Cookie Banner Best Practices

Applicable legal framework
The Taskforce members clarified that the placement and use of cookies is governed by national laws implementing the ePrivacy Directive, while subsequent personal data processing activities are subject to the GDPR.

What cookie banner practices to avoid?
We have summarised the most important points of the report below:

Several cookie banners contain an “Accept” button but no “Refuse” button on the first layer. Not all authorities are aligned on this issue. While some consider that not having a button to refuse cookies on the first layer is non-compliant, others explain that the Directive does not require such a button and consequently cannot conclude that there is an infringement.
Nevertheless, the Taskforce recalled that, by default, no cookies can be used without consent, which requires a positive action by the user. The only exception is for “strictly necessary” cookies, as explained below.
In any event, we (MyData-Trust), strongly recommend having a ” Refuse ” button on the first layer of the cookie banner, so that with one click the user can refuse cookies as well as accept them.

Not surprisingly, the Taskforce pointed out that the pre-ticked boxes when setting user preferences on the second layer of the cookie banner do not meet the criteria for valid consent.
Contrary to other types of cookies, strictly necessary cookies do not require user consent. We therefore consider that having pre-ticked boxes only for these types of cookies does not constitute an infringement.

This notion covers the practice of putting only a link to refuse cookies instead of a button (on the first or on the second layer), while a button is already available to accept cookies.
Taskforce members agreed that banners should clearly inform the user so that they understand what they are consenting to, and that these banners should not give the impression that they are obliged to accept cookies to access the website in any way. This is the case for example when a link to refuse cookies is lost in the text and not clearly apparent to the user.

Some Controllers setup their banner to highlight the “Accept” button, by means of specific colours or contrasts.
The Taskforce members agreed that a general banner standard in terms of contrast and colour cannot be imposed on all websites. It is therefore necessary to analyse individual banners on a case-by-case basis to ensure that the design does not deliberately mislead users, which would result in an invalid consent. This would be the case, for instance, when the contrast between the text and the background of the “Refuse” button is so minimal that the text becomes unreadable.

Some cookie banners, especially in the second layer, contain references to the legitimate interest of Controllers.
So far, the Taskforce members highlighted two significant considerations:

• The placement and use of cookies can only be based on consent – not legitimate interest;
• Subsequent processing cannot be considered compliant with the GDPR, even if it can be justified by the legitimate interest of the Controller, if there is no valid consent for the placement of cookies.

“Essential” or “strictly necessary” cookies are exempt from requiring consent. However, it has been observed that some Controllers misclassify their cookies as strictly necessary when they have other purposes.
Considering this, the Taskforce members agreed that determining a stable and reliable list of essential cookies is difficult to achieve, in particular due to regular changes to cookie features.
It is therefore the responsibility of Controllers to document and be able to prove that cookies classified as essential are indeed essential.
The report also refers to Opinion n°04/2012 on Cookie Consent Exemption of WP 29 to help Controllers to assess which cookies can be considered essential.

Withdrawing consent for the use of cookies should be possible at any time and should be as easy as giving consent. Different possibilities can be provided to users, such as placing a permanent icon on the website to make the cookie banner reappear in order to modify the settings and preferences of the user.
The Taskforce members agreed that the solution of a permanent icon cannot be imposed on all Controllers. It is therefore necessary to analyse websites on a case-by-case basis to make sure that Controllers offer easy ways to withdraw consent, such as a link placed in a visible and standardised place.

This report does not introduce any new requirements, but generally provides a common framework to be implemented.
The ePrivacy Directive is still applicable and has been transposed in each Member State, which may lead to discrepancies. In this context, some Supervisory Authorities have already gone further in terms of requirements in their guidelines.
MyData-Trust welcomes this initiative but hopes for a greater harmonisation between the different countries in the coming years.

In the future, MyData-TRUST expects that this topic will be further developed and not only limited to cookie banners. Equally, this can include the concrete use of cookies and other tracking technologies, which seem to be frequently forgotten by Controllers when they inform users about their different practices.