The EDPB has published a report on the work of its “Cookie Banner Taskforce” regarding cookie banners. This report is the result of collaboration between several European data protection authorities set up to handle complaints about cookie banners received by the organization NOYB.
The report lists a number of common practices observed on the cookie banners of websites in the European area and expresses their compliance with the various applicable rules (in particular the ePrivacy Directive and the GDPR). It can help those responsible for websites and apps in how they obtain consent (or refusal) from the user to have cookies (and/or other similar technologies) read or placed on their device.
The task force report examines, among other things, the following practices:
- Pre-checked boxes . The task force points out that pre-checked boxes do not constitute valid consent under the GDPR or the ePrivacy Directive, regardless of the level of the banner containing the checkable box.
- Deceptive design . The task force draws attention to several types of deceptive practices regarding banner formatting.
- The legitimate interest . Certain websites rely on legitimate interest and not consent for the further processing of data after placing or reading cookies. The report recalls that the legitimate interest cannot constitute a legal basis for the setting of cookies themselves, and that if the setting or reading of cookies is not in accordance with the ePrivacy Directive, subsequent further processing may not be in accordance with the GDPR.
- Lack of a “reject all” type button on the same level as the “accept all” button . Most data protection authorities, including the DPA, considered this to be a breach and that at the same time the user of a website should have the option to accept or refuse the placement/reading of cookies on their device.
The GBA would like to recall that the scope of the GDPR and of Article 5(3) of the ePrivacy Directive is broad and also covers other types of technologies (such as, among others, the use of “local storage”).
It also emphasizes that the report only contains, in a non-exhaustive manner, examples of serious infringements. It cannot therefore be inferred that every practice not mentioned in the report automatically complies with the applicable rules.