Following the massive number of draft complaints (over 500) that the non-profit organization NOYB issued in May 2021 to companies implementing allegedly unlawful cookie banners, the EDPB decided to set up a task force composed of delegations of the EU Supervisory Authorities (SAs) to coordinate the response to the complaints NOYB filed with several European SAs.

The task force was established in accordance with Art. 70(1)(u) GDPR with the goal of promoting cooperation, information sharing and best practices between the SAs.

In January 2023 the task force published a report of the work undertaken between May 2021 and August 2022 during the thirteen meetings held to coordinate the follow-up to the complaints raised by NOYB.

The organization's complaints focused on very frequent “bad practices” in cookie banners that restrict the options users have to select which technologies are used, hence limiting their data protection rights.

Concerning the legal background applicable to the situations reviewed, the task force reinforced that in relation to the placement of cookies (before-activation phase), the applicable framework is only the national law transposing the ePrivacy Directive. In the second phase of the placement of the cookies (after the storage and the access to personal data via the use of cookies/tracking tools) and in relation to the legal basis to be applied (mostly consent and validity of it), the GDPR would be the appropriate legislative reference that applies.

In the report, the task force commented on the following topics related to cookie banner compliance:

Presence of the “Reject All” option in the first layer of the cookie banner

The majority of the delegations are of the opinion that if a “Reject All” option is not present on any layer with a consent button in the cookie banner, this would not be considered in line with the concept of valid consent; hence the practice of not having both options in the cookie banner where the consent is displayed would infringe the GDPR. However, some authorities also noted that the ePrivacy Directive does not explicitly mention a “Reject All” option, so the infringement is arguable. It should be recalled, as an underlying principle, that no cookies requiring consent for their activation on the device can actually be implemented without valid consent.

Pre-ticked boxes

It is a well-known practice that some controllers present pre-ticked boxes in the second layer of consent of the cookie banner, where the user can select the categories of cookies/tracking technologies to allow. According to the task force, this practice would contradict the GDPR and ePrivacy Directive requirements, specifically in relation to the validity of consent. This follows from the GDPR (Recital 32: “Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”) and from Article 5(3) of the ePrivacy Directive. If the user does not perform an affirmative action, the consent cannot be considered valid, hence pre-ticked boxes should be avoided.

Deceptive links

The task force has reviewed some cases of deceptive cookie banner design, especially cases where the option to refuse the cookies is not visible enough (for example, it is only available via a second-layer link) or where the design of the cookie banner leads the user to believe that the website is accessible only by accepting the optional cookies.

According to the task force, those practices are not considered to be valid consent options. The goal of the website controller should be to enable users to make a choice on depositing the cookies in a clear and intuitive form.

Design and colour for the “Accept All” and “Reject All” buttons

Different design styles can be used to create visual button options for refusing or accepting cookies in the first layer of the cookie management banner. Whereas normally the visibility of those options should be equal and not lead to “driven” choices, the task force stated that, in order to assess the validity of options that are presented with a different design, a case-by-case analysis would be more appropriate than a generic assessment of the situation. In some cases authorities have already expressed doubts about the different design of the two options on the first layer of the cookie banner (for example, the French SA recommends that a controller must offer users the possibility to both accept and refuse cookies, and that those options should be presented with the same degree of simplicity). In the report, the task force reinforced the concept that the choice offered should not be misleading for the user: for example, a “Reject All” option that is clearly unreadable for users, offered as an alternative to an “Accept All” option that is clear and well-marked, would definitely impinge on the validity of the consent.

Legitimate interest for the use of cookies/tracking technologies

The task force looked at some consent management banners and related processing operations that rely on the legitimate interest of the controller as a legal basis to process data obtained via cookies/tracking technologies (Art. 6.1 (f) GDPR). The task force observed that some cookie management banners offer an “Accept All” option but not a “Reject All” option on the first layer; furthermore, in the second layer (after clicking on the “manage settings” option) some operations would be clearly indicated as based on the legitimate interest of the controller. In some cases, those operations would also involve targeted marketing activities such as “create a personalised content profile” or “select personalised ads”. In the first place, those marketing activities would not constitute an overriding legitimate interest of the controller, therefore the placement of cookies and tracking tools relying on this legal basis is not considered to be lawful. The use of such tools shall therefore be performed in line with Art. 5(3) of the ePrivacy Directive, mainly by using valid consent. Secondly, it was also noted that in the second layer of the cookie banner, the “Reject All” option did not clearly include the possibility of also refusing the processing by tools potentially activated on the basis of the legitimate interest of the controller. In simple words, it is not clear to users if and how the non-necessary cookies/tracking tools would have to be actively “refused”. In summary, the processing of non-necessary cookies or similar technologies seems not to be lawful on the legal basis of the legitimate interest of the controller but should be based on the valid consent of the users. However, considering the fast evolution of the subject, the task force remains open to further discussion, should a concrete case require a new review.

Inaccurate classification of some cookies as “essential”

The task force has noted that some website controllers classify as “essential” or “strictly necessary” tools that are not actually identifiable as essential. The differentiation between essential and non-essential cookies is nevertheless not always easy to define, because the features of cookies often change and controllers are often unable to maintain consistent lists of such types of cookies. With regard to this point, the task force highlighted the importance of maintaining clear lists of cookies, including by using specific tools available on the market. It seems nevertheless that, although such tools are a valid help in maintaining the list of active/inactive cookies, they are not as useful in identifying the type of cookie, especially in defining it as essential or non-essential. It also seems that the responsibility for defining the “essentiality” of a cookie still lies with the controller, and for this assessment Opinion 04/2012 on Cookie Consent Exemption of WP 29 is a crucial reference.

Options to withdraw consent

An important point assessed by the task force relates to the requirement to give the user the possibility to withdraw consent to cookies once it has been provided. Options to enable this possibility have already been seen on websites, such as icons appearing in a fixed position on the webpage or links that make the cookie management banner visible again.

The task force reinforced that although there is no specific requirement on how the opportunity should be provided, website controllers should rely on the principles of (valid) consent (both according to the GDPR and the ePrivacy Directive), which are:

  • the possibility to withdraw consent;
  • the ability to withdraw consent at any time; and
  • withdrawing consent should be as easy as giving it.

In conclusion, the review of the task force can be considered extremely helpful to website controllers for a valid set-up of cookie and tracking technology consent settings, thanks to the examples provided and the final position taken on some practices that were already raising doubts about their lawfulness. We also have to consider that the topic is in continual development, and we welcome the availability of the task force and the EDPB to discuss it further as technology evolves.