EU Cookie Banner Task Force report

Key takeaways

Philipp Rosenauer
Partner Legal, PwC Switzerland

Caitlin Hemminga
Associate | Data Privacy | ICT | Implementationᐩ, PwC Switzerland

The European Data Protection Board (EDPB) recently published a report summarising the findings of its Cookie Banner Task Force.

The objective of the task force was to provide guidance on the implementation of cookie banners, which must be displayed to users of websites in accordance with the General Data Protection Regulation (GDPR).
We have summarised the most relevant criteria below.

The report

The positions within the report provide a minimum threshold, but they are not sufficient to obtain approval from a competent authority, nor are they legally binding. Rather, the findings must be read in combination with national laws.

The report summarises best practice for implementing cookie banners through a ‘privacy by design’ approach and a user-friendly experience. Since cookie banners are the gateway to websites, they should be understood as a tool to protect the users’ privacy and, therefore, they need to ensure that users are aware and informed to control and make decisions about their data.

Key points

  1. No reject button
    Most commonly, cookie banners have an ‘accept all’ button and a button that allows users to customise the use of cookies. It was concluded that most supervisory authorities consider it an infringement of the ePrivacy Directive if a cookie banner does not provide both an ‘accept all’ and a ‘reject all’ option simultaneously on any layer of the cookie banner.
  2. Pre-ticked boxes
    When users select categories of cookies on the second layer of a cookie banner, some website operators present the options pre-ticked. The supervisory authorities concluded that pre-ticked boxes in this instance also do not lead to valid consent and are prohibited.
  3. Deceptive button colours and contrast
    A cookie banner must provide clear and easily understandable information about the cookies used, their purpose and the means to consent to them, but it should also not deceive or nudge users through distinct colours and contrasts to ‘accept all’. Forcing users in this way to consent to cookies wrongly gives the impression that they must give consent to access the website and its content.
  4. Legitimate interest
    If a banner states ‘legitimate interest’ as its legal basis for non-essential cookies, for example targeted advertising, the website operator is not collecting valid consent and such action is prohibited. If this is the case, then the operator is also non-compliant with any subsequent processing of personal data through the cookies.
  5. ‘Essential cookies’
    Some cookie banners wrongly categorise ‘essential’ cookies, also known as ‘strictly necessary’ cookies. The authorities determined that wrongly categorised cookies are prohibited. Although the features of cookies change often, it is critical that the website operator maintains the list of essential cookies.
  6. No withdraw icon
    It should be just as easy to withdraw consent as it is to give consent. Website operators should use permanently visible icons or other easily accessible means for users to withdraw their consent at any time.

What does this mean for you?

You may consider reviewing the cookie banners on your company’s website against the EDPB’s report findings to ensure compliance with the applicable laws.

PwC supports clients across industries on the legal and technical aspects of cookie banners.

