Report on cookie banners – does your banner meet the recommendations?

by Paweł Foltman

2 February 2023


The Cookie Banner Taskforce established by the European Data Protection Board (EDPB) issued a report on their findings on 18 January 2023.

The taskforce was established in response to complaints filed by NOYB (None Of Your Business), an organisation set up by Max Schrems. The organisation is best known for its proceedings before the CJEU, which have invalidated two agreements governing transfers of data between the EU and the US (Safe Harbour and Privacy Shield). The CJEU, in line with its rules, has named its judgments invalidating those agreements after Max Schrems: Schrems I and Schrems II.

NOYB’s mission


NOYB has sent draft complaints regarding the use of cookie banners in breach of the GDPR to more than 700 organisations in 33 EU countries since March 2021. In Poland, they included TVN SA, TVP SA, Interia and PKO BP.

Along with the draft complaint, the organisations were requested to modify their cookie banners to comply with EU laws and were given a month to do so. In addition, NOYB attached a step-by-step guide on how to change the banners so that they comply with the GDPR.

If the violator did not respond within the month and did not modify the cookie banner on its website, a complaint was filed with the relevant supervisory authority (in Poland it was the PDPO).

According to NOYB's analysis, most violations included, without limitation:

  • no “Reject all” button,
  • pre-ticked consent box,
  • a link to the settings instead of the “Reject” button,
  • legitimate interests as the basis for processing,
  • deceptive button colours,
  • withdrawal of consent not being as easy as giving it.

Cookie Banner Taskforce – goals


During its plenary meeting in September 2021, the EDPB announced that it “decided to set up a taskforce to coordinate the response to complaints concerning cookie banners filed by NOYB.”
The taskforce aimed to promote cooperation, information sharing and best practices between supervisory authorities. In particular, it was supposed to:

  • exchange views on legal analysis and possible infringements;
  • provide support to activities on the national level;
  • streamline communication.

Group report – key points


The taskforce published a report on its work on 17 January 2023. According to the disclaimer, the report is not a set of guidelines or recommendations for data controllers, but indicates the minimum scope of analysis that supervisory authorities should carry out when investigating complaints submitted by NOYB.
If we look at the scope of that analysis, we can say with all certainty that it follows the NOYB guidelines. If anyone is still in doubt about how to implement cookie banners and information about cookies, this report may prove helpful.

The taskforce highlighted in particular the following violations related to cookie banners:

1. NO “REJECT” BUTTON ON THE FIRST LAYER.

In this case, the majority of supervisory authorities considered that the absence of such a button was not in line with the requirements for valid consent provided for by the ePrivacy Directive. There were also dissenting opinions, but unfortunately the report did not indicate from which member states. Nonetheless, the supervisory authorities had no doubt that consent to cookies which require consent must be expressed by a positive action on the part of the user.

2. PRE-TICKED CHECKBOXES.

According to the authors of the report, “silence, pre-ticked boxes or inactivity on the part of the user” is not valid consent. This also applies to the unticking of consent (opting out), e.g. the popular choice between “Accept all” and “Settings”.

3. DECEPTIVE LINK DESIGN.

This is when the banner does not contain a “Reject all” button but instead offers a link taking the user to the cookie rejection options (a direct link to reject or a link to a second layer). The taskforce members agreed that a website owner must not design cookie banners in a way that gives users the impression that they have to give consent to access the website content, or that clearly pushes the user to give consent. The following two situations were described as examples of such practice:

  • the only alternative action offered (other than granting consent) consists of a link behind wording such as “Refuse” or “Continue without accepting” embedded in a paragraph of text in the cookie banner, in the absence of sufficient visual support to draw an average user’s attention to this alternative action;
  • the only alternative action offered (other than granting consent) consists of a link behind wording such as “Refuse” or “Continue without accepting” placed outside the cookie banner where the buttons to accept cookies are presented, in the absence of sufficient visual support to draw the users’ attention to this alternative action outside the frame.

4. DECEPTIVE COLOURS OF THE BANNERS.

The group did not indicate what colours would be appropriate for specific buttons and whether specific cases required a case-by-case analysis. However, it must at least be checked whether the contrast and colours used are not obviously misleading for the users and do not result in an unintended and, as such, invalid consent from them. As an example, the taskforce quoted a practice where the contrast between the text and the button background was so minimal that the text was unreadable to virtually any user.

5. LEGITIMATE INTERESTS AS BASIS FOR PROCESSING.

The report confirmed that the legal basis for the placement/reading of cookies pursuant to Article 5(3) of the ePrivacy Directive cannot be the legitimate interests of the controller.

6. INACCURATELY CLASSIFIED ESSENTIAL COOKIES.

While the assessment of cookies to determine which ones are essential may be problematic, this is the responsibility of the controller. According to the taskforce, the essential/strictly necessary classification is overused.

7. CONSENT SHOULD BE AS EASY TO WITHDRAW AS TO GIVE.

Website owners should put in place easily accessible solutions allowing users to withdraw their consent at any time, such as an icon or a link placed in a visible and standardised place.

The report is not a set of guidelines on which a controller implementing cookie management can rely directly. It is, however, a useful tool and guidance as to how supervisory authorities will interpret particular areas of cookie management, and it suggests a minimum scope of investigation to which a website will be subject if a complaint is lodged. The laws of the Member State concerned and the facts and circumstances of a given case will also be taken into account.

Contact

Paweł Foltman

Attorney at law (Poland)

+48 696 139 865
