
General EU Requirements for Cookie Banners – EDPB Task Force Report

January 27, 2023 | By Preiskel & Co

Background

On 17 January 2023, the European Data Protection Board (the “EDPB”) held its 74th plenary meeting where it adopted a report (the “Report”) on the work done to date by the EDPB Cookie Banner Task Force (the “Task Force”).

The Task Force was established in September 2021 with the aim of coordinating the response to the cookie banner complaints filed with various EEA Supervisory Authorities by the non-profit organisation “none of your business” (“NOYB”).

The Task Force, led by France’s CNIL along with Austria’s data protection authority, focused on promoting and ensuring cooperation, best practices and information sharing between the EEA Supervisory Authorities to ensure that the approach taken in relation to cookie banners is consistent across the EEA.

The Report

The Report confirms that the Supervisory Authorities have agreed on the interpretation of several provisions of the ePrivacy Directive and the GDPR in relation to the placement and reading of cookies and the subsequent processing of the data collected, including:

  • Reject Buttons (paragraph 8): Most supervisory authorities considered that it would be an infringement of the ePrivacy Directive if a cookie banner does not provide both an accept option and a refuse, reject or not consent option. However, some supervisory authorities took the view that this would not infringe the ePrivacy Directive, as article 5(3) does not explicitly require a “reject option”. Ultimately, the vast majority of supervisory authorities considered the absence of a refuse, reject or not consent option on any layer to be outside the requirements for valid consent, meaning failure to have such an option is an infringement.
  • Pre-Ticked Boxes (paragraph 10): The supervisory authorities confirmed that the use of pre-ticked boxes to opt-in to the placing of cookies does not lead to valid consent under the GDPR or under article 5(3) of the ePrivacy Directive.
  • Banner Design (paragraph 14): The cookie banner should offer a clear indication of what the banner is about, the purpose of the consent being sought and how to consent to cookies. Each specific cookie banner should be assessed on a case-by-case basis to consider whether the design choices are misleading and result in an invalid consent from users. The Report gives examples of various approaches that do not lead to valid consent, including practices the supervisory authorities consider deceptive, such as:
    • the only alternative action offered besides granting consent consists of a link behind wording such as ‘refuse’ or ‘continue without accepting’ embedded in the cookie banner, without sufficient visual support to draw the users’ attention to this alternative action;
    • the only alternative action offered besides granting consent consists of a link behind wording such as ‘refuse’ or ‘continue without accepting’ placed outside the cookie banner where the buttons to accept cookies are presented, in the absence of sufficient visual support to draw the users’ attention to this alternative action outside the frame.
  • Deceptive button colours and deceptive button contrast (paragraph 18): Each specific cookie banner should be assessed on a case-by-case basis to consider whether the design choices (including the use of button colours and contrast) are misleading and result in an invalid consent from users.
  • Legitimate interest (paragraph 24): The Report concludes that, to be lawful, the initial storage of and access to personal data via cookies must comply with the ePrivacy rules (i.e. consent is required unless the cookie is ‘strictly necessary’). Where a controller fails to comply with article 5(3) of the ePrivacy Directive (i.e., when valid consent has not been obtained as required), any subsequent processing also infringes the GDPR.
  • Inaccurately classified “essential” cookies (paragraphs 28-30): The Task Force analysed potential tools that can be used to create a list of cookies used by a website owner, along with the responsibility for keeping these lists updated, providing them to relevant authorities when requested, and demonstrating the “essentiality” of the cookies listed. For example, cookies that allow the website owner to remember user preferences (i.e., if consent was obtained) for a service should be considered “essential” cookies.
  • Withdraw Icons (paragraphs 32 and 25): Website operators should establish easily accessible solutions (i.e., small, permanently visible icons or links in a standard location) allowing users to withdraw their consent at any time. However, the supervisory authorities agreed that a case-by-case analysis of the method displayed to withdraw consent will always be necessary. The legal requirement is that withdrawing consent should be as easy as giving consent.

Takeaways

The Report suggests there will be some level of harmonization in how supervisory authorities enforce complaints related to the design of cookie banners.

The Report further clarifies that the interpretations outlined are not requirements of any supervisory authority regarding specific websites, but rather they represent a minimum, common standard which should be read alongside the application of additional national requirements, guidance and laws of each Member State.

Organisations retain some flexibility in how to design a cookie banner, as the Report points out that cookie banners and cookie collection will be mostly evaluated on a case-by-case basis.

Find the EDPB press release here and the report here.

 

Please contact Jose Saras if you have any questions regarding the above.

The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.

This article is written in the English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.
