On January 18, 2023, the European Data Protection Board (“EDPB”) published a report setting out the common positions of the EDPB and EEA member state supervisory authorities (“SAs”) with respect to interpreting the EU rules applying to cookies. SAs will take these common positions into account when handling cookie complaints.
The report was drafted by the EDPB’s Cookie Banner Taskforce (“Taskforce”), which is composed of the EDPB and 18 SAs. However, the report does not have the same interpretative value as EDPB guidance. Moreover, SAs will not take into account the positions mentioned in the report in isolation – they will also take into account additional national requirements stemming from the national laws transposing the ePrivacy Directive and SAs’ national guidance.
Below we summarize the main points of the report:
- The law applicable to placing cookie banners and obtaining consent is the ePrivacy Directive, as transposed into national law by Member States. In contrast, the GDPR applies to the processing of personal data collected through cookies.
- The GDPR’s one stop shop mechanism – which is used when one data protection authority acts as a controller’s single point of contact in an investigation – applies to GDPR violations only. It does not apply to violations of the ePrivacy Directive.
- The cookie banner’s first layer should have a button allowing users to reject all cookies. (However, the report indicates that this is the position of the “majority” of SAs, but not of all SAs).
- Cookie banners should not include pre-selected buttons and should avoid nudging or forcing users to accept cookies (so-called “dark patterns”). Cookie banners should also not make it more difficult for users to reject cookies than to accept them, for example by displaying deceptive “reject” buttons. The Taskforce does not set out specific criteria for identifying “dark patterns”; instead, SAs will need to assess each cookie banner on a case-by-case basis, taking into account the color and format of its buttons.
- Users should receive clear and easily understandable information about: (i) the cookies used; (ii) the purposes of these cookies; and (iii) the means to consent and/or reject these cookies.
- Users who consent to the placement of cookies should be able to withdraw that consent at any time. It should be as easy to withdraw consent as it is to give it.
The report recommends that companies verify whether their cookie policies and banners comply with the ePrivacy Directive, as transposed into Member State laws. Recent fines imposed by some authorities, such as the French CNIL, Spanish AEPD, and Irish DPC, demonstrate they are actively enforcing compliance with the EU’s cookie rules (as we have previously discussed here).
Covington’s Data Privacy & Cybersecurity Practice regularly advises companies on their most challenging regulatory and compliance issues in the EU and other major markets. Our team is happy to assist with any inquiries relating to cookies, including reviewing cookie banners and responding to investigations by SAs, as well as any other tech regulatory matters.