Guidelines of the European Data Protection Board with regards to Cookie Banners

March 27, 2023

On 18 January 2023, the European Data Protection Board (“the EDPB”) published the Report of the work undertaken by the Cookie Banner Taskforce (“the Report”), which addresses the issues outlined in the complaints of the European Center for Digital Rights (“NOYB”).

Namely, NOYB filed hundreds of complaints with data protection authorities throughout the EU with regard to the use of cookie banners, primarily concerning the mode of accepting and rejecting cookies, as well as the design and characteristics of the banners.

The Report therefore sets out guidelines on the interpretation of the provisions of the Directive on Privacy and Electronic Communications 2002/58/EC (“the Directive”), as well as the provisions of the GDPR.

The Report comprises nine sections that analyse eight personal data violations referred to in the NOYB complaints. In the text below, we present an overview of the key issues elaborated in the Report.

  1. Modes of accepting and rejecting cookies

The Report paid special attention to the cookie rejection option on the banner. Namely, most data protection authorities consider that the cookie rejection option needs to be displayed at the same level as the button for cookie acceptance on the banner; any practice of a data controller/processor to the contrary therefore represents a violation of the provisions of the GDPR and the Directive.

In addition, it was underlined that cookies (except for essential ones) can be installed and used only upon consent, and that consent implies a positive action by the data subject.

  2. Pre-ticked boxes on the banner

The EDPB taskforce established in the Report that several controllers offer users a number of options referring to different cookie categories with pre-ticked boxes for consent to data collection and processing, located on the second layer of the cookie banner (available after the user clicks the “Settings” button on the first layer). Accordingly, the Report notes that such practice does not comply with the provisions of the Directive and the GDPR, and that consent given in this way cannot be considered valid.

  3. Deceptive link design

The Report further notes that, if the banner contains a link instead of a button offering cookie rejection, there is deemed to be no valid consent of the data subject. Namely, controllers designing banners in this manner create the impression that users must give consent in order to access the website.

In relation thereto, the Report outlines the following examples of misleading banner design that cannot lead to valid users’ consent:

  • if the only alternative action offered on the banner (other than granting consent) is to click a link behind the words “refuse” or “continue without accepting”, while this option does not have sufficient visual support to draw an average user’s attention to the possibility of rejection;
  • if the only alternative action offered on the banner (other than granting consent) is to click a link behind the words “refuse” or “continue without accepting” placed outside the cookie banner in which the buttons to accept cookies are presented, while the reject option outside the banner does not have sufficient visual support to draw an average user’s attention.

  4. Deceptive colours and contrast of buttons on the banner

The next issue elaborated in the Report is the use of deceptive button colours and contrast (the contrast ratio between the accept button and the background) on banners, which results in the “accept all” button being clearly highlighted over the other available options.

The EDPB taskforce concluded that a general banner standard concerning colour and/or contrast cannot be imposed on data controllers. Instead, a case-by-case analysis would be necessary in order to check that the contrast and colours used are not obviously misleading for the users and do not result in an invalid consent from them.

However, the taskforce also took the view that the controllers’ practice according to which an alternative option (other than granting consent) in the form of a button where the contrast between the text and the button background is so minimal that the text is unreadable to virtually any user is manifestly misleading for users and therefore against the provisions of the Directive.

  5. Inaccurately classified essential cookies

The EDPB taskforce members agreed that many controllers classify as “strictly necessary” cookies and processing operations serving purposes that would not be considered “strictly necessary” within the meaning of Article 5(3) of the Directive or under the GDPR.

In relation thereto, the Report underlines the fact that the assessment of cookies to determine which ones are strictly necessary raises practical difficulties, in particular due to the fact that the features of cookies change regularly, which prevents the establishment of a stable and reliable list of such essential cookies.

Namely, the taskforce considered the possibility of establishing a list of essential cookies used by websites, with website owners being responsible for maintaining such lists and providing them to the competent authorities. However, as the Report concludes, the only available tools do not allow the nature of the cookies to be checked, but only the cookies placed to be listed, which might give the competent authorities grounds to seek further clarifications and information from website owners regarding their nature.

Purpose and significance of the Report

The main goal of establishing this taskforce was to promote cooperation, information exchange and creation of uniform practice among EU authorities in charge of personal data protection with regard to proper and consistent banner use.

Although the views of the EDPB taskforce presented in the Report represent the joint conclusions of the competent authorities with regard to the interpretation and application of the provisions of the Directive and the GDPR, the EDPB underlined that they are not legally binding. Nevertheless, they will certainly influence the practice of the European supervisory authorities in the field of personal data protection and, accordingly, that of related authorities in other states which refer to European practice, such as the Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia.

This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.