Overview
The European Data Protection Board (EDPB) adopted a draft report of the work undertaken by the Cookie Banner Taskforce (the Report). The Report describes how regulators apply cookie legislation in handling certain types of cookie complaints. While some of the conclusions indicate regulatory unity across the European Union, others confirm divergent views between the regulators.
One of the most relevant findings is that for the vast majority of EU authorities, not having a dedicated ‘reject cookies’ button constitutes an infringement of the law. However, companies are still left wondering whether the reject button should be in the first layer of the cookie banner (as the French Commission Nationale Informatique & Libertés (CNIL) requires) or in one of the subsequent layers (as the Spanish Data Protection Authority (AEDP) allows).
The Report is the result of more than a year of work by the group of EU supervisory authorities and is a response to complaints filed by a digital rights activists’ group NOYB.
In Depth
CAN WE NOW RELY ON ONE STANDARD ACROSS THE EUROPEAN UNION?
For those businesses who hoped that the Report will unify the understanding and enforcement of European cookie legislation, it will disappoint.
Although it is helpful in confirming some long ‘suspected’ positions of EU supervisory authorities, its conclusions make it clear that when it comes to cookies, the rules and their enforcement will continue having a national flavor. Multinational companies will have to either comply with local standards or adopt the maximum common denominator.
REPORT FINDINGS & TAKEAWAYS FOR BUSINESSES
The Report investigates the following cookie banner practices:
- No reject button in the first layer of the cookie banner
What is it about: Some cookie banners contain an ‘Accept’ & ‘Manage Cookies/Preferences’ buttons, but they do not offer dedicated ‘Reject’ cookies button in the first layer (the user has to click on Manage Cookies and then reject cookies by category or one by one, but without being able to click on ‘reject’ in the first instance and reject them all at once).
What is the takeaway: Most, but not all, authorities agreed that a Reject button on any layer is required for compliance with the ePrivacy Directive (ePD), and businesses need to take this into account. Some authorities, like the French CNIL and UK Information Commissioner’s Office (ICO), have been clear in their guidance that a Reject button is required in the first layer of a cookie banner, whilst others, like the Spanish AEPD, retain a less stringent approach, allowing the reject button to be placed in the second layer.
- Preselected consents
What is it about: Some cookie banners contain preselected options for cookies that the website operator wishes to place, even though they are not strictly necessary for the operation of the website and its services.
What is the takeaway: Such preselected consents are not valid under ePD (which applies to the General Data Protection Regulation (GDPR) consent rules).
- Deceptive design of the reject cookie function
What is it about: Instead of providing a Reject button in their banner, some businesses display only a hyperlink (by clicking such a link, the user could either reject cookies or get to the second layer to do so).
What is the takeaway: Such reject links embedded in the text of the banner/outside of the banner entirely, without anything to draw the user’s attention to them, invalidate the consent.
- Deceptive buttons colors and contrast
What is it about: Websites often make the ‘Accept’ button more prominent or attractive for the user to click on that the ‘Reject’ button by using colors or contrast.
What is the takeaway: There is no general standard, and each banner will be reviewed on a case-by-case basis. At least where the Reject button is essentially unreadable (e.g., because the color of the text is identical to the color of the button), this would be considered a misleading practice.
- Use of legitimate interest versus consent
What is it about: Some controllers integrated ‘legitimate interest’ as a legal basis for subsequent processing of data collected via cookies.
What is the takeaway: Authorities confirmed that consent is the only legal basis for placing cookies and accessing cookie IDs (subject to the ePD). The subsequent processing of personal data, however, is subject to the GDPR, which does not limit the legal basis to consent only. The Report, however, fell short of confirming whether legitimate interest specifically could be used for such further processing. Authorities agreed to resume discussions should they encounter concrete cases.
- Inaccurately classified ‘essential cookies’
What is it about: Only cookies that are essential to providing services to the user can be placed without their consent.
What is the takeaway: The Report recognized that cookie classification may be challenging for businesses. Automated cookie classification tools available on the market today are seldom perfect, and companies are forced to dedicate additional internal resources to fully understand what cookies are being placed on their websites (‘false’ essential cookies often originate from third-party providers).
- No consent withdraw icon
What is it about: Controllers must allow users to withdraw their consent given through the cookie banner at any time. Withdrawal must be as easy as it was to give consent.
What is the takeaway: The Report confirms there is no standardized way to do this. For example, businesses can implement a persistent hovering icon on all pages of the website or place a link in a standardized and visible place on the website (which is often a much easier option to implement). Each solution will be assessed on a case-by-case basis.
THE TASKFORCE AND (FURTHER?) NATIONAL ENFORCEMENT
In September 2021, the European Data Protection Board (EDPB) set up a taskforce to coordinate the EU supervisory authorities’ response to hundreds of complaints concerning the alleged cookie banner compliance violations. These complaints were filed with several European Economic Area (EEA) supervisory authorities by the digital rights activists’ group NOYB. This followed national enforcement by EU Member State supervisory authorities in their home countries, such as several rounds of French CNIL’s investigations into cookie compliance practices of private, national and international organizations as well as public bodies; all told, this resulted in tens of orders being issued by the regulator. CNIL also imposed a number of significant fines for not making refusing cookies easy to accept and for placing IDs on users’ devices for advertising purposes without their consent. These fines ranged from €8 million to €150 million.
We expect EU supervisory authorities to continue their enforcement in this area. For many regulators, the placement and reading of cookies being regulated by the ePD, rather than the EU GDPR, became a way to investigate companies they would otherwise have to investigate only in the context of the EU GDPR cooperation mechanism. The EU GDPR’s one-stop-shop allows multinationals to interact with one ‘lead’ EU supervisory authority (usually the country of their EU headquarters) in the context of cross-border data processing (whilst the lead EU supervisory authority then must cooperate with other concerned authorities on the back end).
***
If you have any questions about the implementation of cookie banners or other questions related to tracking technologies, please contact your regular McDermott lawyer or the authors listed below.
