The EDPB Cookie Banner Taskforce has published a Report, which provides guidance on how to comply with the cookie rules in the ePrivacy Directive 2002/58/EC. It discusses topical issues such as the absence of reject buttons, pre-ticked boxes, misleading banner design, and withdrawal of consent solutions.
The EDPB notes in a "disclaimer" to the Report that the positions taken by the Taskforce reflect the common denominator agreed by Supervisory Authorities in their interpretation of the applicable provisions of the ePrivacy Directive 2002/58/EC, as amended, and the GDPR when handling cookie banner complaints received from NOYB. The positions taken do not constitute stand-alone recommendations or findings to obtain a green light from a competent supervisory authority; rather, they should be read in conjunction with national laws transposing the ePrivacy Directive.
In this article we look at the key highlights of the Report.
In September 2021, the EDPB set up the Cookie Banner Taskforce to coordinate the response to complaints concerning the design of cookie banners made to multiple data protection supervisory authorities by the privacy advocacy group, NOYB. The aim of the Taskforce was to promote cooperation, information sharing and best practices.
Applicable Legal Framework – ePrivacy Directive and GDPR
The Taskforce notes that the applicable legal framework for the placement of cookies is only the national law of each Member State which transposes Article 5(3) of the ePrivacy Directive, and reminds us that the GDPR's one-stop-shop mechanism does not apply in relation to cookies. However, the ePrivacy Directive's reference to consent includes reference to the definition of consent under Article 4 of the GDPR, and the conditions for consent set out in Article 7 GDPR. The GDPR will apply to any subsequent processing of data which takes place after storing or gaining access to information on a user’s device.
Key Highlights of Report – Designing Cookie Banners
Following a coordinated review of cookie banners which were the subject of complaints to multiple supervisory authorities by NOYB, the Taskforce provided commentary on a variety of violations, as summarised below.
- No "reject" button on first layer: The majority of supervisory authorities consider that a cookie banner should contain a refuse/reject option alongside an accept option. They consider the absence of a reject option is not in line with the requirements for valid consent, and is an infringement of the ePrivacy Directive.
- Pre-ticked Boxes: The Taskforce confirmed that pre-ticked boxes are not a valid way to obtain consent under Article 5(3) of the ePrivacy Directive.
- Link Design: The Taskforce considered deceptive “Link Design” practices, noting that some cookie banners contain a link, not a button, as an option to reject the placement of cookies. The Taskforce agreed on two non-exhaustive examples that do not lead to valid consent:
  - the only alternative action offered (other than granting consent) consists of a link behind wording such as ‘refuse’ or ‘continue without accepting’ embedded in a paragraph of text in the cookie banner, in the absence of sufficient visual support to draw an average user’s attention to this alternative action;
  - the only alternative action offered (other than granting consent) consists of a link behind wording such as ‘refuse’ or ‘continue without accepting’ placed outside the cookie banner where the buttons to accept cookies are presented, in the absence of sufficient visual support to draw the users’ attention to this alternative action outside the frame.
- "Deceptive Button Colours" and "Deceptive Button Contrast": The Taskforce agreed that the design of cookie banners, in terms of colour and contrast of the buttons, can mislead users and result in an unintended, and thus invalid, consent. For example, cookie banners often highlight the “accept all” button over other available options. Whilst this design choice is considered problematic, the Taskforce noted that each specific cookie banner needs to be assessed on a case-by-case basis to determine whether it is misleading.
- Legitimate interests insufficient legal basis: The Taskforce confirms that the legal basis for the placement of cookies pursuant to Article 5(3) cannot be the legitimate interests of the controller.
- Inaccurately classified essential cookies: The Taskforce recognises that the assessment of cookies to determine which ones are 'essential' raises practical difficulties. The Taskforce recalls that the Article 29 Working Party Opinion 4/2012 includes criteria to assess which cookies are essential, and that cookies allowing website owners to retain the preferences expressed by users regarding a service should be deemed essential.
Website operators should review their cookie banners to ensure there is nothing misleading in terms of colour and contrast used, that the banner contains both an accept and a reject button, and that consent is as easy for users to give as it is for them to reject. It is worth noting, as mentioned in the report, that any unlawful placement of cookies in contravention of Article 5(3) of the ePrivacy Directive (in particular where no valid consent is obtained where required), means that any subsequent processing of the data collected cannot be compliant with the GDPR.