On January 18 the European Data Protection Board published a report with the findings of its cookie banner task force. The report clarifies how to validly collect consent through a GDPR-compliant cookie banner. Most of it boils down to one simple rule: don’t deceive the user.
The document is not legally binding, but will surely have an impact on the enforcement of cookie rules. In fact, it may very well be the start of a crackdown on deceptive cookie banners throughout Europe.
- What are the EDPB and the cookie banner task force?
- What cookies are we talking about?
- What does the report say?
- Will we see a crackdown on cookie banners?
- Conclusions
Let’s dive in!
What are the EDPB and the cookie banner task force?
Let’s start with some context. The European Data Protection Board (EDPB) is an independent body of the European Union which ensures consistent enforcement of EU data protection law across Member States. It is composed of representatives of every data protection authority (DPAs) in the European Economic Area, as well as the European Data Protection Supervisor (essentially a DPA overseeing EU institutions).
The Board frequently publishes guidelines, which are not legally binding but highly influential in practice. The body also has other powers based on the GDPR, such as settling disagreements between DPAs (as in the recent decisions concerning Meta, which we covered on our blog).
The EDPB set up the cookie banners task force in 2021 in order to ensure a coherent approach to a set of complaints filed by privacy NGO noyb, in an effort to nudge authorities towards stricter enforcement of the GDPR and the ePrivacy Directive. The strategy seems to be paying off and noyb looks quite happy with the outcome.
The report from the task force is not binding and should not be taken as “the law”. That being said, the EDPB is composed of DPA representatives, and DPAs themselves decide cookie complaints, so the document is a good indication of how cases might be handled from now on.
What cookies are we talking about?
To be clear, cookie banners are about non-essential cookies. This is an important distinction because the ePrivacy Directive of the EU mandates consent for cookies unless they are either necessary for communication, or to provide a service requested by the user (so-called “essential” cookies).
For instance, online retailers use cookies to track items in a user’s shopping cart. These cookies qualify as essential cookies and do not need consent. Likewise, cookies for security purposes do not require consent. On the other hand, non-essential cookies such as web analytics cookies and marketing cookies always require consent. This is why you see so many cookie banners on the Internet.
Websites need your consent for non-essential cookies. At the same time, they are (rightly) afraid that you may not agree to being tracked when presented with a transparent choice. This is why many cookie banners are cleverly designed to make the process of refusing cookies as confusing and annoying as possible. This is an instance of deceptive design: shady UI design choices meant to nudge or trick the user into taking a desired action. We already covered the topic on our blog a while ago.
The task force’s report reads like a nice summary of the most common instances of deceptive design in cookie banners and embodies a very clear stance: don’t.
What does the report say?
First, the vast majority of DPAs agreed that cookie banners must provide the user with a reject all option on the first layer (or with some understandable, clearly worded option to the same effect).
This is a big deal. Many banners do not offer a reject option directly, but rather present the user with choices such as accept all versus customize in the first layer. In order to reject cookies, the user must click the customize option and access a second layer of the banner with more detailed information, where the option to reject non-essential cookies is finally provided. Cookie banners without an immediately accessible reject option are confusing and unfairly leverage click fatigue against the user. We can’t wait to see them go.
To be clear, offering your user more fine-tuned control over cookies is ok, as long as you offer a reject option in the first layer. So a first layer offering a three-way choice such as accept all/reject all/customize is fine, provided that all three options are equally visible and accessible.
The report also condemns other common practices, including:
- using pre-ticked boxes to collect valid consent. We already have case law on the issue of pre-ticked boxes1, but some websites use them anyway.
- hiding the reject button with small fonts, low-contrast colors and such.
Bottom line: any clever trick to get the user to accept cookies, is probably illegal.
Will we see a crackdown on cookie banners?
We can’t predict the future, but we sure hope so, and we have good reasons to think so.
As we explained, the report describes a common ground which has been found by DPAs themselves. The document may not be binding, but DPAs are likely to stick to it when enforcing the rules.
Furthermore, there are encouraging developments in France. Around the same time the report was published, the French DPA (CNIL) fined TikTok and Microsoft for violating the ePrivacy Directive (we wrote about the cases here). In both cases, the violations included the lack of a reject button in the first layer of cookie banners- which just so happens to be one of the issues tackled by the EDPB task force. The CNIL is an influential DPA and its decisions may set an important example for others to follow.
(Updated: speaking of France, in July 2023 the CNIL fined advertising multinational Criteo for €40M for violations including placing cookies without consent. What makes the decision important is that Criteo was, to some extent, held responsible for the cookies placed by third parties on their own websites. It is early to say whether other regulators will follow the CNIL's example- but if they were to do so, Criteo could become a powerful precedent!)
Last but not least, a few reluctant DPAs will not be able to hold enforcement back. Unlike the GDPR, the ePrivacy Directive leaves no room for forum shopping, because the rules for competence are radically different. DPAs may fine companies for any ePrivacy violation committed within the jurisdiction of their State, no matter where a company is established. So Member States with lacking enforcement are no safe haven for non-compliant companies operating on the European market.
Conclusions
Bottom line: if you use web analytics or marketing cookies on your website, you should stick to the indications in the report and offer a transparent and compliant cookie banner. This means making your cookies easy to reject and will likely result in many users rejecting them. There is no way around that.
Unless, of course, you ditch cookies altogether and get all the information you need, without invading your user’s privacy. That’s our vision: we at Simple Analytics strive to provide our customers with insights without tracking users or collecting personal data at all. If this sounds good to you, feel free to give us a try!
- #1 CJEU C-673/17 Planet49.