On 17 January 2023, the European Data Protection Board (the “EDPB”) held its 74th plenary meeting where it adopted a report (the “Report”) on the work done to date by the EDPB Cookie Banner Task Force (the “Task Force”).
The Task Force was established in September 2021 with the aim to coordinate the response to the complaints filed with various EEA Supervisory Authorities by the non-profit organisation “none of your business” (“NYOB”) related to cookie banners.
The Task Force, led by France’s CNIL along with Austria’s data protection authority, focused on promoting and ensuring cooperation, best practices and information sharing between the EEA Supervisory Authorities to ensure that the approach taken in relation to cookie banners is consistent across the EEA.
The Report confirms that the Supervisory Authorities have agreed on the interpretation of several provisions of the ePrivacy Directive and the GDPR in relation to placement and reading of cookies and their subsequent processing of data collected, including:
- Reject Buttons (paragraph 8):Most supervisory authorities considered that it would be an infringement of the ePrivacy Directive if a cookie banner does not provide both an accept and a refuse, reject or not consent option. However, some supervisory authorities viewed that this would not infringe the ePrivacy Directive, as article 5(3) does not explicitly requires a “reject option”. Ultimately, the vast majority of supervisory authorities considered the absence of a refuse, reject or not consent option on any layer to be outside the requirements for valid consent, meaning failure to have such an option is an infringement.
- Pre-Ticked Boxes (paragraph 10): The supervisory authorities confirmed that the use of pre-ticked boxes to opt-in to the placing of cookies does not lead to valid consent under the GDPR or under article 5(3) of the ePrivacy Directive.
- Banner Design (paragraph 14):The Cookie banner should offer a clear indication of what the banner is about, the purpose of the consent being sought and how to consent to cookies. Each specific cookie banner should be assessed on a case-by-case basis to consider whether the design choices are misleading and result in an invalid consent from users. The report gives examples of various approaches that do not lead to valid consent, including practices the supervisory authorities consider deceptive, such as:
- the only alternative action offered besides granting consent consists of a link behind wording such as ‘refuse’ or ‘continue without accepting’ embedded in the cookie banner, without sufficient visual support to draw the users’ attention to this alternative action;
- the only alternative action offered besides granting consent consists of a link behind wording such as ‘refuse’ or ‘continue without accepting’ placed outside the cookie banner where the buttons to accept cookies are presented, in the absence of sufficient visual support to draw the users’ attention to this alternative action outside the frame.
- Deceptive button colours and deceptive button contrast (paragraph 18): Each specific cookie banner should be assessed on a case-by-case basis to consider whether the design choices (including the use of button colours and contrast) are misleading and result in an invalid consent from users.
- Legitimate interest (paragraph 24): The report concludes that to be lawful, the initial storage and access of personal data via cookies must comply with the ePrivacy rules (i.e. consent is required unless the cookie is ‘strictly necessary’). Where a controller fails to comply with article 5(3) of the ePrivacy Directive, (i.e., when valid consent had not been obtained as required) it also resulted in any subsequent processing infringing the GDPR.
- Inaccurately classified “essential” cookies (paragraphs 28-30): The Taskforce analysed potential tools that can be used to create a list of cookies used by a website owner, along with the responsibility to keep these lists updated, providing them to relevant authorities when requested, and to demonstrating the “essentiality” of the cookies listed. For example, cookies that allow the website owner to remember user preferences (i.e., if consent was obtained) for a service should be considered “essential” cookies.
- Withdraw Icons (paragraphs 32 and 25):Website operators should establish easily accessible solutions (i.e., small, permanently visible icons or links in a standard location) allowing users to withdraw their consent at any time. However, the supervisory authorities agreed that a case-by-case analysis of the method displayed to withdraw consent will always be necessary. The legal requirement is that withdrawing consent should be as easy as giving consent.
The Report suggests there will be some level of harmonization in how supervisory authorities enforce complaints related to the design of cookie banners.
The Report further clarifies that the interpretations outlined are not requirements of any supervisory authority regarding specific websites, but rather they represent a minimum, common standard which should be read alongside the application of additional national requirements, guidance and laws of each Member State.
Organisations retain some flexibility in how to design a cookie banner, as the Report points out that cookie banners and cookie collection will be mostly evaluated on a case-by-case basis.
Please contact Jose Saras if you have any questions regarding the above.
The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.
This article is written in English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.