On January 18, 2023, the cookie banner task force established by the European Data Protection Board (“EDPB”) published its draft report concerning the required design and characteristics of cookie banners (“Report”). The task force was set up in September 2021 following complaints filed with several European Data Protection Authorities (“DPAs”) by the None Of Your Business association (“NOYB”).
First, the task force emphasized that the ePrivacy Directive and the GDPR apply in parallel: Article 5(3) of the ePrivacy Directive governs the initial stage, when cookies are stored on, or read from, the data subject’s terminal equipment, while the GDPR governs the subsequent processing of the personal data collected through such cookies.
Further, the Report provides specific guidance regarding the proper design and characteristics of cookie banners based on the requirements of both regulations. While some recommendations may be familiar, others include noteworthy distinctions, as outlined below:
- Banners must include a Reject Button – Since any cookie that is not strictly necessary requires consent, and consent requires a clear positive action by the user, the vast majority of DPAs considered that the absence of a “Reject Cookies” option on the same layer as the “Accept” option constitutes an infringement.
- No Pre-Ticked Boxes – the Report emphasizes that using pre-ticked boxes does not lead to valid consent.
- Avoid Deceptive Designs – The Report stresses that for consent to be valid, users must understand what they are consenting to and how to give or refuse it. Website owners must not design cookie banners in a way that misleads users, gives the impression that consent is required to access the website content, or nudges users toward consenting. Such misleading practices include, inter alia: offering the only means of rejecting cookies as a link embedded in general text; placing the reject button or link outside of the banner; using deceptive colors (e.g., red for accept); using a text color on a button with so little contrast against the button background that the text is unreadable to virtually any user; etc. These examples of improper and misleading practices correspond with the practices described in the US FTC’s 2022 staff report on dark patterns.
- Be Clear about your Lawful Basis – The task force stresses that the ePrivacy Directive and the GDPR impose distinct requirements. Website operators must obtain consent in line with Article 5(3) of the ePrivacy Directive for storing or reading cookies, and must separately establish a valid legal basis under the GDPR for any processing of the data collected through those cookies. The consent banner must not blur these two layers; in particular, it should not confuse users about whether a separate “refusal” option is needed for the further use of the data collected through cookies.
- Define “Strictly Necessary” Cookies Carefully – The Report notes that some website owners incorrectly label certain cookies as “essential” or “strictly necessary” although they do not meet the exemption in Article 5(3) of the ePrivacy Directive as interpreted by the DPAs, and therefore still require consent. To address this issue, the Report suggests using designated tools such as Consent Management Platforms (CMPs) to classify the cookies used on a website correctly.
- Do Not Forget a Withdrawal Icon – Website owners should put in place easily accessible means for users to withdraw their consent at any time, such as a small, hovering, permanently visible icon, or a link placed in a visible and standardized location on the webpage.
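As an added illustration that is not part of the Report or of this note, the following JavaScript shows how the design points above translate into code: non-essential cookies are gated behind a recorded positive action, “no decision yet” never implies consent, accept and reject are rendered as equal buttons, no non-essential box is pre-ticked, withdrawal is always reachable and returns the categories whose cookies must be purged, and a small lint checks banner markup for the deceptive patterns the Report lists. The category names, the ConsentManager API, the markup and the lint rules are assumptions chosen for the example; a real site would plug the `mayStore` gate in front of every cookie or storage write.

```javascript
// Added example, not code from the EDPB Report or from APM & Co. Category
// names, the ConsentManager API and the banner markup are assumptions.

// Cookie categories. Only "necessary" is exempt from consent under
// Art. 5(3) ePrivacy; every other category needs a recorded positive action.
const CATEGORIES = {
  necessary: { strictlyNecessary: true, label: "Strictly necessary" },
  analytics: { strictlyNecessary: false, label: "Analytics" },
  marketing: { strictlyNecessary: false, label: "Marketing" },
};

class ConsentManager {
  constructor(categories = CATEGORIES) {
    this.categories = categories;
    this.record = null; // null = no decision yet; nothing is implied from silence
  }

  // Positive action by the user: only categories explicitly opted in are
  // allowed. Opting in to nothing is equivalent to "reject all".
  accept(optIn) {
    const allowed = [];
    for (const name of optIn) {
      const c = this.categories[name];
      if (!c) throw new Error(`unknown category: ${name}`);
      if (!c.strictlyNecessary) allowed.push(name);
    }
    this.record = { allowed, at: Date.now() };
    return this.record;
  }

  rejectAll() {
    this.record = { allowed: [], at: Date.now() };
    return this.record;
  }

  // Withdrawal must be as easy as consenting: clear the record and return the
  // categories whose already-set cookies now have to be deleted.
  withdraw() {
    const purge = this.record ? this.record.allowed.slice() : [];
    this.record = null;
    return purge;
  }

  // Gate to call before any document.cookie / localStorage write.
  mayStore(category) {
    const c = this.categories[category];
    if (!c) throw new Error(`unknown category: ${category}`);
    if (c.strictlyNecessary) return true; // exempt, no consent needed
    return this.record !== null && this.record.allowed.includes(category);
  }
}

// Banner markup: accept and reject are the same element type with the same
// class, no non-essential box is pre-ticked, and a withdraw link is always
// present outside the banner so it stays reachable after the banner closes.
function renderBanner(categories = CATEGORIES) {
  const boxes = Object.entries(categories).map(([name, c]) =>
    c.strictlyNecessary
      ? `<label><input type="checkbox" name="${name}" checked disabled> ${c.label} (always on)</label>`
      : `<label><input type="checkbox" name="${name}"> ${c.label}</label>`
  ).join("\n");
  return [
    `<div id="cookie-banner" role="dialog">`,
    boxes,
    `<button class="consent-btn" data-action="accept">Accept selected</button>`,
    `<button class="consent-btn" data-action="reject">Reject all</button>`,
    `</div>`,
    `<a id="cookie-withdraw" href="#cookie-banner">Cookie settings</a>`,
  ].join("\n");
}

// Lint for the deceptive patterns named in the Report: a pre-ticked box that
// is not a locked "always on" box, reject missing or demoted to a text link,
// and no withdrawal control. Returns a list of findings (empty = clean).
function lintBanner(html) {
  const findings = [];
  const preTicked = /<input[^>]*type="checkbox"(?![^>]*disabled)[^>]*\bchecked\b/i;
  if (preTicked.test(html)) findings.push("pre-ticked non-essential box");
  if (!/<button[^>]*data-action="reject"/i.test(html)) {
    findings.push(/<a[^>]*data-action="reject"/i.test(html)
      ? "reject offered only as a text link"
      : "no reject button");
  }
  if (!/id="cookie-withdraw"/.test(html)) findings.push("no withdrawal control");
  return findings;
}
```

The gate is deliberately fail-closed: until `accept` or `rejectAll` has been called, `mayStore` returns `false` for every non-essential category, so scrolling, closing the banner or simply continuing to browse cannot be read as consent.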
At APM & Co., we assist our clients with the ongoing compliance of their websites and provide them with a detailed gap analysis alongside easy-to-follow compliance guidelines for properly implementing cookies, privacy policies, disclosures, and consent.
This document is intended to provide only a general background regarding this matter. This document should not be regarded as binding legal advice, but rather a practical overview based on our understanding. APM & Co. is not licensed to practice law outside of Israel.
APM Technology and Regulation Team.