Draft Report on the Implementation of Cookies
The European Data Protection Board (EDPB), specifically the Cookie Banner Taskforce, one of the EDPB’s Working Groups, published on 17 January a draft report on banner implementation practices and Cookie settings.
The opinions published in this document are the result of coordination among the members of the aforementioned Taskforce in response to the more than 700 complaints addressed to the different European Supervisory Authorities about the deficiency and lack of uniform criteria for the implementation of Cookie Banners, received by NOYB, a non-profit organisation that acts under the motto “My Privacy is None of Your Business” and is promoted by Max Schrems.
However, the opinions issued are limited to a minimal assessment of the correct implementation of the cookie banner and other related practices. The European Data Protection Board itself warns of this, indicating that the provisions of the publication do not constitute definitive conclusions but are merely a draft report, and that the final analysis will have to be carried out by the different European supervisory authorities and, in any case, in accordance with the national regulations transposing the different European Directives on privacy and electronic communications.
What are the main considerations to bear in mind about Cookies?
Reject Button on the First Layer
The EDPB has concluded that it is necessary to include a button or option on the first layer, so that the User can explicitly reject all cookies, except those that are technical or necessary.
Design Defect to Reject Cookies
Another of the practices that the Working Group has included in this first Draft Report is the practice of configuring the rejection of cookies via a link instead of a button on the first layer. This type of configuration makes it difficult for the user to see this option and therefore to exercise their free, express and unequivocal consent.
Pre-Ticked Boxes
With regard to the setting or customisation of Cookies, it has been found that many European websites are configured in such a way that cookie preferences are pre-selected. The opinion expressed by the Working Group is that Cookies cannot be pre-set or pre-selected, except for cookies that do not require the User's consent, i.e. technical cookies. Therefore, pre-checked or pre-selected boxes will be considered as non-explicit consent and therefore invalid.
Deceptive Button Colours & “Deceptive Button Contrast”
Likewise, the Working Group goes on to analyse the design of the cookie banner, criticising selections of colour or contrast between the buttons to accept, configure or reject cookies that highlight the ACCEPT button to the User. The Working Group has expressed the opinion that the validity of the Cookie Banner can be questioned when the design has been implemented in a way that misleads Users into accepting.
Inaccurately Classified Essential Cookies
The EDPB has analysed how data controllers have classified as ‘necessary’ or ‘strictly necessary’ some cookies whose purpose is far from that of essential or necessary cookies under Article 5(3) of the ePrivacy Directive. In this regard, Opinion 4/2012 on the cookie consent exemption has already ruled on the correct identification of necessary cookies, in particular the fact that cookies that allow the website to save user preferences about the service offered on the website can be considered necessary cookies.
In our opinion, the European Data Protection Board limits itself to issuing a vague opinion on basic issues but does not take a position on more complex issues that have been raised by the sector, including defining a final list of Cookies that are considered necessary or essential, and therefore do not require obtaining the User’s consent, as well as specifying and determining what is considered a visible place to withdraw consent.
Cookies are not a trivial matter, as even the major operators are still not clear on the issue, as evidenced by the recent sanction imposed by the French Data Protection Control Authority (“CNIL”) on TikTok at the beginning of 2023 for failing to adequately obtain consent for cookies from French users.
It remains to be seen whether, in the final version of the Report, the European Data Protection Board’s working group will finally take a position on a wider range of issues in order to provide clear and uniform guidelines for European websites, thus ensuring greater legal certainty.
Still have doubts about how to implement the Cookie Banner on your website?
At Letslaw, we are experts in advising on data protection and website compliance, so we will be happy to help you comply with the regulations.
Letslaw is a firm of international lawyers specialising in business law.