
EDPB’s Cookie Banner Taskforce publishes report on bad cookie practices

Published on 31 March 2023

The question

What pitfalls should website providers avoid when it comes to obtaining user consent for cookies?

The key takeaway

Cookies must be consented to and such consent must be freely given, informed and by affirmative action. Consent will not be valid if the cookie banner creates the impression that the user has no other choice than to accept (eg by hiding or not including reject options), or if the user was pushed into accepting them by default.

The background

The European Privacy and Electronic Communications Directive 2002/58/EC (e-Privacy Directive) has been transposed into UK law by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). PECR sits alongside the existing data protection requirements of the UK GDPR and the Data Protection Act 2018, but applies regardless of whether personal data is processed. PECR specifies certain requirements for electronic communications and user privacy, including the use of cookies.

Cookies are text files which a website provider, or similar online service, can “implant” onto the user’s “terminal equipment” (eg a smartphone, tablet or laptop) when they access the website. This creates a unique ID which can be used to track web browsing patterns and identify a user’s preferences. PECR provides that users must consent to the use of cookies unless they are “strictly necessary” for use of the website. Consent, in this context, must be freely given, informed and by a clear statement or action.

In September 2021 the European Data Privacy Board (EDPB), an independent body responsible for the application of EU data protection rules, created the Cookie Banner Taskforce (the Taskforce) after receiving 422 complaints from non-profit organisation NOYB, alleging non-compliance with cookie banner requirements.

The development

On 18 January 2023, the EDPB adopted the Taskforce’s report which condemned the following bad practices with respect to the use of cookies:

  • not providing an option to reject cookies
  • using pre-ticked boxes to consent to cookies
  • hiding the “refuse/continue without accepting” option within a block of text so that it is not easy to identify
  • placing “reject” options outside of the cookie banner
  • using deceptive button colours or contrasts such that any option besides accepting cookies is unreadable to the user (eg the reject button blending into the background of the banner)
  • not including the option to reject cookies at the first level of the banner, leading the user to believe their only option is to accept
  • miscategorising non-essential cookies (eg the cookies used for the purpose of ad personalisation) as “essential” or “strictly necessary” for the use of the website, and
  • not having an easy mechanism by which users can withdraw their consent at any time.

The Taskforce also found that where a data controller failed to obtain valid consent to collect personal data through cookies, the processing of that data would be in breach of the GDPR.

Why is this important?

The flood of complaints from NOYB shows that cookie banner non-compliance very much remains a live issue, and the establishment of the Taskforce, directly because of those complaints, means that this topic remains high on the regulatory radar. It goes without saying that the time and cost of getting cookie banners right is minimal compared to the potential sanctions for non-compliance, for which the ICO can impose a fine of up to £500,000.

Any practical tips?

Given the Taskforce’s guidance, the following practices are recommended:

  • Making sure that any options besides “accept” are visibly clear and accessible to the user.
  • Ensuring that no options are pre-ticked.
  • Having a clear mechanism for users to withdraw their consent to cookies. The Taskforce was hesitant to mandate a particular withdrawal method for all websites, but it suggested the use of a small, permanent icon on each webpage to allow users to review and amend their privacy settings.
  • Regularly assessing whether cookies used on websites are truly “essential” and being prepared to justify the classification. Authorities have access to tools which can list the cookies placed by a website, but these tools will not categorise them as “essential” or “non-essential”. The Taskforce stated that the evolving features of cookies make it hard to develop a stable list of universally accepted “essential” cookies.
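As an added illustration (not code from the article or from any regulator), the consent model below shows how the practices above translate into banner logic: no non-essential category is pre-ticked, “reject” is recorded as a decision in its own right, non-essential cookies are only set after an affirmative choice, and withdrawal turns every non-essential category off again. The category names and the cookie registry are constructed for the example.

```javascript
// Added example of consent gating for a cookie banner. Category names and the
// cookie-to-category registry below are constructed, not taken from any site.
const ESSENTIAL = "strictly-necessary";
const NON_ESSENTIAL = ["analytics", "advertising"];

// Constructed registry. A cookie used for ad personalisation is registered as
// "advertising"; labelling it strictly-necessary is exactly the
// miscategorisation the Taskforce condemned.
const COOKIE_REGISTRY = {
  session_id: ESSENTIAL,
  csrf_token: ESSENTIAL,
  _ga: "analytics",
  ad_profile: "advertising",
};

function newConsentRecord() {
  // Initial state: no decision yet, and every non-essential category is off,
  // so nothing is pre-ticked and nothing non-essential is loaded by default.
  const choices = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  return { decided: false, choices, decidedAt: null };
}

function recordDecision(consent, choices, at) {
  // Accept, reject and partial choices are all affirmative acts, so each one
  // is timestamped; only an explicit true enables a category.
  const next = { ...consent.choices };
  for (const c of NON_ESSENTIAL) next[c] = choices[c] === true;
  return { decided: true, choices: next, decidedAt: at };
}

const acceptAll = (consent, at) =>
  recordDecision(consent, Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true])), at);
const rejectAll = (consent, at) => recordDecision(consent, {}, at);
// Withdrawal is simply a fresh decision that switches every non-essential category off.
const withdraw = rejectAll;

function mayStore(consent, cookieName) {
  const category = COOKIE_REGISTRY[cookieName];
  if (category === undefined) return false; // unregistered cookie: deny by default
  if (category === ESSENTIAL) return true;  // strictly necessary: no consent needed
  return consent.decided && consent.choices[category] === true;
}

// After a withdrawal, list the cookies already present that are no longer permitted,
// so the site can clear them rather than leave them in place.
function cookiesToClear(consent, presentCookies) {
  return presentCookies.filter((name) => !mayStore(consent, name));
}
```

The permanent settings icon the Taskforce suggested would simply call `withdraw` (or `recordDecision` with new choices) and then clear whatever `cookiesToClear` returns.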

Spring 2023