What’s this about?
Cookie compliance is a very hot topic: enforcement action by European regulators is increasingly on the rise, and significantly high fines have been imposed on organisations for non-compliance.
Cookies are small data files stored on a user’s device, such as their computer, which allow an online service to recognise a user and store certain information about them, such as login details. Cookies are also commonly used to target advertising at a user based on their browsing history. A cookie banner is a tool that lets a user know about a website’s cookie use and typically contains buttons that relate to managing user consent to cookie use. Typically the cookie banner has a so-called “first layer”, which is what a user immediately sees when they go on a website, often located at the bottom of the screen, and also a so-called “second layer”, which a user usually reaches only after clicking a so-called “settings” button in the first layer.
The European Data Protection Board (EDPB, an independent EU organisation made up of the EU country data protection regulators) recently adopted a report on the work undertaken by the so-called “Cookie Banner Taskforce” which was set up by the EDPB in September 2021 in order to co-ordinate the response to the large number of complaints about cookie banners made by the organization NOYB (my privacy is “None Of Your Business”) to several EU data protection regulators. This article takes a look at the report.
What the report is about – general
In general terms:
- The positions presented in the report reflect common denominators agreed by the regulators in their interpretation of the applicable provisions of both the EU ePrivacy directive and of EU GDPR for the analysis to be undertaken when handling these complaints;
- These positions reflect a minimum threshold in this multi-layered legal framework to assess the placement/reading of cookies and subsequent processing of personal data collected;
- The positions do not constitute stand-alone recommendations or findings to obtain a green light from a regulator;
- The positions do not prejudge any analysis that will have to be made by the regulators of each complaint and website concerned; and,
- These positions also have to be combined with the application of additional requirements under national legislation (of the EU countries) that implement the EU ePrivacy directive as well as any national guidance.
What the report is about – specific
The report draws conclusions about a series of cookie banner practices as follows (with key statements in the report underlined by Cordery):
- Type A Practice: No reject button in the first layer:- This is where a cookie banner has a button to accept the storage of cookies and a button that allows an individual to access further options but doesn’t have a button to reject cookies. According to the report, when regulators “[…] were asked whether they would consider that a banner which does not provide for accept and refuse/reject/not consent options on any layer with a consent button is an infringement of the [EU] ePrivacy Directive, a vast majority of [the regulators] considered that the absence of refuse/reject/not consent options on any layer with a consent button of the cookie consent banner is not in line with the requirements for a valid consent and thus constitutes an infringement”;
- Type B Practice: Pre-ticked boxes:- This is where a cookie banner provides users with several options, which, typically, represent each category of cookies to be stored, with pre-ticked boxes in the second layer of the cookie banner. According to the report, “[t]he taskforce members confirmed that pre-ticked boxes to opt-in do not lead to valid consent as referred to either in” EU GDPR or the EU ePrivacy Directive;
- Type C Practice: Deceptive link design:- This is where a cookie banner contains a link, i.e. not a button as such, as an option to reject the deposit of cookies on a user’s device, which could be a direct link to reject cookies or a link to a second layer where a user can reject the deposit of cookies. According to the report, “[t]he taskforce members agreed that […] there should be a clear indication on what the banner is about, on the purpose of the consent being sought and on how to consent to cookies. The members agreed that for the consent to be valid, the user should be able to understand what they consent to and how to do so. In order for a valid consent to be freely given, the taskforce members agreed that in any case a website owner must not design cookie banners in a way that gives users the impression that they have to give a consent to access the website content, nor that clearly pushes the user to give consent […]. The taskforce members agreed that the following examples do not lead to valid consents (non-exhaustive list):
– the only alternative action offered (other than granting consent) consists of a link behind wording such as ‘refuse’ or ‘continue without accepting’ embedded in a paragraph of text in the cookie banner, in the absence of sufficient visual support to draw an average user’s attention to this alternative action
– the only alternative action offered (other than granting consent) consists of a link behind wording such as ‘refuse’ or ‘continue without accepting’ placed outside the cookie banner where the buttons to accept cookies are presented, in the absence of sufficient visual support to draw the users’ attention to this alternative action outside the frame”;
- Type D & E Practices: Deceptive button colours & deceptive button contrast:- This is where the configuration of a cookie banner in terms of colours and contrasts of the buttons, such as a contrast ratio between the accept button and the background, could lead to a clear highlight of the “accept all” button over the available options. According to the report, “[t]he taskforce members agreed that a general banner standard concerning colour and/or contrast cannot be imposed on data controllers. In order to assess the conformity of a banner, a case-by-case verification must be carried out in order to check that the contrast and colours used are not obviously misleading for the users and do not result in an unintended and, as such, invalid consent from them. […] Based on concrete examples, the taskforce members took the view that at least this practice could be manifestly misleading for users:
– an alternative action is offered (other than granting consent) in the form of a button where the contrast between the text and the button background is so minimal that the text is unreadable to virtually any user […]”;
- Type H Practice: “Legitimate interests” claimed:- This is where there is a banner which highlights the possibility of accepting the read/write operation at the first level of the banner but does not include an option to refuse at this level, which can lead the average user to believe that they have no possibility of objecting to the deposit of cookies at all […]. In addition, at the second level of the banner, there is a distinction made between the refusal given to read/write operations and the potential objection to further processing presented as falling within the so-called “legitimate interests” of the data controller. Under EU GDPR “legitimate interests” is one of several lawful bases under which personal data can be processed – others include consent. According to the report, it appears that “legitimate interests” has been relied on for different processing activities such as “Create a personalised content profile” or “Select personalised ads”, but “[…] it could be considered that no overriding legitimate interest would exist for such processing activities”. Further, “[t]he integration of this notion of legitimate interest for the subsequent processing “in the deeper layers of the banner” could be considered as confusing for users who might think they have to refuse twice in order not to have their personal data processed”. In addition, “[…] the TF members confirmed that the legal basis for the placement/reading of cookies [under the EU ePrivacy directive] cannot be the legitimate interests of the [data] controller”;
- Type I Practice: Inaccurately classified “essential cookies”:- This is where cookies, and processing operations which use personal data, serve purposes which would not be considered “strictly necessary” under the EU ePrivacy directive or EU GDPR but are nonetheless classified as “essential” or “strictly necessary” cookies (i.e. cookies which are essential for a website to function correctly, for which consent is not required). According to the report, “[…] the assessment of cookies to determine which ones are essential raises practical difficulties, in particular due to the fact that the features of cookies change regularly, which prevents the establishment of a stable and reliable list of such essential cookies”;
- Type K Practice: No withdrawal icon:- This is where a banner provides an option allowing users to withdraw consent, in various forms, but without displaying a small hovering and permanently visible icon on all pages of the website that allows individuals to return to their privacy settings, where they can withdraw their consent. According to the report, “Website owners should put in place easily accessible solutions allowing users to withdraw their consent at any time, such as an icon (small hovering and permanently visible icon) or a link placed on a visible and standardized place.” Further, “[a] case-by-case analysis of the solution displayed to withdraw consent will always be necessary. In this analysis, it must be examined whether, as a result, the legal requirement that it is as easy to withdraw as to give consent is fulfilled.”
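The Type D & E practice above turns on whether the reject button is readable next to the accept button. As an added example, not from the Cordery article or the EDPB report, the following checker puts a number on that comparison using the WCAG 2.x relative-luminance contrast formula; the report imposes no colour standard, so the formula and the thresholds are assumptions used only as a first-pass yardstick before the case-by-case review the report calls for.

```javascript
// Added example, not from the Cordery article or the EDPB report: a numeric
// first pass at the "deceptive button contrast" practice (Type D & E).
// The report sets no colour standard; the WCAG 2.x relative-luminance
// contrast formula and the thresholds below are assumptions used as a yardstick.

function hexToRgb(hex) {
  let h = hex.replace('#', '');
  if (h.length === 3) h = h.split('').map(c => c + c).join('');
  const n = parseInt(h, 16);
  return [(n >> 16) & 255, (n >> 8) & 255, n & 255];
}

// sRGB channel (0-255) to linear light, per the WCAG relative-luminance definition
function channelToLinear(c) {
  const s = c / 255;
  return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
}

function relativeLuminance(hex) {
  const [r, g, b] = hexToRgb(hex).map(channelToLinear);
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// WCAG contrast ratio (lighter + 0.05) / (darker + 0.05), from 1:1 up to 21:1
function contrastRatio(fg, bg) {
  const a = relativeLuminance(fg), b = relativeLuminance(bg);
  return (Math.max(a, b) + 0.05) / (Math.min(a, b) + 0.05);
}

// Compare the accept and reject buttons of one banner. 4.5:1 is WCAG AA for
// normal text (assumed here as "readable"); a reject button far below the
// accept button's ratio is flagged as the report's "clear highlight" of accept.
function auditBanner(banner, minReadable = 4.5, maxProminenceGap = 2) {
  const accept = contrastRatio(banner.accept.text, banner.accept.background);
  const reject = contrastRatio(banner.reject.text, banner.reject.background);
  const findings = [];
  if (reject < minReadable) findings.push('reject button text is below readable contrast');
  if (accept / reject > maxProminenceGap) findings.push('accept button is far more prominent than reject');
  return { accept: +accept.toFixed(2), reject: +reject.toFixed(2), findings };
}

// Constructed sample: white-on-blue "Accept all", pale-grey-on-white "Reject all"
const sampleBanner = {
  accept: { text: '#ffffff', background: '#1a56db' },
  reject: { text: '#cccccc', background: '#ffffff' },
};
```

For the constructed sample, `auditBanner(sampleBanner)` reports the accept button at roughly 6.2:1 and the reject button at roughly 1.6:1, raising both findings.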
Cookie non-compliance carries risk for organisations. Although the cookie banner report is not legally binding, it is a timely alert to the compliance issues involved, and accordingly organisations should consider:
- Reviewing their cookie banners to determine whether those banners, in terms of their set-up, appearance and the language used in them, are in line with the report’s findings along with any case-law and guidance of European regulators – whilst a one-size-fits-all approach may be desirable, the local situation should be checked. Whilst some issues are more straightforward, such as no pre-ticked boxes, there are a number of subtle issues to consider, such as the use of colours and contrast; and,
- Checking the actual cookies their websites use, including determining whether cookies are really “essential” cookies or not. Another key issue to review here is the retention period for cookies, which, generally speaking, should not be long.
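The second suggestion, checking which cookies a site actually sets and how long they persist, can start from the Set-Cookie headers a crawler or browser devtools capture. The following audit is an added example, not from the Cordery article: the list of cookies treated as essential and the 13-month (395-day) ceiling are assumptions a reviewer would replace with their own declared list and the threshold their local regulator applies.

```javascript
// Added example, not from the Cordery article: a first-pass audit of the cookies
// a site actually sets, read from captured Set-Cookie response headers, to support
// the "check the actual cookies" and retention review suggested above.
// The essential-cookie allow-list and the 13-month (395-day) ceiling are assumptions.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Lifetime in days: Max-Age wins over Expires (RFC 6265); neither means a
// session cookie, reported as 0 days.
function retentionDays(cookie, now) {
  if (cookie.attrs['max-age'] !== undefined) return Number(cookie.attrs['max-age']) / 86400;
  if (cookie.attrs['expires']) return (Date.parse(cookie.attrs['expires']) - now.getTime()) / 86400000;
  return 0;
}

// One row per cookie: lifetime, whether it is on the declared-essential list,
// and findings a reviewer should follow up.
function auditCookies(headers, essentialNames, now, maxDays = 395) {
  return headers.map(parseSetCookie).map(c => {
    const days = Math.round(retentionDays(c, now));
    const essential = essentialNames.includes(c.name);
    const findings = [];
    if (!essential) findings.push('not declared essential: requires prior consent');
    if (days > maxDays) findings.push(`retention of ${days} days exceeds ${maxDays}-day ceiling`);
    return { name: c.name, days, essential, findings };
  });
}

// Constructed sample headers, as a crawler or browser devtools might capture them
const sampleHeaders = [
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'cookie_consent=rejected; Max-Age=15552000; Path=/; Secure',
  '_adtrack=xyz; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/; Domain=example.com',
];
const sampleEssential = ['sessionid', 'cookie_consent'];
const sampleNow = new Date('2023-01-01T00:00:00Z');
```

Running `auditCookies(sampleHeaders, sampleEssential, sampleNow)` leaves the session and consent cookies clean and flags the constructed tracking cookie twice: undeclared, and persisting for 731 days.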
We run cookies clinics to help with cookie compliance – for more information see here: https://www.corderycompliance.com/more-cordery-solutions/cordery-cookies-clinic/.
We have written about cookies here, including: https://www.corderycompliance.com/ea-cookies-01/, here https://www.corderycompliance.com/french-regulator-cnil-fines-data-controller-and-data-processor-for-security-breach-sets-deadline-for-cookies-compliance/, and here: https://www.corderycompliance.com/cnil-cookies-investigation/.
We write about privacy/data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/
The European Data Protection Board’s Report can be found here: https://edpb.europa.eu/our-work-tools/our-documents/report/draft-report-work-undertaken-cookie-banner-taskforce_en
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785