GDPR Privacy FAQs: Can organizations use “terms and conditions” to gain consent to the deployment of cookies?

November 26, 2019

No.

The English supervisory authority, the ICO, has stated that consent requests must be “clearly distinguishable from other matters” and that bundling consent as part of terms and conditions in impermissible.1 According to the ICO, this requirement is derived from Article 7 of GDPR, which requires that written declarations of consent must be distinguishable.2  Moreover, making such consent a condition of the performance of services offered by the website—for example, requiring agreement to the terms and conditions before a purchase—likely runs afoul of the requirement that a consent be freely given in any event.3

 


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf (at p. 11).

2. GDPR, Article 7(2).

3. GDPR, Article 7(4).

This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.