On January 18, 2023, the European Data Protection Board (“EDPB”) published a report setting out the common positions of the EDPB and EEA member state supervisory authorities (“SAs”) with respect to interpreting the EU rules applying to cookies. SAs will take these common positions into account when handling cookie complaints.

The report was drafted by the EDPB’s Cookie Banner Taskforce (“Taskforce”), which is composed of the EDPB and 18 SAs. However, the report does not have the same interpretative value as EDPB guidance. Moreover, SAs will not take into account the positions mentioned in the report in isolation – they will also take into account additional national requirements stemming from the national laws transposing the ePrivacy Directive and SAs’ national guidance.

Below we summarize the main points of the report:

  • The law applicable to placing cookie banners and obtaining consent is the ePrivacy Directive, as transposed into national law by Member States. In contrast, the GDPR applies to the processing of personal data collected through cookies.
  • The GDPR’s one stop shop mechanism – which is used when one data protection authority acts as a controller’s single point of contact in an investigation – applies to GDPR violations only. It does not apply to violations of the ePrivacy Directive.
  • The cookie banner’s first layer should have a button allowing users to reject all cookies. (However, the report indicates that this is the position of the “majority” of SAs, but not of all SAs).
  • Cookie banners should not include pre-selected buttons and avoid nudging or forcing users to accept cookies (so-called “dark patterns”). Cookie banners should also not make it more difficult for users to reject cookies than to accept them by displaying deceptive “reject” buttons. The Taskforce does not set out specific criteria for identifying “dark patterns”; instead, SAs will need to assess each cookie banner on a case-by-case basis taking into account its color and format of the buttons.
  • Users should receive clear and easily understandable information about: (i) the cookies used; (ii) the purposes of these cookies; and (iii) the means to consent and/or reject these cookies.
  • Users who consent to the placement of cookies should be able to withdraw that consent at any time. It should be as easy to withdraw consent as it is to give it.

The report recommends that companies verify whether their cookie policies and banners comply with the ePrivacy Directive, as transposed into Member State laws. Recent fines imposed by some authorities, such as the French CNIL, Spanish AEPD, and Irish DPC, demonstrate they are actively enforcing compliance with the EU’s cookie rules (as we have previously discussed here).

***

Covington’s Data Privacy & Cybersecurity Practice regularly advises companies on their most challenging regulatory and compliance issues in the EU and other major markets. Our team is happy to assist with any inquiries relating to cookies, including reviewing cookie banners and responding to investigations by SAs, as well as any other tech regulatory matters.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

Diane Valat

Diane Valat is a trainee who attended IE University.