In the past few years, privacy activists, consumers and national and European data protection authorities have become increasingly aware of the impact of cookies and other tracking technologies. As a result, most administrators of websites and mobile apps know that they have to provide users with a clear and prominent cookie banner. They also know that they should explain what cookies are being used and obtain the user’s consent before storing any non-essential cookies on their device. 

What they don’t know is how, exactly, this information should be conveyed. In theory, the conditions are straightforward and set forth in Directive 2002/58/EC (“ePrivacy Directive”) and Regulation (EU) 2016/679 (“GDPR”). In practice, however, requirements for obtaining consent for the use of cookies depend on the jurisdiction.

To address concerns regarding cookie banners and consent management on websites, the European Data Protection Board set up the “Cookie Banner Taskforce.” On January 17, 2023, the Cookie Banner Taskforce adopted a report detailing their findings. This report offers further guidance on the minimum requirements for transparency and efficiency of cookie banners and consent management practices within the European Union (“EU”).

The following are key takeaways from the report if you are a website or app owner:

  1. Ensure that your cookie banner includes a “reject button” on the first layer;
  2. Avoid using pre-ticked checkboxes for cookie consent;
  3. Provide a clear and direct option for users to reject, without using deceptive link designs;
  4. Avoid using deceptive button colors or deceptive button contrast;
  5. If you haven’t received consent for storing or accessing information through cookies, abstain from any further processing;
  6. Classify cookies as “essential” or “strictly necessary” only when they are truly required for your website to function; and
  7. Make it easy for users to withdraw their consent, such as by providing an icon that is visible at all times or a link placed on a visible and standardized place.

Despite the fact that they are not formally binding, the minimum requirements in the current report are expected to have a substantial impact on businesses and website owners operating within the EU. Consequently, they will have to ensure that their cookie banners and consent management practices meet the minimum thresholds set out in this report.

Unfortunately, the report only outlines minimum requirements. Website owners must still verify whether  additional national requirements (such as the ones specified by the French data protection authority) exist beyond the report’s minimum thresholds.

Additionally, please note that the ePrivacy Directive is currently being revised and a new, more harmonized, version is expected to be adopted in the near future. The new ePrivacy Directive is expected to introduce stricter rules on online tracking and data collection, particularly regarding cookies and other similar technologies which we will be sure to summarize upon its release.  

Source: Report of the work undertaken by the Cookie Banner Taskforce, January 17, 2023, https://edpb.europa.eu/our-work-tools/our-documents/other/report-work-undertaken-cookie-banner-taskforce_en

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Yung Shin Van Der Sype Yung Shin Van Der Sype

Yung Shin Van Der Sype is a counsel at Crowell & Moring’s Brussels Office and a member of the firm’s Privacy & Cybersecurity and IP Group. She focuses on IT law, such as privacy and data protection and IT contracts and cybersecurity, particularly…

Yung Shin Van Der Sype is a counsel at Crowell & Moring’s Brussels Office and a member of the firm’s Privacy & Cybersecurity and IP Group. She focuses on IT law, such as privacy and data protection and IT contracts and cybersecurity, particularly in relation to HR-related matters. Yung Shin advises national and international clients from different sectors ranging from social media to esports. She has more than 10 years’ experience providing services across the spectrum of IT law and has built up an impressive reputation in this area. She is also widely respected for her pragmatic and creative approach to solving business disputes.

Photo of Sarah Rippy Sarah Rippy

Sarah Rippy is an attorney in Crowell & Moring’s Denver office and a member of the Privacy & Cybersecurity Group.

During law school, Sarah was executive editor of the Colorado Technology Law Journal and an active member of the Silicon Flatirons Center. She…

Sarah Rippy is an attorney in Crowell & Moring’s Denver office and a member of the Privacy & Cybersecurity Group.

During law school, Sarah was executive editor of the Colorado Technology Law Journal and an active member of the Silicon Flatirons Center. She joins the firm after a year serving as a Westin Research Fellow at the International Association of Privacy Professionals, where she focused on state law developments, including the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), and the Virginia Consumer Data Protection Act (VCDPA).