Report on cookie banners – does your banner meet the recommendations?

The taskforce has been established in response to NOYB's (None Of Your Business) organisation set up by Max Schrems. The organisation is best known for its proceedings before the CJEU, which have invalidated two agreements governing transfers of data between the EU and the US (Safe Harbour and Privacy Shield). The CJEU, in line with its rules, has named its judgments invalidating those agreements after Max Schrems: Schrems I and Schrems II.

NYOB has sent draft complaints regarding the use of cookie banners in breach of the GDPR  to more than 700 organisations in 33 EU countries since March 2021. In Poland, they included TVN SA, TVP SA, Interia and PKO BP. 

Along with the draft complaint, the organisations were requested to modify their cookie banners to comply with EU laws and were given a month to do so. In addition, NOYB has also attached a step-by-step guide on how to change the banners so that they comply with the GDPR.

If the violator did not respond within the month and did not modify the cookie banner on its website, a complaint was filed with the relevant supervisory authority (in Poland it was the PDPO).

According to the NOYB's analysis, most violations included, without limitation:

During its plenary meeting in September 2021, the EDPB announced that it “decided to set up a taskforce to coordinate the response to complaints concerning cookie banners filed by NOYB.”

The taskforce aimed to promote cooperation, information sharing and the best practices between supervisory authorities. In particular, it was supposed to:

The taskforce published a report on its work on 17 January 2023. According to the disclaimer, the report is not a set of guidelines or recommendations for data controllers, but indicates the minimum scope of analysis that supervisory authorities should carry out when investigating complaints submitted by NOYB.

If we look at the scope of that analysis, we can say with all certainty that it follows the NOYB guidelines. If anyone is still in doubt about how to implement cookie banners and information about cookies, this report may prove helpful.

The taskforce highlighted in particular the following violations related to cookie banners:

1. NO “REJECT” BUTTON ON THE FIRST LAYER.

In this case the majority of supervisory authorities considered that the absence of such a button was not in line with the requirements for a valid consent provided for by the ePrivacy Directive. There were also dissenting opinions, but unfortunately the report did not indicate from which member states. Nonetheless, the supervisory authorities had no doubt that consent to cookies which required consent must be expressed by a positive action on the part of the user.

2. PRE-TICKED CHECKBOXES.

According to the authors of the report, “silence, pre-ticked boxes or inactivity on the part of the user” is not valid consent. This also applies to the unticking of consent (opting out), e.g. the popular choice between “Accept all” and “Settings”.

3. DECEPTIVE LINK DESIGN.

This is when the banner does not contain a “Reject all” button but instead, a link taking the user to the cookie rejection options (direct link to reject or link to a second layer). The taskforce members agreed that a website owner must not design cookie banners in a way that gives users the impression that they have to give a consent to access the website content, nor that clearly pushes the user to give consent. The following two situations were described as examples of such practice:

4. DECEPTIVE COLOURS OF THE BANNERS.

The group did not indicate what colours would be appropriate for specific buttons and whether specific cases required a case-by-case analysis. However, it must at least be checked whether the contrast and colours used are not obviously misleading for the users and do not result in an unintended and, as such, invalid consent from them. As an example, the taskforce quoted a practice where the contrast between the text and the button background was so minimal that the text is unreadable to virtually any user.

5. LEGITIMATE INTERESTS AS BASIS FOR PROCESSING.

The report confirmed that the legal basis for the placement/reading of cookies pursuant to Article 5(3) of ePrivacy Directive cannot be the legitimate interests of the controller.

6. INACCURATELY CLASSIFIED ESSENTIAL COOKIES.

While the assessment of cookies to determine which ones are essential may be problematic, this is the responsibility of the controller. According to the taskforce, the essential/strictly necessary classification is overused.

7. THE CONSENT SHOULD BE AS EASY TO WITHDRAW AS TO GIVE IT.

Website owners should put in place easily accessible solutions allowing users to withdraw their consent at any time, such as an icon or a link placed on a visible and standardised place.

The report is not a set of guidelines on which a controller implementing cookie management can rely directly. It is, however, a useful tool and guidance as to how supervisory authorities will interpret particular areas of cookie management, and it suggests a minimum scope of investigation to which a website will be subject if a complaint is lodged. The laws of the Member State concerned and the facts and circumstances of a given case will also be taken into account.