On the 18th of January, the EDPB published the adopted report of the work undertaken by the Cookie Banner Taskforce. The Cookie Banner Taskforce was established in September 2021 in accordance with article 70(1) (u) GDPR to coordinate the response to complaints concerning cookie banners filed with several supervisory authorities by the non-profit organization, NOYB, run by Max Schrems. The aim of this Taskforce was to promote cooperation, information sharing, and best practices between the supervisory authorities.

Legal effects of the report

The positions in the document reflect the common denominator agreed by the different supervisory authorities that made up the Cookie Task Force on their view of the applicable provisions of the ePrivacy Directive and the GDPR. The EDPB points out in their disclaimer that the positions do not constitute stand-alone recommendations or findings to obtain a greenlight from a competent authority. The findings must be read in conjunction with national laws that transposed the ePrivacy Directive. As a result, the positions taken by the Cookie Task Force are not legally binding.

The most important findings of the report

The report comprises nine sections and addresses not only the applicable legal framework and the application of the one-stop-shop mechanism but also eight different violations raised by NOYB in its complaints. We outline below only the most critical positions in the paper.

Type A practice – “No reject button on the first layer” – Paragraph 8

Most supervisory authorities consider it an infringement of the ePrivacy Directive if a cookie banner does not provide both an accept and a refuse/reject/not consent option on any layer. Only a few supervisory authorities held the view that this does not infringe the ePrivacy Directive, as article 5(3) does not explicitly mentions a “reject option”. Ultimately, the vast majority of authorities considered the absence of refuse/reject/not

consent option on any layer to be outside the requirements for valid consent, meaning failure to have such an option is an infringement.

Type B practice – “Pre-ticked boxes” – Paragraph 10

Unsurprisingly, the Taskforce confirms in its report that pre-ticked boxes are neither a valid way to obtain consent under the GDPR nor under article 5(3) of the ePrivacy Directive.

Type C practice – Paragraph 14

The Taskforce members looked into the aspect of deceptive “Link Design” and agreed on two examples (non-exhaustive) that do not lead to valid consent:

  • the only alternative action offered (other than granting consent) consists of a link behind wording such as ‘refuse’ or ‘continue without accepting’ embedded in a paragraph of text in the cookie banner, in the absence of sufficient visual support to draw an average user’s attention to this alternative action;
  • the only alternative action offered (other than granting consent) consists of a link behind wording such as ‘refuse’ or ‘continue without accepting’ placed outside the cookie banner where the buttons to accept cookies are presented, in the absence of sufficient visual support to draw the users’ attention to this alternative action outside the frame.

Type D & E practises – “Deceptive button colours” & “deceptive button contrast” – Paragraph 18

While the report acknowledges that the colour scheme of a cookie banner cannot be standardized for all controllers and must be assessed on a case-by-case basis, the practice of offering a reject option in the form of a button with minimal contrast between the text and background is manifestly misleading to users, as the text is unreadable.

Type H practice – “Legitimate interest claimed, list of purposes” – Paragraph 24

Also unsurprisingly, the Taskforce members agreed that where a controller had failed to comply with article 5(3) of the ePrivacy Directive, particularly when valid consent had not been obtained as required, it also resulted in any subsequent processing infringing the GDPR. Simply put, where data is collected unlawfully then all subsequent processing is also unlawful.  

Type I practice – “Inaccurately classified «essential» cookies” – Paragraph 28

The members of the Taskforce discussed the topic of tools that can be used to create a list of cookies used by a website owner, along with the responsibility of them to keep these lists updated, providing them to relevant authorities when requested, and to demonstrating the «essentiality» of the cookies listed.

Type I practice – “Inaccurately classified «essential» cookies” – Paragraph 29

While various tools exist to list cookies used, and despite these tools not providing information about the nature of the cookie, supervisory authorities will use these tools to help them seek information from website operators.

Type I practice – “Inaccurately classified «essential» cookies” – Paragraph 30

Cookies that allow the website owner to remember user preferences (e.g. if consent was obtained) for a service should be considered essential cookies.

Type K practice – “No withdraw icon” – Paragraph 32

Website owners should provide easily accessible solutions, such as a small, permanently visible icon or a link in a standard location, that allow users to withdraw their consent at any time.

Type K practice – “No withdraw icon” – Paragraph 35

Website owners should implement and display easily accessible solutions once consent has been obtained. However, they cannot be required to use a specific solution for withdrawing consent (e.g. hovering solution). Each case must be individually evaluated to ensure that withdrawing consent is as easy as giving it.

Practical Takeaways

Website operators should review their cookie banners to ensure there is nothing misleading and that consent is as easy for users to give as it is for them to reject.  The report confirms that any unlawful collection of data results in all subsequent processing being unlawful.  Use of various cookie banner designs could be deemed misleading by ‘pointing’ users to accept cookies.

There is still some flexibility for organisations in how to design a cookie banner, since the report points out on multiple occasions that banners and cookie collection will be evaluated on a case-by-case basis.  As the international requirements for cookies vary and it can be challenging to maintain a good overview, we are happy to support you with our Cookie Comparison chart with guidance across key territories including the UK, Germany, France, Belgium, Ireland, Greece, Singapore, China and the US.