EU EDPB adopts report on the use of cookie banners

The Task Force was established in September 2021 to coordinate the response to complaints concerning cookie banners filed with several EEA Supervisory Authorities (SAs) by the non-profit organisation none of your business (noyb). The Task Force aimed to promote cooperation, information sharing and best practices between SAs in order to ensure a consistent approach to cookie banners across the EEA. 

In the report, the SAs agreed upon a common position on their interpretation of applicable provisions of the ePrivacy Directive and the GDPR in relation to cookie banners, including on the following issues:

• Reject Buttons: the vast majority of SAs considered that the absence of a ‘reject option’ on any layer that has a ‘consent option’ is not in line with the requirements for valid consent. However, a few SAs highlighted that the ePrivacy Directive does not make reference to a ‘reject option’ and therefore did not consider the absence of one infringed the law;
• Pre-Ticked Boxes: it was noted that a number of website operators present options to users via pre-ticked boxes (e.g. to select categories of cookies on the second layer of a cookie banner). The SAs confirmed that the use of pre-ticked boxes to opt-in to the placing of cookies does not lead to valid consent;
• Banner Design: there should be a clear indication of what the banner is about, on the purpose of the consent being sought and on how to consent to cookies. The report gives examples of various approaches that do not lead to valid consent, including practices the SAs consider deceptive. In addition, the SAs agreed that in relation to design choices, a cookie banner standard could not be imposed on website operators. They emphasised that each specific cookie banner should be assessed on a case-by-case basis to consider whether the design choices (including the use of button colours and contrast) are misleading and result in an invalid consent from users;
• Legitimate interest: the report considers how legitimate interest is sometimes used as a lawful basis to justify subsequent processing of personal data collected from cookies. The report concludes that to be lawful, the initial storage and access of personal data via cookies must comply with the ePrivacy rules (i.e. consent is required unless the cookie is ‘strictly necessary’) and subsequent processing must comply with the GDPR. The SAs agreed to resume discussions on the use of legitimate interests in the context of cookies should they encounter concrete cases where further discussion would be necessary to ensure a consistent approach; and
• Withdraw Icons: website operators should put in place easily accessible solutions allowing users to withdraw their consent at any time, such as a small, hovering and permanently visible icon or a link placed on a visible and standardised place. However, the SAs agreed that a case-by-case analysis of the method displayed to withdraw consent will always be necessary (as opposed to imposing one solution). As such, the legal requirement that it is as easy to withdraw as to give consent is fulfilled would need to be considered in respect of each of these solutions.

The report clarifies that the positions outlined in the report should not be read as setting out the requirements of any SA in respect of a specific complaint and/or specific website, rather they represent a minimum, common standard.

The EDPB emphasises that the findings of the report must be combined with the application of additional national requirements stemming from the national laws transposing the ePrivacy Directive in the Member States, as well as to further clarifications and guidance provided by the relevant SA to enforce the law transposing the ePrivacy Directive at national level, which should remain fully applicable.

Read the EDPB press release here and the report here.

This entry was first published by aosphere.