Cookie Banner Best Practices
EDPB Cookie Banner Taskforce Report: Key insights
April 5, 2023
Why a Taskforce?
The European Data Protection Board (EDPB) created this Taskforce to support NOYB (European Center for Digital Rights – a non-profit organisation) as a result of various complaints filed with several EU Supervisory Authorities about cookie banners. The report and adopted harmonisation elements will guide Authorities in the analysis and handling of the received complaints, with the aim of implementing minimum requirements for cookie banners.
Applicable legal framework
What cookie banner practices to avoid?
We have summarised the most important points of the report below:
1. No reject button on the first layer
Nevertheless, the Taskforce recalled that, by default, no cookies can be used without consent, which requires a positive action by the user. The only exception is for “strictly necessary” cookies, as explained below.
2. Pre-ticked boxes
Not surprisingly, the Taskforce pointed out that pre-ticked boxes used to set user preferences on the second layer of the cookie banner do not meet the criteria for valid consent.
Contrary to other types of cookies, strictly necessary cookies do not require user consent. We therefore consider that having pre-ticked boxes only for these types of cookies does not constitute an infringement.
3. Deceptive Link Design
4. Deceptive button colours and deceptive button contrast
Some Controllers set up their banner to highlight the “Accept” button by means of specific colours or contrasts.
The Taskforce members agreed that a general banner standard in terms of contrast and colour cannot be imposed on all websites. It is therefore necessary to analyse individual banners on a case-by-case basis to ensure that the design does not deliberately mislead users, which would result in an invalid consent. This would be the case, for instance, when the contrast between the text and the background of the “Refuse” button is so minimal that the text becomes unreadable.
Although MyData-Trust understands that it is not possible to impose such a standard, we strongly recommend placing two buttons on the first layer, “Accept” and “Refuse”, that are the same colour, contrast and font. Indeed, this appears to offer the most protection for users so that they are not influenced by the design of the banners.
5. Legitimate interest claimed
Some cookie banners, especially in the second layer, contain references to the legitimate interest of Controllers.
So far, the Taskforce members highlighted two significant considerations:
- Subsequent processing cannot be considered compliant with the GDPR, even if it can be justified by the legitimate interest of the Controller, if there is no valid consent for the placement of cookies.
6. Inaccurately classified “essential” cookies
“Essential” or “strictly necessary” cookies are exempt from requiring consent. However, it has been observed that some Controllers misclassify their cookies as strictly necessary when they have other purposes.
Considering this, the Taskforce members agreed that determining a stable and reliable list of essential cookies is difficult to achieve, in particular due to regular changes to cookie features.
It is therefore the responsibility of Controllers to document and be able to prove that cookies classified as essential are indeed essential.
The report also refers to Opinion n°04/2012 on Cookie Consent Exemption of WP 29 to help Controllers assess which cookies can be considered essential.
7. No withdraw icon
The Taskforce members agreed that the solution of a permanent icon cannot be imposed on all Controllers. It is therefore necessary to analyse websites on a case-by-case basis to make sure that Controllers offer easy ways to withdraw consent, such as a link placed in a visible and standardised place.
Final key takeaways
This report does not introduce any new requirements, but generally provides a common framework to be implemented.
The ePrivacy Directive is still applicable and has been transposed in each Member State, which may lead to discrepancies. In this context, some Supervisory Authorities have already gone further in terms of requirements in their guidelines.
MyData-Trust welcomes this initiative but hopes for a greater harmonisation between the different countries in the coming years.