On the 18th of January, 2023 the EDPB adopted a report on the work undertaken by the Cookie Banner Task Force (Report). The Report reflects the DPAs’ common denominator in their interpretation of the provisions of both the GDPR and the e-Privacy Directive (EPD) regarding the use of cookies and their subsequent processing of data collected.
The key points of the Report
As the Austrian NGO NOYB filed complaints regarding cookie banners with several different DPAs, a task force was established to promote cooperation, information sharing and best practices among them in the area of cookie banners. As a result, the Report reviews the main issues with cookie banners:
- No reject button on the first layer. As noted by the task force, some data controllers include the option to accept cookies but do not provide an option to reject them within the same banner. In this regard, it was noted that no cookies which require consent can be set without consent, and that consent must be expressed by a positive action on the part of the user. Removing the option to refuse the cookies results in the invalidity of the provided consent, e.g., the Spanish DPA fined Vueling Airlines EUR 30,000 for not giving users the ability to refuse its cookies and forcing them to accept them if they wanted to browse its website.
- The use of pre-ticked boxes. As the task force recalled, pre-ticked boxes or inactivity do not constitute consent. This has also been highlighted in EDPB’s Guidelines 3/2022 on Dark patterns in social media platform interfaces. This is another common mistake that can lead to a fine, as seen in the example of SA Rossel & Cie and Roularta Media Group, where the Belgian DPA fined both companies EUR 50,000 for violations related to the use of cookies.
- The use of a link, instead of a button, as an option to reject cookies. The task force provided two examples of cookie banners where the only alternative action (other than granting consent) consists of:
1. A link behind the wording to refuse the cookies, without visual support to draw an average user’s attention to this alternative action; and
2. A link behind the wording to refuse the cookies, placed outside the cookie banner.
- The use of deceptive button colours and contrast. In this particular regard, the task force pointed out cookie banners that, in terms of the colours and contrast of the buttons, may confuse the data subject and highlight the “accept all” button over the other available options. As was the case with the cookie banner practices mentioned above, the information provided to the data subject must be clear and allow them to make an informed decision about the cookies they wish to consent to. Any deviation from this practice will in most cases lead to invalid consent.
- Legitimate interest claimed, list of purposes. As explained by the task force, some banners highlight the possibility to accept the storage of data and the reading of their previously stored data, but do not provide an option to refuse this at the same level. On the second level of the banner, the distinction is made between the refusal given to read/write operations and the potential objection to further processing presented as falling within the legitimate interest of the data controller. In those cases:
1. It appears that legitimate interest is used for different processing activities, such as the creation of a personalised content profile or ads;
2. The integration of legitimate interest for subsequent processing may confuse the data subject due to the requirement to refuse twice in order not to have their personal data processed.
- Inaccurately classifying cookies as essential. The obligation to ensure an accurate classification of cookies lies with the data controller. The task force highlighted the use of specific tools that help analyse the website and recalled Opinion 04/2012 on Cookie Consent Exemption, both of which help in the correct classification of necessary cookies.
- No “withdraw” icon. In order for the consent to be valid, the users of the website must have an easy option to change their previously given consent. For this, the task force highlighted the use of a link or an icon in a visible and standardized place.
As the aim of the Report is the harmonised application of both the GDPR and the EPD by the DPAs, the outlined practices should be taken seriously by data controllers. Whilst there is no universally imposed obligation to follow one standard of cookie banner, the Report identifies the practices that are generally agreed to be poor, allowing data controllers to review their own cookie banners against them.
The content of this article is intended to provide a general guide to the subject matter. If you need assistance regarding a specific situation related to cookie banner compliance, or have any other question related to personal data protection, please consult the experts of ECOVIS ProventusLaw.
This review was prepared by internationally certified ECOVIS ProventusLaw data protection expert Milda Šlekytė and junior associate Julija Ginotytė