Listen to this post

On January 18, 2023, the European Data Protection Board (“EDPB”) published its Report on the work undertaken by the Cookie Banner Taskforce (the “Report”).

The positions reflected in the Report result from the coordinated response of EU data protection authorities (“DPAs”) to the complaints filed by the non-governmental organization co-founded by privacy activist Max Schrems, None of Your Business (“NOYB”), that related to the requirements of cookie banners in the EU.

Key Takeaways from the Report

The Report addresses and presents the EDPB’s position on a number of practices that have been under the radar of EU DPAs. Key takeaways from the Report include:

  • The EDPB recalls that the one-stop-shop mechanism introduced by the EU General Data Protection Regulation (“GDPR”) does not apply to cookie-related issues, as cookie rules are set forth under the ePrivacy Directive.
  • The use of pre-ticked boxes to opt-in to the use of cookies does not lead to valid consent.
  • Deceptive “link design” practices that only contain a link to reject the use of cookies and practices giving users the impression that they have to consent to access the website or that clearly push users to give consent are prohibited.
  • Deceptive practices that consist in using different button colors and contrast with a view to highlight the “accept all” button over the available options are prohibited. While the validity of a design should be assessed on a case-by-case basis, all buttons should ideally use the same size, color, font and contrast so as to ensure that consent is freely given.
  • A vast majority of EU DPAs consider that a “reject all” button must be included on the first layer of the cookie banner so as to ensure that the use of cookies is as easy to accept as it is to refuse and that consent is in line with GDPR consent requirements. In this respect, the EDPB indicates that only a few DPAs consider that they cannot retain an infringement in this case as it is not an explicit requirement of the ePrivacy Directive.
  • Claiming reliance on the “legitimate interests” legal basis for the use of non-essential cookies (e.g., targeted advertising cookies) and not collecting valid consent for the use of such cookies is prohibited. The EDPB also clarified that non-compliance with the rules on the use of cookies will result in non-compliance of any subsequent processing of personal data collected through cookies.
  • Website owners should put in place easily accessible solutions allowing users to withdraw their consent at any time, such as through the use of a small hovering and permanently visible icon, or a link placed on a visible and standardized place.
  • Inadequately categorizing cookies that serve purposes which would not be considered as “strictly necessary” under the “strictly necessary” cookie bucket is prohibited. The taskforce however recognized the practical difficulty of classifying cookies used on a website, particularly as cookie features change regularly.

Next Steps

The EDPB clarified that the positions laid down in the Report reflect “a minimum threshold” in implementing cookie rules in the EU and “do not constitute stand-alone recommendations or findings to obtain a greenlight from a competent authority.” This means that the Report is independent from the decisions that have been or will be taken in relation to NOYB’s complaints. The content of the Report is however expected to inform or influence DPAs’ decisions about cookies in the future.

Read the Report.