EU Cookie Banners: EU Cookie Banner Task Force Report Homes in on Unlawful Practices

BCLP

On 18 January 2023, the European Data Protection Board (the “EDPB”) announced the adoption of a report on the work undertaken by the Cookie Banner Task Force (the “Task Force”). The Task Force was formed in September 2021 for the purpose of co-ordinating the responses of its member data protection supervisory authorities in the wake of the hundreds of cookie banner complaints filed by “None of Your Business” (NOYB), the NGO led by privacy advocate Max Schrems.

Per the EDPB’s press release accompanying the report, the Task Force aimed to “promote cooperation, information sharing and best practices between the [supervisory authorities], which was instrumental in ensuring a consistent approach to cookie banners across the EEA”.

Which rules apply?

The report contains valuable guidance for those looking to ensure that their cookie banner practices comply with the relevant legal standards. On the interplay between the ePrivacy Directive (2002/58/EC) and the EU GDPR, it notes that:

  • In respect of complaints concerning the “placement or reading of cookies”, the relevant legal framework is the cookie rules set out in the national laws transposing the ePrivacy Directive.
  • In respect of concerns regarding any processing of personal data that takes place after storing or gaining access to information stored on the device of a user, the relevant legal framework is the EU GDPR.

It is also confirmed that the EU GDPR’s “one stop shop” mechanism does not apply to matters falling within the scope of the ePrivacy Directive.

Unlawful practices highlighted by the Task Force

In its report, the Task Force highlights 11 practices that are considered to infringe EU law requirements regarding the use of cookies and other web tracking technologies. These include:

  1. The absence of a “reject cookies” button on the same layer of a cookie banner as the “accept” button.
  2. The use of “pre ticked” boxes on the second layer of a cookie banner, when a user has clicked on the “settings” button available on the first layer (meaning the user would need to “untick” these boxes in order to reject the relevant cookies).
  3. The use of a link as opposed to a “reject” button on the cookie banner (for instance, providing a link to a second layer where users can then reject the depositing of cookies).
  4. The use of deceptive button colours or contrasts which disproportionately highlight the “accept” or “accept all” button, or obfuscate the alternatives (i.e. the “reject” or “settings” buttons).
  5. The claiming of legitimate interests in the second layer of the cookie banner, as a basis upon which the further processing of personal data obtained via cookies takes place. The Task Force notes that splitting out (i) the initial cookie consent, and (ii) the notion of “legitimate interests” within a deeper layer of the banner may confuse users and make them think that they need to refuse twice (when in reality, a user only needs to reject the use of cookies on the first layer).
  6. The inaccurate classification of cookies as “essential” or “strictly necessary”, with the consequence that consent is not being sought for their placement on a user’s device. At the same time, the Task Force agreed that assessing cookies to determine which ones are essential raises practical difficulties, in particular because the features of cookies change regularly, preventing the establishment of a stable and reliable list of such essential cookies. The report cited earlier guidance, noting that cookies allowing website owners to retain the preferences expressed by users regarding a service should be deemed essential.
  7. The absence of an easily accessible solution allowing users to withdraw their consent to the placement of cookies at any time. The Task Force mentions mechanisms such as an icon or link placed in a visible and standardised location, but notes that a case-by-case analysis will always be necessary to determine whether a given mechanism meets the legal requirement that it is as easy to withdraw as to give consent.

The report is described as representing “the common denominator agreed by the [supervisory authorities] in their interpretation of the applicable provisions of the ePrivacy Directive, and of the applicable provisions of the GDPR”, following the NOYB cookie banner complaints.

The Task Force describes the positions as reflecting “a minimum threshold in this multi-layered legal framework to assess the placement/reading of cookies and subsequent processing of the data collected”. As such they are a starting point and “do not prejudge the analysis that will have to be made by the authorities of each complaint and each website concerned”.

At a time when there has been a lack of consensus between the EU supervisory authorities on GDPR enforcement related to cross-border processing, the clarity contained in this brief document will be welcomed by website operators subject to the EU GDPR and the ePrivacy Directive.

In the UK, cookies compliance has historically been a low enforcement priority for the UK’s Information Commissioner’s Office (the “ICO”). It remains to be seen whether this clear steer from the EDPB will inspire some similarly granular guidance from the ICO on cookie banners.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising
