Guidelines 08/2020 on the targeting of social media users – version for public consultation
Subparagraph 5.3.2 B Legal basis
65 First of all, because Examples 4, 5 and 6 in Section 5.3 involve the use of cookies, requirements resulting from Article 5 (3) of the ePrivacy Directive need to be taken into account.
66 In this regard, it should be noted that Article 5 (3) of the ePrivacy Directive requires that users are provided with clear and comprehensive information, inter alia about the purposes of the processing, prior to giving their consent, subject to very narrow exceptions. Clear and comprehensive information implies that a user is in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed. As a result, the controller will have to inform data subjects about all the relevant purposes of the processing – including any subsequent processing of the personal data obtained by accessing information in the terminal equipment.
67 To be valid, the consent collected for the implementation of tracking technologies needs to fulfil the conditions laid out in Article 7 GDPR. For instance, consent is not validly constituted if the use of cookies is permitted by way of a checkbox pre-ticked by the service provider, which the user must deselect to refuse his or her consent. Based on recital 32, actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action: such actions may be difficult to distinguish from other activity or interaction by a user and therefore determining that an unambiguous consent has been obtained will also not be possible. Furthermore, in such a case, it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it.
68 Any (joint) controller seeking to rely on consent as a legal basis is responsible for ensuring valid consent is obtained. In Fashion ID, the CJEU emphasized the importance of ensuring the efficient and timely protection of the data subject rights, and that consent should not be given only to the joint controller that is involved later in the processing. Valid consent must be obtained prior to the processing, which implies that (joint) controllers need to assess when and how information should be provided and consent should be obtained. In other words, the question as to which of the joint controllers should be in charge of collecting the consent comes down to determining which of them is involved first with the data subject. In example 6, as the placement of cookies and processing of personal data occurs at the moment of account creation, the social media provider must collect her valid consent before the placement of advertisement cookies.
69 The EDPB also recalls that in a case where the consent sought is to be relied upon by multiple (joint) controllers or if the data is to be transferred to or processed by other controllers who wish to rely on the original consent, these organisations should all be named. Insofar as not all joint controllers are known at the moment when the social media provider seeks the consent, the latter will necessarily need to be complemented by further information and consent collected by the website operator embedding the social media plugin (i.e. Thelatesthotnews.com in Example 6).
70 The EDPB emphasizes that the consent that should be collected by the website operator for the transmission of personal data triggered by its website (by embedding a social plug-in) relates only to the operation or set of operations involving the processing of personal data in respect of which the operator actually determines the purposes and means. The collection of consent by a website operator, i.e. “Thelatesthotnews.com” in Example 6 for instance, does not negate or in any way diminish the obligation of the social media provider to ensure the data subject has provided a valid consent for the processing for which it is responsible as a joint controller, as well as for any subsequent or further processing it carries out for which the website operator does not jointly determine the purposes and means (e.g. subsequent profiling operations for targeting purposes).
71 In addition, any subsequent processing of personal data, including personal data obtained by cookies, social plug-ins or pixels, must also have a legal basis under Article 6 of the GDPR in order to be lawful. For what concerns the legal basis of the processing in Examples 4, 5, and 6, the EDPB considers that legitimate interest cannot act as an appropriate legal basis, as the targeting relies on the monitoring of individuals’ behavior across websites and locations using tracking technologies.
72 Therefore, in such circumstances, the appropriate legal basis for any subsequent processing under Article 6 GDPR is also likely to be the consent of the data subject. Indeed, when assessing compliance with Article 6 GDPR, one should take into account that the processing as a whole involves specific activities for which the EU legislature has sought to provide additional protection. Moreover, controllers must take into account the impact on data subjects’ rights when identifying the appropriate legal basis in order to respect the principle of fairness.