On January 17, 2023, the European Data Protection Board (“EDPB”) Cookie Banner Taskforce adopted a report which provides useful guidance on cookie banners. The EDPB’s report is available here.
The Cookie Banner Taskforce was established by EU data protection authorities to examine and provide a coordinated response to the complaints raised by the non-profit organization None of Your Business (NOYB), which is co-founded by Max Schrems.
Some of the key highlights include the following:
- Legal basis for subsequent processing: The report confirms that, while placing cookies on users’ devices is subject to the e-Privacy Directive, the GDPR applies to any subsequent processing operation carried out after the cookies are placed. This means that such subsequent operations do not necessarily have to be based on “consent”, and website owners can rely on another lawful basis under Article 6 of the GDPR. If, however, website owners do rely on consent for the “subsequent processing”, the report indicates that they can collect it at the same time as they collect the consent required by the e-Privacy Directive. That said, the authorities take the view that, if a website owner fails to comply with the e-Privacy Directive when dropping cookies (in particular, when consent is not validly obtained), any subsequent processing automatically infringes the GDPR.
- One-stop shop: The report clarifies that the One Stop Shop mechanism under the GDPR (which allows EU-based companies to deal with a single supervisory authority for most of their processing activities) does not apply where the e-Privacy Directive applies. This means that, regardless of where the relevant organization is based (in the EU or not) or the nature of its data processing operations (cross-border or not), multiple authorities may take enforcement action in respect of alleged infringements of the e-Privacy Directive.
- Whether to have a “reject” option in cookie banners: There seems to be a difference of opinion between the authorities on whether there should be an explicit “reject” button in cookie banners where such banners already contain a button to “accept” cookies (or equivalent) and another button that allows users to access “further options”. While the report states that a vast majority of authorities considered the lack of a “reject” option to be an infringement, it appears there are still a few authorities that do not consider this a clear infringement of the e-Privacy Directive.
- Pre-ticked box: Consistent with past EDPB guidance and CJEU case law, pre-ticked accept boxes are not sufficient to obtain consent and so should not be used, including on the second layer of the cookie banner.
- Design: The report highlights certain problematic practices in the design of cookie banners. These include:
  - cookie banners where the only action offered to users (other than granting consent) is a link behind wording such as “refuse” or “continue without accepting” embedded in a paragraph of text, without sufficient visual support to draw an average user’s attention to the fact that this action is available;
  - configuring the colors and contrasts of the buttons to highlight the “accept all” button over the other available options. That being said, the authorities agree that a case-by-case analysis is needed to determine whether a given configuration amounts to an infringement.
- Essential and strictly necessary cookies: The authorities seem to appreciate that whether a cookie is “strictly necessary” or “essential” is difficult to assess in practice. However, the report refers to the criteria set out in the WP29 Opinion No. 4/2012 on Cookie Consent Exemption (available here) as useful guidance.
- No withdrawal icon: The authorities note that some controllers do not provide users with an easily accessible way to withdraw consent, and that this is an infringement of the e-Privacy Directive. The authorities set out some potential solutions, for example a small, hovering, permanently visible icon, or a link placed in a visible and standardized location. However, the authorities did not impose a specific method, leaving it to website owners to determine how best to fulfil in practice the legal requirement that withdrawing consent must be as easy as giving it.
While the positions outlined in the report do not constitute stand-alone recommendations or findings that can be used to obtain a green light from a competent data protection authority, the report does set a “minimum threshold” for data protection authorities and therefore provides guidance to authorities on how to handle complaints in connection with cookies.