Background

On 17 January 2023, the European Data Protection Board (the "EDPB") held its 74th plenary meeting where it adopted a report (the "Report") on the work done to date by the EDPB Cookie Banner Task Force (the "Task Force").

The Task Force was established in September 2021 with the aim of coordinating the response to the complaints related to cookie banners filed with various EEA Supervisory Authorities by the non-profit organisation "none of your business" ("NOYB").

The Task Force, led by France's CNIL along with Austria's data protection authority, focused on promoting and ensuring cooperation, best practices and information sharing between the EEA Supervisory Authorities to ensure that the approach taken in relation to cookie banners is consistent across the EEA.

The Report

The Report confirms that the Supervisory Authorities have agreed on the interpretation of several provisions of the ePrivacy Directive and the GDPR in relation to the placement and reading of cookies and the subsequent processing of the data collected, including:

  • Reject Buttons (paragraph 8): Most supervisory authorities considered that it would be an infringement of the ePrivacy Directive if a cookie banner does not provide both an accept option and a refuse, reject or not consent option. However, some supervisory authorities took the view that this would not infringe the ePrivacy Directive, as article 5(3) does not explicitly require a "reject option". Ultimately, the vast majority of supervisory authorities considered the absence of a refuse, reject or not consent option on any layer to be outside the requirements for valid consent, meaning failure to have such an option is an infringement.
  • Pre-Ticked Boxes (paragraph 10): The supervisory authorities confirmed that the use of pre-ticked boxes to opt-in to the placing of cookies does not lead to valid consent under the GDPR or under article 5(3) of the ePrivacy Directive.
  • Banner Design (paragraph 14): The cookie banner should offer a clear indication of what the banner is about, the purpose of the consent being sought and how to consent to cookies. Each specific cookie banner should be assessed on a case-by-case basis to consider whether the design choices are misleading and result in an invalid consent from users. The Report gives examples of various approaches that do not lead to valid consent, including practices the supervisory authorities consider deceptive, such as:
    • the only alternative action offered besides granting consent consists of a link behind wording such as 'refuse' or 'continue without accepting' embedded in the cookie banner, without sufficient visual support to draw the users' attention to this alternative action;
    • the only alternative action offered besides granting consent consists of a link behind wording such as 'refuse' or 'continue without accepting' placed outside the cookie banner where the buttons to accept cookies are presented, in the absence of sufficient visual support to draw the users' attention to this alternative action outside the frame.
  • Deceptive button colours and deceptive button contrast (paragraph 18): Each specific cookie banner should be assessed on a case-by-case basis to consider whether the design choices (including the use of button colours and contrast) are misleading and result in an invalid consent from users.
  • Legitimate interest (paragraph 24): The Report concludes that to be lawful, the initial storage and access of personal data via cookies must comply with the ePrivacy rules (i.e. consent is required unless the cookie is 'strictly necessary'). Where a controller fails to comply with article 5(3) of the ePrivacy Directive (i.e., when valid consent has not been obtained as required), any subsequent processing also infringes the GDPR.
  • Inaccurately classified "essential" cookies (paragraphs 28-30): The Task Force analysed potential tools that can be used to create a list of cookies used by a website owner, along with the responsibility for keeping these lists updated, providing them to relevant authorities when requested, and demonstrating the "essentiality" of the cookies listed. For example, cookies that allow the website owner to remember user preferences (i.e., if consent was obtained) for a service should be considered "essential" cookies.
  • Withdraw Icons (paragraphs 32 and 25): Website operators should establish easily accessible solutions (i.e., small, permanently visible icons or links in a standard location) allowing users to withdraw their consent at any time. However, the supervisory authorities agreed that a case-by-case analysis of the method displayed to withdraw consent will always be necessary. The legal requirement is that withdrawing consent should be as easy as giving consent.

Takeaways

The Report suggests there will be some level of harmonization in how supervisory authorities enforce complaints related to the design of cookie banners.

The Report further clarifies that the interpretations outlined are not requirements of any supervisory authority regarding specific websites, but rather they represent a minimum, common standard which should be read alongside the application of additional national requirements, guidance and laws of each Member State.

Organisations retain some flexibility in how to design a cookie banner, as the Report points out that cookie banners and cookie collection will be mostly evaluated on a case-by-case basis.

Find the EDPB press release here and the report here.
