Rethinking Valid Cookie Consent: EDPB’s Crackdown on Cookie Banners

09/03/2023- The European Data Protection Board (‘EDPB’), in cooperation with multiple data protection authorities, recently published a draft report on the work undertaken by its ‘Cookie Banner Taskforce’ to clarify the minimum threshold for legitimate cookie placement and subsequent data processing. The report comes as a response to hundreds of complaints filed by None of Your Business (noyb), regarding websites using unlawful cookie banners, that are in violation of the consent requirements under the ePrivacy Directive and the GDPR. Given the wide-ranging implications of the report, this blog highlights some of the key practices to avoid when you, as an organization, design a cookie banner for your website.

Cookie Banners: The Gatekeepers of Consent

Cookies are simply small files that a website provider places on the terminal equipment of the user, such as a phone or a computer, when the user visits the website. However, certain cookies - such as those that are not strictly necessary for providing an information society service to the user, or for transmitting electronic communications - can only be placed after the user has provided free and informed consent, as per Article 5(3) of the ePrivacy Directive and Articles 4(11) and 7 of the GDPR.

To that end, cookie banners, if formulated correctly, are an effective mechanism to (i) inform users, (ii) acquire valid consent prior to the processing their data and to (iii) provide real control to users over their consent preferences. However, as we previously discussed here, studies have shown that deceptive tactics have been deployed by website providers to their design interfaces, in order to rely on consent as the legal basis for processing of personal data through cookie use.  

Observations of the Cookie Banner Taskforce

At the onset, the report highlighted how any ‘subsequent processing of data’ under the GDPR is automatically unlawful, if the website provider fails to lawfully acquire consent under the ePrivacy Directive. The CJEU has already ruled that any violations under the ePrivacy Directive falls outside the scope of the One-Stop Shop (OSS) Mechanism, as it is an exclusive competence of the data protection authorities constituted under the GDPR. Consequently, while a website provider might be able to rely on the OSS mechanism for subsequent processing under the GDPR, the website provider will not be able to prevent multiple authorities from taking enforcement actions against any violations under the ePrivacy Directive that precedes any potential violations under the GDPR.

The observations of the taskforce listed below are an indication of the ‘common denominator’ of different data protection authorities’ understanding of GDPR and the ePrivacy Directive pertaining to cookie banners and cookie use. While this collective interpretation does not preclude a case-by-case analysis of a website’s implementation of cookie banners, it does, however, highlight specific practices that are considered problematic, or deemed to be illegal, and ones that website providers should avoid.  

1. Absence of an explicit option to reject cookies at the first layer of the cookie banner (i.e., the layer where the user is provided with an explicit option to accept), but instead relegated to the second layer.
2. Utilizing pre-ticked boxes, as consent is only valid through affirmative action, with a user having to opt-in for any data processing by cookies.
3. Using Deceptive Link design and providing insufficient visual support to the user, such as by linking the option to refuse consent in a paragraph of text or outside the cookie banner, in order to not draw their attention to their ability to revoke consent.
4. Relying on deceptive color contrasting whereby the text for the alternative option to consenting is practically unreadable as the contrast between the color of the text and the button is minimal.
5. Falsely classifying the use of non-essential cookies, such as advertising cookies, as being of legitimate interest to the website provider and therefore not relying on consent.
6. Absence of a permanently accessible option on the website to withdraw consent, such as by way of a small, hovering icon or a prominently located link.
7. Other problematic practices such as the use of misleading colors for options in cookie banners, and unfair classification of the category of cookies as being ‘strictly necessary’ were identified as having to be considered on a case-by-case basis.

Design Choice Implications: Cookie Consent Banner 2.0?

Indeed, the report is still a draft, and does not yet provide exhaustively all the prohibited design patterns, but it is still a crucial part of the EDPB’s continuous efforts to effectively regulate the ‘gatekeepers of consent’, and to shore up the legal requirements of consent. If the new EDPB Guidelines on deceptive design patterns for social media platforms and the Digital Services Act is any indication, design choices of cookie banners by website providers must be reconsidered to ensure that they do not contain any deceptive patterns.

At Considerati, we provide cookie scan services where we analyze the cookies you use, your cookie policy and banner inter alia, and provide advice on how to achieve GDPR and ePrivacy Directive compliance. We will continue to monitor these developments, and should you have any questions about their implications, do not hesitate to contact us.

Do you use cookies to process personal data? Download our flyer for more information.