
EU: Dissecting the EDPB's cookie banner report

On 17 January 2023, the European Data Protection Board ('EDPB') published a report of the work undertaken by the Cookie Banner Taskforce [1]. The taskforce was initially formed to handle the complaints received from None of your business ('NOYB') [2] and consists of expert representatives of the European data protection authorities ('DPAs').

Dr Carlo Piltz and Philip Schweers, from Piltz Legal, unpack the key requirements regarding the use of cookies and cookie banners laid out in the report, the possible scope for their design, and the interplay between the report's and national requirements.


Background

The report includes the aligned positions of the European DPAs on the application of the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive') (or national implementations, e.g. in Germany, the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia of 23 June 2021 ('TTDSG'), or in France, Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR)). This is particularly relevant since there is no one-stop-shop mechanism in the scope of the ePrivacy Directive, which means that supervisory authorities are, to an extent, not obligated to coordinate within Europe for cross-border or EU-wide relevant processing operations.

The EDPB's clarification regarding the applicable legal framework is of significant practical relevance. In its report, the taskforce notes that there is a relatively strict distinction between the scope of the ePrivacy Directive (more precisely, of the national law transposing it) and the scope of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). For the placement of, or reading of, cookies, the common position of the delegations is that the national law implementing the ePrivacy requirements is the only applicable legal framework. For any subsequent processing, however, the GDPR applies. Moreover, it applies in full, covering not only the data subjects' rights, which are neither regulated nor mentioned in the ePrivacy Directive, but also the consent requirements, if consent constitutes the legal basis for the subsequent processing.

In the report, the EDPB once again underlines that the relationship between the national provisions implementing the ePrivacy requirements and the GDPR is one of lex specialis to lex generalis, but only to the extent that the ePrivacy provisions apply (i.e. for storing, or gaining access to, information stored in the user's terminal equipment), a position which can also be found in another EDPB document, namely Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities [3].

In this respect, the report represents an important resource as it is one of the few times that the European DPAs have made a consistent public statement regarding the use of cookies and cookie banners. Additionally, and this might be even more interesting, the report also reveals the extent to which DPAs are open to different design options.

The strict Dos and Don'ts

The representatives of the European DPAs were able to reach an agreement within the taskforce regarding some minimum requirements. To provide a quick overview, we have summarised these requirements below.

When using cookies and requesting consent using a cookie banner, controllers shall at least:

  • include a clear indication on what the banner is about, on the purposes of consent, and on how to consent to cookies;
  • provide a reject button/option so that users can decline consent; and
  • provide an easily accessible solution to withdraw consent.

According to the report, controllers shall not:

  • use pre-ticked boxes on the second layer of the banner to obtain consent;
  • hide the reject button/option within the paragraph of the text of the cookie banner without further visual support;
  • hide the reject button/option outside the cookie banner;
  • use contrast to make the reject button/option unreadable against the background; or
  • claim legitimate interest as a legal basis under the GDPR when consent is required due to the requirements of the ePrivacy Directive.

Possible scope for design

In addition to these strict requirements, the EDPB deliberately did not give any specifications regarding other aspects.

First of all, the EDPB did not specify how exactly the reject button/option must be designed. The report only mentions that the button shall not be hidden. Conversely, this means that the rejection option may be embedded in continuous text if it is particularly emphasised and stands out from the rest of the text (e.g. by bold print or colour highlighting). This also means that not all DPAs believe that the option to reject needs to be an equivalent alternative to the accept button (e.g. same size and colour).

Nor does the EDPB define what deceptive button colours are. The report states 'that a general banner standard concerning colour and/or contrast cannot be imposed on data controllers', meaning that a DPA has to establish the deceptiveness of a banner on a case-by-case basis. The fact that the expert representatives were able to agree on only one negative example (i.e. using contrast to make the reject button unreadable against the background) suggests that it might be very difficult to objectively evaluate the deceptiveness of a colouring scheme.

The report reveals that most DPAs have difficulties determining which cookies are being used and for what purposes. In this respect, they appear to be at least partially dependent on the support of the controllers. The DPAs also do not define what essential cookies are and only refer to an older opinion of the Article 29 Data Protection Working Party (the predecessor of the EDPB), namely Opinion 04/2012 on Cookie Consent Exemption [4]. Based on this, we assume that there is no agreement among the DPAs on the definition of 'essential'. It is therefore possible that the use of essential cookies without consent may be more flexible than one would expect.

Lastly, the DPAs do not require controllers to use a specific withdrawal option. There seems to be no need to use a small hovering and permanently visible icon to enable users to withdraw consent. A link within the footer of the website might already be sufficient.

Compliance with national requirements

Even though the EDPB might not define certain criteria, a national DPA might. The report explicitly states that further clarifications and guidance provided by the national competent authorities (which are also responsible for the enforcement) are still fully applicable. Consequently, the German authorities might require an equivalent reject button, no matter what the report states, even though the National Commission for Data Protection ('CNPD') in Luxembourg might not.

We therefore strongly advise controllers to keep an eye on national requirements and guidelines issued by the local authorities.

Dr Carlo Piltz Partner
Philip Schweers Senior Associate
Piltz Legal, Berlin


[1] Available at: https://edpb.europa.eu/our-work-tools/our-documents/other/report-work-undertaken-cookie-banner-taskforce_en
[2] Available at: https://noyb.eu/en/101-complaints-eu-us-transfers-filed
[3] Available at: https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-52019-interplay-between-eprivacy_en
[4] Available at: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf
