The European privacy advocacy group noyb this week published a report titled "noyb's Consent Banner Report: How authorities actually decide". This report examines the decisions and guidance documents issued by various data protection authorities (DPAs) across Europe concerning cookie banners.
Cookie banners are the pop-up notifications users see on websites informing them about cookies and similar technologies used to track user activity. The report offers a valuable resource for companies striving for compliance with cookie consent regulations.
Understanding Cookie Consent and the EDPB
The General Data Protection Regulation (GDPR) is a regulation of EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA. According to the GDPR, websites must acquire a user's consent before storing or accessing certain types of cookies on the user's device. The European Data Protection Board (EDPB) is an independent EU body that supports cooperation between EU supervisory authorities to enforce the GDPR.
The EDPB Cookie Banner Task Force and Its Recommendations
In September 2021, the EDPB established a cookie banner task force to coordinate the response to complaints regarding cookie banners. In January 2023, this task force published a report offering its recommendations on cookie banner best practices. The EDPB report serves as a minimum threshold for cookie banner compliance, but national DPAs can have stricter requirements.
noyb's Report: Comparing National DPA Positions with EDPB Recommendations
Noyb's report compares the EDPB task force's recommendations with the positions taken by national DPAs. The report analyzes relevant issues, the EDPB task force's stance, and the guidelines set forth by national DPAs. Additionally, the report incorporates information on actual DPA decisions where available.
The report examines various aspects of cookie banner compliance, including:
- Offering a clear "reject all" option on the first layer of the cookie banner. This means users should not have to navigate through additional pages to refuse cookies.
- Avoiding pre-selected tick boxes that users must opt out of. Cookie consent should be freely given, and pre-selected boxes can be misleading.
- Steering clear of deceptive practices such as using contrasting button colors or confusing button layouts to pressure users into accepting cookies.
- Reliance on legitimate interest as a legal basis for installing non-essential cookies. Legitimate interest is a legal justification for processing personal data under the GDPR, but it cannot be used for all cookies.
Noyb's report serves as a valuable tool for businesses operating within the EU. By understanding the various national DPA interpretations of cookie consent regulations, businesses can ensure their cookie banner practices comply with the GDPR and associated regulations.