EDPB Publishes Report of Outcome of the Cookie Banner Taskforce

Posted
on

January
27,
2023


Listen
to
this
post

On
January
18,
2023,
the
European
Data
Protection
Board
(“EDPB”)
published
its

EDPB Publishes Report of Outcome of the Cookie Banner Taskforce



Listen
to
this
post

On
January
18,
2023,
the
European
Data
Protection
Board
(“EDPB”)
published
its
Report
on
the
work
undertaken
by
the
Cookie
Banner
Taskforce
(the
“Report”).

The
positions
reflected
in
the
Report
result
from
the
coordinated
response
of
EU
data
protection
authorities
(“DPAs”)
to
the
complaints
filed
by
the
non-governmental
organization
co-founded
by
privacy
activist
Max
Schrems,
None
of
Your
Business
(“NOYB”),
that
related
to
the
requirements
of
cookie
banners
in
the
EU.


Key
Takeaways
from
the
Report

The
Report
addresses
and
presents
the
EDPB’s
position
on
a
number
of
practices
that
have
been
under
the
radar
of
EU
DPAs.
Key
takeaways
from
the
Report
include:

  • The
    EDPB
    recalls
    that
    the
    one-stop-shop
    mechanism
    introduced
    by
    the
    EU
    General
    Data
    Protection
    Regulation
    (“GDPR”)
    does
    not
    apply
    to
    cookie-related
    issues,
    as
    cookie
    rules
    are
    set
    forth
    under
    the
    ePrivacy
    Directive.
  • The
    use
    of
    pre-ticked
    boxes
    to
    opt-in
    to
    the
    use
    of
    cookies
    does
    not
    lead
    to
    valid
    consent.
  • Deceptive
    “link
    design”
    practices
    that
    only
    contain
    a
    link
    to
    reject
    the
    use
    of
    cookies
    and
    practices
    giving
    users
    the
    impression
    that
    they
    have
    to
    consent
    to
    access
    the
    website
    or
    that
    clearly
    push
    users
    to
    give
    consent
    are
    prohibited.
  • Deceptive
    practices
    that
    consist
    in
    using
    different
    button
    colors
    and
    contrast
    with
    a
    view
    to
    highlight
    the
    “accept
    all”
    button
    over
    the
    available
    options
    are
    prohibited.
    While
    the
    validity
    of
    a
    design
    should
    be
    assessed
    on
    a
    case-by-case
    basis,
    all
    buttons
    should
    ideally
    use
    the
    same
    size,
    color,
    font
    and
    contrast
    so
    as
    to
    ensure
    that
    consent
    is
    freely
    given.
  • A
    vast
    majority
    of
    EU
    DPAs
    consider
    that
    a
    “reject
    all”
    button
    must
    be
    included
    on
    the
    first
    layer
    of
    the
    cookie
    banner
    so
    as
    to
    ensure
    that
    the
    use
    of
    cookies
    is
    as
    easy
    to
    accept
    as
    it
    is
    to
    refuse
    and
    that
    consent
    is
    in
    line
    with
    GDPR
    consent
    requirements.
    In
    this
    respect,
    the
    EDPB
    indicates
    that
    only
    a
    few
    DPAs
    consider
    that
    they
    cannot
    retain
    an
    infringement
    in
    this
    case
    as
    it
    is
    not
    an
    explicit
    requirement
    of
    the
    ePrivacy
    Directive.
  • Claiming
    reliance
    on
    the
    “legitimate
    interests”
    legal
    basis
    for
    the
    use
    of
    non-essential
    cookies
    (e.g.,
    targeted
    advertising
    cookies)
    and
    not
    collecting
    valid
    consent
    for
    the
    use
    of
    such
    cookies
    is
    prohibited.
    The
    EDPB
    also
    clarified
    that
    non-compliance
    with
    the
    rules
    on
    the
    use
    of
    cookies
    will
    result
    in
    non-compliance
    of
    any
    subsequent
    processing
    of
    personal
    data
    collected
    through
    cookies.
  • Website
    owners
    should
    put
    in
    place
    easily
    accessible
    solutions
    allowing
    users
    to
    withdraw
    their
    consent
    at
    any
    time,
    such
    as
    through
    the
    use
    of
    a
    small
    hovering
    and
    permanently
    visible
    icon,
    or
    a
    link
    placed
    on
    a
    visible
    and
    standardized
    place.
  • Inadequately
    categorizing
    cookies
    that
    serve
    purposes
    which
    would
    not
    be
    considered
    as
    “strictly
    necessary”
    under
    the
    “strictly
    necessary”
    cookie
    bucket
    is
    prohibited.
    The
    taskforce
    however
    recognized
    the
    practical
    difficulty
    of
    classifying
    cookies
    used
    on
    a
    website,
    particularly
    as
    cookie
    features
    change
    regularly.


Next
Steps

The
EDPB
clarified
that
the
positions
laid
down
in
the
Report
reflect

“a
minimum
threshold”

in
implementing
cookie
rules
in
the
EU
and

“do
not
constitute
stand-alone
recommendations
or
findings
to
obtain
a
greenlight
from
a
competent
authority.”

This
means
that
the
Report
is
independent
from
the
decisions
that
have
been
or
will
be
taken
in
relation
to
NOYB’s
complaints.
The
content
of
the
Report
is
however
expected
to
inform
or
influence
DPAs’
decisions
about
cookies
in
the
future.

Read
the

Report
.

About Author

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.