After the non-profit organization NOYB issued a massive number of draft complaints (over 500) in May 2021 to companies implementing allegedly unlawful cookie banners, the EDPB decided to set up a task force composed of delegations of the EU Supervisory Authorities (SAs) to coordinate the response to the complaints NOYB filed with several European SAs.
The task force was established in accordance with Art. 70(1)(u) GDPR with the goal of promoting cooperation, information sharing and best practices among the SAs.
In January 2023 the task force published a report on the work undertaken between May 2021 and August 2022, during the thirteen meetings held to coordinate the follow-up to the complaints raised by NOYB.
The organization's complaints focused on very frequent “bad practices” in cookie banners that restrict the options users have to select the technologies to be implemented, hence limiting their data protection rights.
In the report, the task force commented on the following topics related to cookie banner compliance:
Presence of the “Reject All” option in the first layer of the cookie banner
The majority of the delegations are of the opinion that if a “Reject All” option is not present on any layer of the cookie banner that has a consent button, this is not in line with the concept of valid consent; hence the practice of not offering both options wherever the banner asks for consent would infringe the GDPR. However, some authorities also noted that the e-Privacy Directive does not explicitly mention a “Reject All” option, so the infringement is arguable. As an underlying principle, it should be recalled that no cookie requiring consent for its activation on the device can actually be implemented without valid consent.
It is a well-known practice that some controllers present pre-ticked boxes in the second layer of the cookie banner, where the user can select the categories of cookies/tracking technologies to allow. According to the task force, this practice would contradict the GDPR and e-Privacy Directive requirements, specifically in relation to the validity of consent. The reference is to the GDPR (Recital 32: “Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”) and to Article 5(3) of the ePrivacy Directive. If the user does not perform an affirmative action, the consent cannot be considered valid; hence pre-ticked boxes should be avoided.
The task force has reviewed some cases of deceptive cookie banner design, especially cases where the option to refuse cookies is not visible enough (for example, it is available at a second-layer link) or where the design of the banner leads the user to believe that the website is accessible only by accepting the optional cookies.
According to the task force, those practices are not considered to be valid consent options. The goal of the website controller should be to enable users to make a choice on depositing cookies in a clear and intuitive form.
Design and colour for the “Accept All” and “Reject All” buttons
The task force looked at some consent management banners and related processing operations that rely on the legitimate interest of the controller as the legal basis for processing data obtained via cookies/tracking technologies (Art. 6.1 (f) GDPR). The task force observed that some cookie management banners offer an “Accept all” option but not a “Reject All” option at the first layer. Furthermore, in the second layer (after clicking on the “manage settings” option) some operations would be clearly indicated as based on the legitimate interest of the controller. In some cases, those operations would also involve targeted marketing activities such as “create a personalised content profile” or “select personalised ads”. First, those marketing activities would not constitute an overriding legitimate interest of the controller, so the placement of cookies and tracking tools relying on this legal basis is not considered to be lawful. The use of such tools should therefore be in line with Art. 5(3) of the ePrivacy Directive, mainly by relying on valid consent. Secondly, it was also noted that in the second layer of the cookie banner, the “Reject All” option did not clearly include the possibility of also refusing the processing by tools potentially activated on the basis of the legitimate interest of the controller. In simple words, it is not clear to users if and how the non-necessary cookies/tracking tools would have to be actively “refused”. In summary, the processing of non-necessary cookies or similar technologies does not seem to be lawful on the legal basis of the legitimate interest of the controller and should instead be based on the valid consent of the users. However, considering the fast evolution of the subject, the task force remains open to further discussions, should a concrete case require a new review.
Inaccurate classification of some cookies as “essential”
The task force has noted that some website controllers classify as “essential” or “strictly necessary” tools that are not actually identifiable as essential. The differentiation between essential and non-essential cookies is nevertheless not always easy to define, because the features of cookies often change and controllers are often unable to maintain consistent lists of such types of cookies. On this point the task force highlighted the importance of maintaining clear lists of cookies, including by using specific tools available on the market. It seems nevertheless that, although these tools are a valid help in maintaining the list of active/inactive cookies, they are not as useful in identifying the type of cookie, especially in defining it as essential or non-essential. It also seems that the responsibility for defining the “essentiality” of a cookie still lies with the controller, and for this assessment Opinion 04/2012 on Cookie Consent Exemption of WP 29 is a crucial reference.
Options to withdraw consent
An important point assessed by the task force relates to the requirement to give the user the possibility to withdraw consent to cookies once it has been provided. Options to enable this have already been seen on websites, such as icons appearing in a fixed position on the webpage or links that make the cookie management banner visible again.
The task force reinforced that although there is no specific requirement on how this opportunity should be provided, website controllers should rely on the principles of (valid) consent (under both the GDPR and the ePrivacy Directive), which are:
- the possibility to withdraw consent;
- the ability to withdraw consent at any time; and
- withdrawing consent should be as easy as giving it.
In conclusion, the review of the task force can be considered extremely helpful to website controllers for a valid set-up of consent settings for cookies and tracking technologies, thanks to the examples it provides and the final position it takes on some practices whose lawfulness was already in doubt. We also have to consider that the topic is in continual development, and we welcome the availability of the task force and the EDPB to discuss it further as the technology evolves.