In the past few years, privacy activists, consumers and national and European data protection authorities have become increasingly aware of the impact of cookies and other tracking technologies. As a result, most administrators of websites and mobile apps know that they have to provide users with a clear and prominent cookie banner. They also know that they should explain what cookies are being used and obtain the user’s consent before storing any non-essential cookies on their device.
What they don’t know is how, exactly, this information should be conveyed. In theory, the conditions are straightforward and set forth in Directive 2002/58/EC (“ePrivacy Directive”) and Regulation (EU) 2016/679 (“GDPR”). In practice, however, requirements for obtaining consent for the use of cookies depend on the jurisdiction.
To address concerns regarding cookie banners and consent management on websites, the European Data Protection Board set up the “Cookie Banner Taskforce.” On January 17, 2023, the Cookie Banner Taskforce adopted a report detailing their findings. This report offers further guidance on the minimum requirements for transparency and efficiency of cookie banners and consent management practices within the European Union (“EU”).
The following are key takeaways from the report if you are a website or app owner:
- Ensure that your cookie banner includes a “reject button” on the first layer;
- Avoid using pre-ticked checkboxes for cookie consent;
- Provide a clear and direct option for users to reject, without using deceptive link designs;
- Avoid using deceptive button colors or deceptive button contrast;
- If you haven’t received consent for storing or accessing information through cookies, abstain from any further processing;
- Classify cookies as “essential” or “strictly necessary” only when they are truly required for your website to function; and
- Make it easy for users to withdraw their consent, such as by providing an icon that is visible at all times or a link placed on a visible and standardized place.
Despite the fact that they are not formally binding, the minimum requirements in the current report are expected to have a substantial impact on businesses and website owners operating within the EU. Consequently, they will have to ensure that their cookie banners and consent management practices meet the minimum thresholds set out in this report.
Unfortunately, the report only outlines minimum requirements. Website owners must still verify whether additional national requirements (such as the ones specified by the French data protection authority) exist beyond the report’s minimum thresholds.
Additionally, please note that the ePrivacy Directive is currently being revised and a new, more harmonized, version is expected to be adopted in the near future. The new ePrivacy Directive is expected to introduce stricter rules on online tracking and data collection, particularly regarding cookies and other similar technologies which we will be sure to summarize upon its release.
Source: Report of the work undertaken by the Cookie Banner Taskforce, January 17, 2023, https://edpb.europa.eu/our-work-tools/our-documents/other/report-work-undertaken-cookie-banner-taskforce_en