On
January
18,
2023,
the
European
Data
Protection
Board
(“EDPB”)
published
its
Report
on
the
work
undertaken
by
the
Cookie
Banner
Taskforce
(the
“Report”).
The
positions
reflected
in
the
Report
result
from
the
coordinated
response
of
EU
data
protection
authorities
(“DPAs”)
to
the
complaints
filed
by
the
non-governmental
organization
co-founded
by
privacy
activist
Max
Schrems,
None
of
Your
Business
(“NOYB”),
that
related
to
the
requirements
of
cookie
banners
in
the
EU.
Key
Takeaways
from
the
Report
The
Report
addresses
and
presents
the
EDPB’s
position
on
a
number
of
practices
that
have
been
under
the
radar
of
EU
DPAs.
Key
takeaways
from
the
Report
include:
-
The
EDPB
recalls
that
the
one-stop-shop
mechanism
introduced
by
the
EU
General
Data
Protection
Regulation
(“GDPR”)
does
not
apply
to
cookie-related
issues,
as
cookie
rules
are
set
forth
under
the
ePrivacy
Directive. -
The
use
of
pre-ticked
boxes
to
opt-in
to
the
use
of
cookies
does
not
lead
to
valid
consent. -
Deceptive
“link
design”
practices
that
only
contain
a
link
to
reject
the
use
of
cookies
and
practices
giving
users
the
impression
that
they
have
to
consent
to
access
the
website
or
that
clearly
push
users
to
give
consent
are
prohibited. -
Deceptive
practices
that
consist
in
using
different
button
colors
and
contrast
with
a
view
to
highlight
the
“accept
all”
button
over
the
available
options
are
prohibited.
While
the
validity
of
a
design
should
be
assessed
on
a
case-by-case
basis,
all
buttons
should
ideally
use
the
same
size,
color,
font
and
contrast
so
as
to
ensure
that
consent
is
freely
given. -
A
vast
majority
of
EU
DPAs
consider
that
a
“reject
all”
button
must
be
included
on
the
first
layer
of
the
cookie
banner
so
as
to
ensure
that
the
use
of
cookies
is
as
easy
to
accept
as
it
is
to
refuse
and
that
consent
is
in
line
with
GDPR
consent
requirements.
In
this
respect,
the
EDPB
indicates
that
only
a
few
DPAs
consider
that
they
cannot
retain
an
infringement
in
this
case
as
it
is
not
an
explicit
requirement
of
the
ePrivacy
Directive. -
Claiming
reliance
on
the
“legitimate
interests”
legal
basis
for
the
use
of
non-essential
cookies
(e.g.,
targeted
advertising
cookies)
and
not
collecting
valid
consent
for
the
use
of
such
cookies
is
prohibited.
The
EDPB
also
clarified
that
non-compliance
with
the
rules
on
the
use
of
cookies
will
result
in
non-compliance
of
any
subsequent
processing
of
personal
data
collected
through
cookies. -
Website
owners
should
put
in
place
easily
accessible
solutions
allowing
users
to
withdraw
their
consent
at
any
time,
such
as
through
the
use
of
a
small
hovering
and
permanently
visible
icon,
or
a
link
placed
on
a
visible
and
standardized
place. -
Inadequately
categorizing
cookies
that
serve
purposes
which
would
not
be
considered
as
“strictly
necessary”
under
the
“strictly
necessary”
cookie
bucket
is
prohibited.
The
taskforce
however
recognized
the
practical
difficulty
of
classifying
cookies
used
on
a
website,
particularly
as
cookie
features
change
regularly.
Next
Steps
The
EDPB
clarified
that
the
positions
laid
down
in
the
Report
reflect
“a
minimum
threshold”
in
implementing
cookie
rules
in
the
EU
and
“do
not
constitute
stand-alone
recommendations
or
findings
to
obtain
a
greenlight
from
a
competent
authority.”
This
means
that
the
Report
is
independent
from
the
decisions
that
have
been
or
will
be
taken
in
relation
to
NOYB’s
complaints.
The
content
of
the
Report
is
however
expected
to
inform
or
influence
DPAs’
decisions
about
cookies
in
the
future.
Read
the
Report.