
Consistency between Data protection Authorities on Cookies

27/02/2023

The EDPB published a report on the work undertaken by the Cookie Banner Taskforce (currently in draft form). The task force was set up ad hoc in September 2021 to coordinate the responses to complaints about cookie banners submitted to the different Member State Supervisory Authorities by Maximilian Schrems’ organisation (NOYB).

The task force was formed to encourage cooperation and sharing of information and best practices among data protection authorities. This is critical to ensuring the most consistent and harmonised approach to cookie banners across the European Economic Area.

In the report, the supervisory authorities agreed on a common denominator in their interpretation of the applicable provisions of Directive 2022/58/EC (concerning the processing of personal data and the protection of privacy in the electronic communications sector) and of the GDPR on several issues, such as:

- applicable regulatory framework;
- rejection buttons;
- pre-selected boxes;
- misleading banner design;
- misleading colours of buttons;
- assertion of legitimate interest;
- inaccurate classification of essential cookies;
- icons for revoking consent.

Let us look in more detail at the seven categories set out in this document:

  1. The “reject” button must be displayed on the first layer: the user should be able to reject the entire group of optional cookies (optional because they are technically not “essential”) using a dedicated button from the start; the EDPB does not intervene here on terminology, accepting formulas such as “refuse”, “reject”, “do not consent”, and similar as equivalent;
  2. Pre-selected boxes must be avoided: the EDPB considers any pre-selection invalid (as has been repeatedly stated);
  3. Misleading link design: a link (i.e., a word or phrase with a hyperlink, e.g., to a second layer of the banner) should not be used in place of the rejection button; the EDPB points out that “in any event, the owner of a website must not design the cookie banner in such a way as to give users the impression that they have to give consent to access the content of the website, nor that it prompts the user to give consent”;
  4. Misleading button colour: the EDPB cannot impose a general banner standard concerning the colour and/or contrast of buttons; it must be verified on a case-by-case basis that the contrast and colours used “are not blatantly misleading for users and do not lead to unintended and, as such, invalid consent”;
  5. Declared legitimate interest: relying on legitimate interest as the legal basis is generally wrong; moreover, the practice of “hiding” it in the second layer of the banner, possibly with an associated button for objecting to the processing, is deceptive, because it makes the user believe that they must “refuse” (i.e., take action) twice to avoid processing (first for the consent basis, then for legitimate interest);
  6. Non-“essential” cookies: indicating as essential (i.e., mandatory) cookies that are not essential is unlawful; the EDPB states that “practical difficulties”, in particular because the characteristics of cookies change regularly, prevent the creation of a stable and reliable list of this type of cookie, which must be assessed on a case-by-case basis; the EDPB recalls that there are various tools for drawing up the list of cookies but that they are not necessarily reliable or able to classify them correctly; therefore, the final assessment and classification must always and only be carried out by the data controller; for some examples, however, the EDPB refers to the WP29 Opinion of 2012, which contains several, e.g. the case of the cookie used to maintain user preferences;
  7. No withdrawal icon: once the banner has been closed, the user should always be able to easily find (e.g., as a floating icon or at least a visible link in the footer) an option to review their cookie choices, mainly to ensure that they can withdraw consent as easily as they gave it; once again, no specific solution is imposed here, and the matter is left to a case-by-case analysis.

Since the supervisory authorities retain their spheres of autonomy, the 2021 Cookie Guidelines of our Data Protection Authority could remain unchanged; however, future assessments by our Data Protection Authority will undoubtedly have to consider the supplementary indications and interpretative insights offered by the EDPB report, although they may depart from it in a reasoned manner.

Authors

Matia Campo
Partner
Rome
Silvia Di Virgilio