7 takeaways from the latest report on cookie banners

Cookie banners are so much more than a pop-up asking you to click “yes”. They’re legal contracts between your company and a user over the use of cookies – small snippets of code that deliver information to the website owner about you and how you use the website you’re visiting.

These cookie banners ask for a user’s permission for their data to be used. But according to European privacy laws (the General Data Protection Regulation, which deals with personal data and the ePrivacy Directive, which deals with cookies and trackers) these banners have to conform to certain standards.

It sounds easy enough but the latest report from the European Data Protection Board has a lot to say about elements such as reject buttons, pre-ticked boxes, banner design and consent withdrawal icons.

Earlier this year, the board adopted a report on the work undertaken by the Cookie Banner Task Force. The task force aims to promote cooperation, information sharing and best practices between the data protection authorities (DPAs), to ensure a consistent approach to cookie banners across the European Economic Area.

It was tasked with coordinating the response to complaints concerning cookie banners filed by non-profit organisation NOYB across several data protection DPAs. The report addresses and presents the board’s position on a number of practices. The most important takeaways from the report are:

1. No reject button on the first layer

Some cookie banners contain a button to accept the storage of cookies and a button that allows the user to access further options, but no button to reject the cookies. Does this infringe the ePrivacy Directive? A vast majority of authorities considered that the absence of refuse/reject/not consent options on any layer alongside a consent button of the cookie consent banner is not in line with the requirements for valid consent and thus constitutes an infringement.

2. Pre-ticked boxes

Sometimes after the user has clicked on the “settings” button of the first layer, they are provided with several options, with pre-ticked boxes on the second layer of the cookie banner. The taskforce confirmed that pre-ticked boxes to opt-in do not lead to valid consent as referred to either in the GDPR or the ePrivacy Directive.

3. Deceptive ‘link design’

Some cookie banners contain a link, not a button, as an option to reject the setting of cookies. In other words there is a direct link to a second layer where a user can reject the deposit of cookies.

The taskforce agreed that there should always be a clear indication on what the banner is about, the purpose of the consent being sought and how to consent to cookies. The members agreed that for the consent to be valid, the user should be able to understand what they consent to and how to do so.

In order for a valid consent to be freely given, the taskforce members agreed that cookie banners must not be designed in a way that gives users the impression that they have to give consent to access the website content, nor in a way that clearly pushes the user to give consent.

4. Buttons: Deceptive colours and contrast

Banners and the contrast ratio between the accept button and the background could lead to a clear highlight of the “accept all” button over the available options. But the taskforce believes that a general banner standard for colour or contrast cannot be imposed.

In order to assess the conformity of a banner, a case-by-case verification must be carried out in order to check that the contrast and colours used are not obviously misleading for the users and do not result in unintended consent from them.

5. Legitimate interest claimed, list of purposes

A banner that highlights the possibility of accepting cookies at the first level but does not include an option to refuse at this level, can lead the average user to believe that they have no possibility of objection to the deposit of cookies at all and, incidentally, to the subsequent processing that results from them.

The taskforce took the view that “non-compliance found, in particular when no valid consent is obtained where required, means that the subsequent processing cannot be compliant with the GDPR”. In other words, if data is collected unlawfully so too is the processing of this data. Sometimes the top level of a banner does not offer a “refuse all” option — instead requiring users to click through into settings to unearth additional toggles.

“The integration of this notion of legitimate interest for the subsequent processing ‘in the deeper layers of the banner’ could be considered as confusing for users who might think they have to refuse twice in order not to have their personal data processed,” the report stated.

The taskforce also agreed on how regulators should determine whether any subsequent processing based on cookies is lawful.

This would entail determining whether “the storage/gaining of access to information through cookies or similar technologies is done in compliance with the ePrivacy directive (and the national implementing rules). Any subsequent processing is done in compliance with the GDPR.”

6. Inaccurately classified ‘essential’ cookies

Some cookies and processing operations that use personal data are classified as “essential” or “strictly necessary” cookies and processing operations even though they serve purposes that would not be considered as “strictly necessary” within the meaning of the ePrivacy Directive or the ordinary meaning of “strictly necessary” or “essential” under the GDPR.

Taskforce members agreed that the assessment of cookies to determine which ones are essential raises practical difficulties, in particular due to the fact that the features of cookies change regularly. Cookies allowing website owners to retain the preferences expressed by users, regarding a service, should be deemed essential.

7. No withdraw icons

Users should be allowed to withdraw their consent at any time. This should be easy to access, for example as a small, hovering and permanently visible icon or a link placed on a visible and standardised place.

However, the taskforce agreed that a specific withdrawal solution cannot be imposed on website owners. The bottom line is that, according to both GDPR and the ePrivacy directive, it must be as easy to withdraw consent as it is to give consent.

What does this mean for you?

Because cookies and tracking fall under the ePrivacy Directive, oversight of cookie banners is typically decentralised to regulators in each state.

In Ireland this is the Data Protection Commission, which issued guidelines on cookies and other tracking technologies in 2020.

This decentralised oversight of cookie banners means there can be varying applications of the rules, depending on where the website owner is. This report is therefore expected to inform Data Protection Authorities’ decisions about cookies but the report reflects “a minimum threshold” in implementing cookie rules.

Banners and cookie collection will thus be evaluated on a case-by-case basis. Although there is some flexibility around the design of cookie banners the bottom line is that they should be reviewed on a continuous basis to ensure there is nothing misleading and that consent is as easy for users to give as it is for them to reject.