Cookies have been at the center of data protection discussions for a long time, but recently the focus on the implementation of cookies has increased significantly. This blog post provides some insight into the most recent changes with regard to data protection authorities’ opinion on the implementation of cookie banners since the European Data Protection Board’s Cookie Banner Taskforce report.
Background
In January the European Data Protection Board (EDPB) issued its report drafted by the Cookie Banner Taskforce in response to complaints, which were launched by data privacy advocacy group NOYB with various data protection authorities (DPAs) throughout the European Union (EU) and European Economic Area (EEA). The report included various considerations by the EU/EEA data protection authorities with regard to the usage of cookies and implementation of cookie banners.
One of the important issues outlined by the majority of the data protection authorities is that if a cookie banner has the “accept all” button, it should equally include the “reject all” button. More specifically, even though there is no consensus on this, according to a majority of the DPAs, the “reject all“ button should be included on the first layer of the cookie banner.
Cookie Banner Taskforce Report: https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf
New developments since the EDPB report
Since the release of the EDPB’s Cookie Banner Taskforce report, various DPAs have updated their guidance and have officially published their position on the “reject all“ button. A few months after the report, the French DPA, CNIL, which was also one of the DPAs coordinating the work of the task force, published their official statement and highlighted that the first layer of the cookie banners must include the “reject all“ button. The CNIL had this viewpoint already before the EDPB’s official take on the matter and this has been evident from its earlier enforcement decision (e.g. fines issued against Amazon France Core and Google LLC & Google Ireland Limited in 2020).
In addition to the French DPA, there are several other DPAs, that have adopted the same position. These DPAs are respectively Belgian and Luxembourg’s DPAs. These authorities consider that data subjects should be provided the same options for refusing as for consenting to the placing of cookies. Moreover, according to them, in case the “accept all” button is included on the first layer, then a similar “refuse all” button should also be included there. Belgian DPA just recently also published its cookie checklist, which explicitly reiterates this same position.
A few months ago, the Spanish DPA also issued its revised guidelines for cookies. Earlier on, Spanish DPA was among the authorities, did not require the first layer of the cookie banners to include the “reject all“ button, then now it changed its stance, and all the cookie banners need to follow this rule. The banners established differently will be considered to be in violation of the Spanish Act on the Information Society Services and e-Commerce 34/2002 (the act implementing the ePrivacy Directive). The Spanish DPA’s new guidelines also include practical examples for the new cookie banners and urge the old banners to be revised. In addition, the guideline requires the banners to be transparent without there being deceptive design deployed. Companies have been given until mid-January 2024 to comply with the revised requirements.
The guidelines (in Spanish only): https://www.aepd.es/es/documento/guia-cookies.pdf
The most recent development in this matter came from the United Kingdom, where the Information Commissioner’s Office (ICO) gave its opinion on the cookie banners. At the beginning of August, ICO released a joint position paper together with the Competition and Markets Authority (CMA), which touched upon the cookie banners. Based on the position paper, the cookies must be construed in a way that data subjects should have an equal choice to both “accept all“ or “reject all“ cookies. The ICO’s stance is that it is not data protection compliant to use dark patterns by companies to pressure users to accept non-essential cookies with a single click without having an equivalent option available for refusing them.
The Position Paper: https://www.drcf.org.uk/__data/assets/pdf_file/0024/266226/Harmful-Design-in-Digital-Markets-ICO-CMA-joint-position-paper.pdf
What now?
It is important to state that there is presently no unanimous opinion among EU/EEA DPAs on the ways the cookie banners must be established. Some DPAs are very strict and require the first layer of the cookie banner to have an explicit “reject all” button. Meanwhile, based on EDPB’s report there are a number of DPAs which are more lenient and allow this button to be installed on the second layer. At the same time, the fact that the Spanish and French DPAs have taken a strict stance should be a warning sign for companies, because the mentioned authorities are very active in their enforcement and their practice is often followed by other DPAs in the block. It is safe to say that authorities will keep monitoring the usage of the cookie banners and enforcement is increasing. Companies should review their current practices and if needed adapt to the new requirements.
Some possible action items for the companies:
- Review your cookie banners
Whenever companies are using cookies, they need to have in place cookie banners, which should inform users about the use and types of cookies.
- Non-essential cookies need consent
There are various types of cookies, that might be deployed on a website, but not all are essential. Essential cookies, which are stored for the functioning of the website, do not require the user’s consent. However, cookies, which are used for analytics and other third-party cookies, and are often used for the purpose of behavioural advertising, need consent from the data subjects. Thus, companies should have a clear overview of the types of cookies and whenever necessary request consent from the users.
- Consent requests must be clear and enable the user to make an informed decision
Under data protection requirements, the cookie banners requesting consent must be clear and it must be possible to provide consent for the cookies as well as an option to refuse non-essential cookies. The cookie banner cannot also be bundled together with the terms and conditions.
- Reject all button on the first layer of the cookie banner is the recommended approach
Even though there is currently no uniform approach from DPAs for there to be a reject all button for non-essential cookies on the first layer of the cookie banner, it is still a recommended option for the companies as the number of data protection authorities that consider this as the only valid approach is increasing.
If you want to stay up to date with the latest news on the privacy and security field, follow us on LinkedIn. We post regularly about the most important news that companies should be aware of in this area.
At White Label Consultancy, we have assisted many clients worldwide in reducing the risks of processing personal data, as well as providing advice on various domestic and international privacy and data security matters. For more details feel free to contact us using the contact form.
