When it comes to website privacy compliance, cookies have consistently presented the most fraught issues for U.S. businesses. This is especially true for businesses that find themselves in a new, or uncertain, relationship with the EU or UK GDPR. Do I need a cookie banner? Where does it go? How big does it have to be? Will a privacy policy alone do? Can't users just be directed to the appropriate place to disable cookies in their browser? Why does this even matter?

The European Data Protection Board (EDPB), an independent EU body that, among other things, provides guidance on EU data protection laws, recently issued and adopted a report from its "Cookie Banner Task Force," created in September 2021. The report, which responds to a series of complaints filed by Max Schrems's non-profit, NOYB (None of Your Business), essentially amounts to a list of "don'ts" when it comes to cookie banners. Focusing on the application of the ePrivacy Directive and the GDPR, the report makes clear that cookie banners must be clear, must offer a meaningful way to consent (and to withdraw consent), and cannot be deceptive.

So what are the don'ts? The report criticizes the following practices:

DON'T . . .

  • . . . fail to include a "reject" button. The EDPB notes that banners will sometimes only display "consent" buttons with further options, without displaying the "reject" button, or might otherwise bury the rejection option in a nest of links.
  • . . . use links, instead of reject buttons. The option to reject should be immediately and prominently displayed. "The members agreed that for the consent to be valid, the user should be able to understand what they consent to and how to do so."
  • . . . use pre-ticked consent boxes. "The taskforce members confirmed that pre-ticked boxes to opt-in do not lead to valid consent . . ."
  • . . . use deceptive button colors or deceptive button contrast. "[T]he configuration of some cookie banners in terms of colours and contrasts of the buttons . . . could lead to a clear highlight of the 'accept all' button over the available options."
  • . . . inaccurately label cookies as "essential." "Essential" or "strictly necessary" cookies are those needed to make the website function or to provide a service the user has explicitly requested. There are other kinds of cookies, but only "essential" cookies may be set without specific consent. The taskforce noted that some entities made the "essential" cookie category broader than appropriate.
  • . . . rely on "legitimate interests" to process cookies. Storing or reading non-essential cookies requires consent under the ePrivacy Directive, so the GDPR's "legitimate interests" basis cannot substitute for that consent. The taskforce further determined that if cookies were placed without valid consent, the entity cannot then rely on "legitimate interests" to process the information collected. In other words, it's consent all the way down.
  • . . . fail to provide a "withdrawal" icon. "Website owners should put in place easily accessible solutions allowing users to withdraw their consent at any time, such as an icon (small hovering and permanently visible icon) or a link placed on a visible and standardized place."

No doubt, this clarification on prohibited banner practices may be unwelcome news to entities that have engaged in one or more of them. But increased enforcement, as well as country-specific guidance, makes it clear that EU member states, and individuals protective of their privacy rights, are becoming more vigilant about personal data collection through cookies and about how organizations communicate with users. Time to update your banners!
