On 18 January 2023, the European Data Protection Board ("EDPB") published a report on the work undertaken by its Cookie Banner Task Force to ensure a uniform approach regarding a number of cookie-banner-related complaints filed by Max Schrems' organization NOYB in all member states. These complaints have resulted in decisions by the Austrian, French, Italian, Danish and Spanish supervisory authorities in relation to the use of Google Analytics cookies.
In the report of 18 January 2023, the EDPB set out an agreement between the EU supervisory authorities on a common interpretation of the provisions of the ePrivacy Directive (Directive 2002/58/EC) and the General Data Protection Regulation ("GDPR") applicable to the use of cookies.
1. Applicable legal framework
According to the report, both the national laws implementing the ePrivacy Directive ("ePrivacy Laws") and the GDPR govern the use of cookies. While the ePrivacy Laws concern the placement of cookies (and similar technologies) to devices, the GDPR concerns the subsequent processing of personal data upon placing the cookie(s).
The EDPB recalled that the one-stop-shop principle does not apply in relation to issues falling within the scope of the ePrivacy Directive. In addition, having a website that is accessible in several or all EU member states does not automatically trigger the one-stop-shop mechanism set out in the GDPR in regard to the competent supervisory authority. Rather, this will be decided on a case-by-case basis.
2. Common mistakes when using cookies
The EDPB then summarized its view on the most common mistakes companies make when trying to address the ePrivacy Directive and the GDPR.
- No "reject all" button on the first layer. If there is an option to accept all cookies on a certain layer of the cookie banner, there must also be a "reject all" on the same layer, as "a vast majority" of the authorities noted.
- Using "pre-ticked" boxes, for example in the "settings", hinders obtaining valid consent. Therefore, all non-strictly necessary cookies should be turned off by default.
- Deceptive "link" design. The user must be able to understand what s/he consents to and how to do so. Any design that "pushes" the user to give consent or that gives the impression that the website may only be used when the user consents to all cookies will lead to the consent being invalid. The report lists two examples where the "accept all" option was in the form of a button whereas the "refuse" option was in form of a link embedded in some text or outside of the cookie banner in a way that did not daw the user's attention to it.
- Deceptive "button" design. Similar to the deceptive link design, a layout of a cookie banner in terms of contrast and color could be misleading and result in an unintended and thus invalid consent. The EDPB takes the view that a general banner standard regarding coloring and contrast cannot be imposed but that the conformity must be assessed on a case-by-case basis.
- Wrong legal bases and confusing refusal options. According to Article 5 (3) of the ePrivacy Directive (and the ePrivacy Laws), all cookies that are not strictly necessary for the operation of a website require consent. In contrast, for subsequent personal data processing, theoretically, any legal bases according to Art. 6 (1) GDPR, can be leveraged. However, the lawful processing of personal data collected through cookies requires that the placing of the cookie was lawful in the first place (i.e., in accordance with the ePrivacy Directive). In addition, the EDPB appears to indicate that relying on legitimate interest to "create a personalized content profile" or "select personalized ads" cannot be based on an overriding legitimate interest on the part of the data controller. The wording of the report leaves it unanswered whether this merely applies in the specific case or whether this legal basis is to be excluded in general for the mentioned purposes. In the example given by the EDPB, the cookie banner was also designed in such a way that it was not clear how the users could object to the processing of their personal data.
- Wrongfully claiming cookies are "essential" or "strictly necessary". According to the ePrivacy Directive, an exception to the requirement to obtain the prior consent of users applies only to those cookies that are strictly necessary for the operation of the website. It is a duty to keep this list of such cookies up-to-date, even in light of changing regulatory requirements. Concerning the question of which cookies are mandatory, the EDPB refers to Opinion 04/2012 on Cookie Consent Exemption of the Art. 29 working party.
- No easy way to withdraw. Effective consent requires that it can be withdrawn at any time and in a manner as easy as to provide consent. This means that if consent has been given by means of a button, a withdrawal option can be provided by either a permanently visible floating button or a link placed on a visible and standardized place (such as on the footer of the website). However, there is no compulsory way of implementing such withdrawal, as long as the solution is easy.
3. Did the EDPB's report create any new requirements?
Many of the practices criticized in the report have also been viewed critically by data protection authorities in the past (such as the French CNIL, see here) and the opinion of the EDPB is in line with guidance by the supervisory authorities (such as the Austrian supervisory authority).
For example, in a comment of the report by the German Federal Data Protection Commissioner on its website, it refers to the EDPB guidelines on dark patterns that were adopted in March 2022 and the German data protection authorities guidance on telemedia that imply similar standards.
Overall, no requirements were set that are completely new. However, the new report collates the relevant previous requirements together in a readily accessible form.
4. Are supervisory authorities bound by contents of the report?
Since the ePrivacy Directive must be implemented in ePrivacy Laws by the individual member states, there may still be local differences in relation to the setting of cookies, something made clear in the EDPB report. However, local supervisory authorities would likely not substantially deviate from these standards.
It can be hoped and assumed that this report represents a step towards a more consistent and uniform interpretation of the EU's data protection regulations, which will make business easier, especially in the case of websites that target multiple EU jurisdictions or are set up in the same manner for each local domain. At the same time, it is likely to become more difficult to take a different approach.
5. To Dos for Companies
- Companies should check websites to see to what extent cookies are deployed and revise the cookie banner setup.
- Dark patterns nudging the user to consent to cookies must be avoided.
- Active consent must be obtained on user's devices prior to implementing cookies that are not strictly necessary.
- An easy option to reject and also withdraw consent must be provided.