraw consent given through clickwrap

A clickwrap request given when the user first visits a site will often try to cover all data processing. The GDPR requires specific consent for each purpose for which you gather data.

For example, a movie theater site collecting and storing somebody's date of birth to send them special offers on their birthday is a different purpose to the site issuing a cookie with the user's postcode or ZIP code so that they automatically get local listings. The site will need separate consent for the two purposes.

Requiring Opting Out/Default Opt-Ins

Any form of consent management that requires the user to actively opt out is invalid. This includes an opt-out setting in a dashboard, an opt-out button, or the user sending an email.

These may be valid ways to withdraw consent later on, but the GDPR works from the starting point that consent doesn't exist by default and instead the user must actively grant it.

GDPR Consent Best Practices

Websites can use a variety of methods to request and collect consent, including requiring or allowing users to do the following:

  • Ticking an opt-in box
  • Clicking a button or link
  • Changing settings in a dashboard
  • Providing consent outside of the website, for example in an email or paper document

Whichever method you use, you should follow some key principles.

Specific and Timely

It's most effective to ask for consent when, or immediately before, you want to collect personal data for processing.

This could be when the user first visits the site (if you are using cookies), when they are about to complete a form which includes personal data, or when they are about to sign up to an email newsletter (because their email address constitutes personal data).

BuzzFeed's newsletter sign-up page is designed so that users read the request for consent immediately before selecting their newsletters:

BuzzFeed Newsletter sign-up form

No Pre-Ticked Boxes

You must not use forms that have consent boxes ticked by default or sliders set to "On."

Even if a user has to click a confirmation button, this set-up doesn't offer enough certainty that they intentionally gave consent rather than clicking the button accidentally or not noticing the settings.

IKEA sets non-essential cookies off by default. They can only be issued once the user has actively changed a slider and clicked a confirmation button:

IKEA Privacy preference Centre: Performance Cookies toggle button highlighted

Equal Prominence For Options

When you present a user with consent options, avoid giving undue prominence to the option to give consent (or "Agree") to data processing. This could involve:

  • Making the Agree button bigger
  • Using a clearer or more prominent typeface
  • Using a clearer or more eye-catching color scheme
  • Using a button for "Agree" and a text link for the withholding option
  • Using language designed to influence the decisions such as "Agree and get our great newsletter" vs "Refuse and miss out"

The NHS gives two clearly labelled choices with equal prominence:

NHS Cookies Declaration with consent buttons highlighted

When designing your website's consent mechanism, take into account the user's right to withdraw consent later on. Remember that the lack of ability to withdraw consent is one of the reasons that "scroll to consent" was ruled invalid.

At the very least, this needs to be as simple a process as possible and the user should know exactly how they can withdraw consent. Ideally, the act of withdrawing consent should be as similar as possible to the way they originally granted consent.

One way to do this is to have a privacy dashboard where users can switch sliders or toggles, or check/uncheck boxes relating to specific types of data processing.

Google covers multiple aspects of consent to data processing on a dedicated account page:

Google Account Data and Personalization: Activity Controls options highlighted


Summary

Let's recap what you need to know about scrolling and consent.

  • When the GDPR applies, you can only process personal data in specific circumstances, most notably that the user has consented.
  • You must request the consent in a clear manner. The consent is only valid if the user takes a clear action to indicate specific consent to specific processing, and they make a genuine free choice to do so.
  • Some website operators believed a user scrolling through a document such as a Privacy Policy or request for consent counted as a clear action of giving consent. This belief may partially have been based on a mistranslation of guidance.
  • In May 2020, the European Data Protection Board, which coordinates national data protection authorities, updated its guidance on the GDPR. It made clear that scrolling was not an adequate form of consent "under any circumstances."
  • Scrolling is inadequate for three main reasons:

    • The website operator can't be certain that the user meant to consent
    • The user has no easy way to withdraw consent "granted" by scrolling
    • The user may not have the information needed to make a meaningful decision until after they've scrolled through the text
  • Acceptable methods of gathering consent can include opt-in boxes, buttons, links and dashboard settings. Whichever method you use, make sure:

    • The consent is specific to particular data processing
    • Where possible, you request consent when or immediately before you collect the relevant data
    • You don't use pre-ticked boxes or any other method where granting consent is a default option
    • You give equal prominence to consent options, particularly granting versus withholding consent
    • You provide a clear and easy way to withdraw consent at any time