In September 2021, the European Data Protection Board (EDPB) set up a Cookie Banner Taskforce (Taskforce) to coordinate the response to several hundred complaints made to data protection supervisory authorities (SAs) by the NGO NOYB concerning the design and characteristics of cookie banners.

The objectives of the Taskforce are to promote cooperation, information sharing and best practices. On 18 January 2023, the Taskforce published its draft report on work undertaken to date. In the report, the SAs agreed on an interpretation of the applicable provisions of the ePD and GDPR to the design of cookie banners.

If your organisation uses cookies on its website or app, the report is important as it provides guidance on issues such as reject buttons, pre-ticked boxes, banner design, and withdrawal of consent. We outline the key takeaways from the report below.

The rules – the ePrivacy Directive and GDPR

The Taskforce states that the applicable legal framework for cookies is only the national law of each Member State which transposes Article 5(3) of the ePrivacy Directive (ePD) and that the one stop shop mechanism does not apply.

However, in relation to any processing of data which takes place after gaining access to or storing information on a user’s device, the Taskforce reminds stakeholders that the GDPR applies. So, for processing of data collected via cookies to be lawful, it is required that:

  1. The storage of, or gaining of access to, information through cookies is done in compliance with Article 5(3) ePD (and the national implementing rules), and
  2. Any subsequent processing is done in compliance with the GDPR

The Taskforce also emphasises that the ePD’s reference to consent includes both a reference to the definition of consent per Article 4 GDPR as well as to the conditions for consent in Article 7 GDPR.

Strictly necessary/essential cookies

The Taskforce observed that some controllers incorrectly classify cookies as “strictly necessary” despite the purpose for which such cookies are used not meeting the requirements of that exception.

By way of reminder, in order to rely on the “strictly necessary” exception, a cookie must pass two tests:

  1. The ‘information society service’ has been explicitly requested by the user, and
  2. The cookie is strictly needed to enable the ‘information society service’: if cookies are disabled, the service will not work

Based on previous regulatory guidance, the following purposes are generally viewed as benefiting from the strictly necessary exception:

  • First party session cookies which support user input or authentication
  • Limited user interface customisation cookies, for basic functions like language preference
  • User-centric security cookies: accepted market practice is that first-party security cookies can rely on the strictly necessary exemption, but third-party security cookies are not afforded the same benefit, and
  • Multimedia player session cookies used to store technical data needed to play back video or audio content

Designing cookie banners

Following a coordinated review of several cookie banners which were the subject of complaints, the Taskforce provided the following commentary on various design aspects of cookie banners:

What next?

The Taskforce’s interpretation of these design issues provides helpful clarification for website and app operators. The timing of the draft report also indicates that enforcement of cookie rules remains high on the agenda for SAs in 2023.