Key findings from the EDPB’s Cookie Banner Report
The European Data Protection Board (EDPB) published its Cookie Banner Report on 18 January 2023. The Report sets out the common position that the EDPB and the supervisory authorities (SAs) of the EEA member states will take when interpreting the cookie rules, and therefore how SAs will apply the law when handling cookie complaints.
The Report responds to a series of complaints filed by the non-governmental organisation None of Your Business (NOYB), co-founded by privacy activist Max Schrems, about cookie banners on websites in the EU/EEA. To handle these complaints consistently, the EDPB established the Cookie Banner Taskforce in September 2021, and it is this Taskforce that drafted the Report.
Key Takeaways from the Report for businesses to note
Applicable law: The ePrivacy Directive (Article 5(3), as transposed into national law) governs the placing of cookies and the obtaining of consent through the banner. The GDPR applies to the subsequent processing of any personal data collected through those cookies. A website therefore needs a valid consent under the ePrivacy rules before a non-essential cookie is set, and a GDPR legal basis for whatever is done with the data afterwards.
Reject buttons: The vast majority of SAs consider a banner that offers an accept button on a layer without a reject option on that same layer to be non-compliant; a reject option must therefore appear on any layer that offers acceptance, including the first. Certain DPAs, such as France's CNIL (and, outside the EEA, the UK's ICO), have additionally stated in their own guidance that the reject option belongs on the very first layer. In practice, rejecting cookies must be as easy as accepting them, i.e., one click.
Pre-selected boxes: Pre-ticked checkboxes or pre-selected options for cookies that are not strictly necessary do not produce valid consent. This is a dark pattern: it nudges users into choices they would not otherwise have made, and consent must be an affirmative act by the user, so a box the user did not tick cannot be relied on.
Banner design: Dark patterns are not to be employed in the banner. A reject link that is buried in the banner text, or that sits outside the banner entirely, is not acceptable. Buttons must be clearly labelled and legible. Accept and reject buttons should be presented with similar visual weight; attention-grabbing colours or contrast that steer the user toward accepting should be avoided. The SAs will assess designs case by case, and in some cases a deceptive colour contrast alone will be treated as an infringement, so the safe course is a consistent, neutral presentation of both options.
Legitimate interest: Legitimate interest is not a valid basis for storing or reading non-essential cookies. Under the ePrivacy rules, consent is required unless the cookie is strictly necessary to provide a service explicitly requested by the user, so only consent will be accepted as the basis for placing such cookies. The subsequent processing of the personal data collected through them must separately comply with the GDPR.
Withdraw icons: Withdrawing consent must be as easy as giving it, so the option to withdraw should be readily available at any time. The Report does not prescribe a single mechanism; a permanently visible hovering icon, or a link placed in a standardised and easily findable location on the website, are examples the SAs consider acceptable.
The positions set out in the Report should be treated as the minimum common standard across the EEA. Companies should check that their cookie practices comply with the ePrivacy Directive and the GDPR. The Report is intended to guide how the SAs decide the cookie complaints before them and, by extension, how they will approach cookie banners in the future. Its positions must be read together with the requirements of the applicable national laws and the guidance issued by the individual SAs, which may go further. The full Report is available on the EDPB website.