09/03/2023 - The European Data Protection Board (‘EDPB’), in cooperation with multiple data protection authorities, recently published a draft report on the work undertaken by its ‘Cookie Banner Taskforce’ to clarify the minimum threshold for legitimate cookie placement and subsequent data processing. The report comes as a response to hundreds of complaints filed by None of Your Business (noyb) regarding websites using unlawful cookie banners that violate the consent requirements under the ePrivacy Directive and the GDPR. Given the wide-ranging implications of the report, this blog highlights some of the key practices to avoid when you, as an organization, design a cookie banner for your website.
Cookies are simply small files that a website provider places on the terminal equipment of the user, such as a phone or a computer, when the user visits the website. However, certain cookies - such as those that are not strictly necessary for providing an information society service to the user, or for transmitting electronic communications - can only be placed after the user has provided free and informed consent, as per Article 5(3) of the ePrivacy Directive and Articles 4(11) and 7 of the GDPR.
To that end, cookie banners, if formulated correctly, are an effective mechanism to (i) inform users, (ii) acquire valid consent prior to processing their data and (iii) provide users with real control over their consent preferences. However, as we previously discussed here, studies have shown that website providers have deployed deceptive tactics in their interface designs in order to rely on consent as the legal basis for processing personal data through cookie use.
At the outset, the report highlighted that any ‘subsequent processing of data’ under the GDPR is automatically unlawful if the website provider fails to lawfully acquire consent under the ePrivacy Directive. The CJEU has already ruled that violations under the ePrivacy Directive fall outside the scope of the One-Stop Shop (OSS) mechanism, as that mechanism is an exclusive competence of the data protection authorities constituted under the GDPR. Consequently, while a website provider might be able to rely on the OSS mechanism for subsequent processing under the GDPR, it will not be able to prevent multiple authorities from taking enforcement action against violations under the ePrivacy Directive that precede any potential violations under the GDPR.
The observations of the taskforce listed below are an indication of the ‘common denominator’ of the different data protection authorities’ understanding of the GDPR and the ePrivacy Directive as they pertain to cookie banners and cookie use. While this collective interpretation does not preclude a case-by-case analysis of a website’s implementation of cookie banners, it does highlight specific practices that are considered problematic or deemed illegal, and which website providers should avoid.
Indeed, the report is still a draft and does not yet provide an exhaustive list of prohibited design patterns, but it is still a crucial part of the EDPB’s continuous efforts to effectively regulate the ‘gatekeepers of consent’ and to shore up the legal requirements of consent. If the new EDPB Guidelines on deceptive design patterns for social media platforms and the Digital Services Act are any indication, website providers must reconsider the design choices of their cookie banners to ensure that they do not contain any deceptive patterns.