27 January 2023

European Data Protection Board Issues Guidance On The Use Of Cookies

Foley & Lardner

Contributor


A European Data Protection Board (EDPB) task force has issued guidance regarding the use of cookies, particularly cookie consent banners. Even though the guidance doesn't have the force of law, companies should consider the guidance to be influential on European regulators when considering enforcement actions.

First, the EDPB pointed out that the placement of cookies is regulated by the ePrivacy Directive; however, the actual reading and use of the information in the cookies falls under the purview of the GDPR.

Next, the task force pointed out the following practices related to the use of cookie consent banners:

  • No single "reject" button. A majority of the task force considered the absence of a single refuse/reject/no consent button alongside an "accept all" button as not in line with the requirements for valid consent and therefore an infringement.
  • Pre-ticked boxes. Pre-ticked boxes are not considered valid consent under the ePrivacy Directive or the GDPR.
  • Use of links on the cookie consent banner. While the task force members did not reject the use of links on a cookie consent banner that takes the user to another page (as opposed to a button), they did agree that there should be a clear indication of what the banner is about, and the purpose of the consent it is asking for.
  • Deceptive button colors/contrast. The task force objected to the use of "accept all" buttons without a corresponding "reject all," as it may lead to a data subject believing there is no possibility to object to the placement of cookies. The task force members also agreed that, while they are unable to define a standard color/contrast, the contrast and colors used on a cookie consent banner must be analyzed on a case-by-case basis to make sure it is not misleading to data subjects and that "accept all" type buttons are not emphasized over "reject all" and other options.
  • Overuse of "legitimate interests" as a lawful basis for processing. The task force objected to the implication in the second level of some cookie banners that some uses of the cookies were based on legitimate interests, when legitimate interests could not support the uses of the cookie (for example, to "create personalized content profile" or "select personalized ads"). The task force pointed out that the initial placement of the cookies must be in compliance with the ePrivacy Directive (consent required to place all non-essential cookies) and, only if that is satisfied, could legitimate interests be used for the processing of those cookies under the GDPR.
  • Inaccurately classified essential cookies. The task force noted that a number of reviewed websites incorrectly labeled some cookies as "strictly necessary" within the meaning of the ePrivacy Directive. While the task force recognized that correct characterization may bring up some practical difficulties (especially due to changing features of some cookies), the task force recommended that controllers that operate websites should review the WP29 Opinion 04/2012 on Cookie Consent Exemption.
  • No "withdraw" icon. The task force pointed out that three conditions are necessary for consent to be valid under the GDPR and the ePrivacy Directive: (1) the possibility to withdraw consent; (2) the ability to withdraw consent at any time; and (3) withdrawing consent must be as easy as giving it. The task force recommended that website owners provide an easily accessible solution for users to withdraw their consent to cookies.

[T]he EDPB adopted a report on the work undertaken by the Cookie Banner Task Force, which was established in September 2021 to coordinate the response to complaints concerning cookie banners filed with several EEA DPAs by NGO NOYB. The Task Force aimed to promote cooperation, information sharing and best practices between the DPAs, which was instrumental in ensuring a consistent approach to cookie banners across the EEA. In the report, the DPAs agreed upon a common denominator in their interpretation of the applicable provisions of the ePrivacy Directive and of the GDPR, on issues such as reject buttons, pre-ticked boxes, banner design, or withdraw icons.

edpb.europa.eu/...

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
