In January 2023, the European Data Protection Board (EDPB) published a report on cookie banners (Report). The Report provides practical guidance to companies doing business in the EU on how to comply with the EU cookie rules. It deals with issues such as reject-all buttons, pre-ticked boxes, banner design, and withdrawal icons. The Report is helpful for companies looking to implement a baseline approach to cookie compliance across the EU.

Background

Under EU law, the use of cookies and similar tracking technologies involving the storing of information, or the gaining of access to information already stored on a user’s device (e.g., web beacons, pixel tags, local storage) (collectively, “cookies”) is subject to strict requirements. In particular, EU cookie rules require companies to obtain users’ opt-in consent to access any information stored on the user’s device unless the cookies are only used i) to carry out the transmission of a communication over a network or ii) for the functioning of the website or app (“essential cookies”).

Since May 2021, the privacy nongovernmental organization None of Your Business (NOYB) brought more than 700 complaints against website operators whose cookie banners allegedly violated the EU cookies rules.[1] As a result, the EDPB set up a “Cookie Banner Taskforce” which prepared the Report in order to promote cooperation and best practices between the various regulators involved.

Main Takeaways

  1. Consent is required for non-essential cookies. The Report states that companies must obtain opt-in consent for the use of all nonessential cookies, and that such opt-in consent cannot be obtained using pre-ticked boxes, in line with the EDPB guidelines on consent[2] and established case law of the European Court of Justice.[3] The Report states that absent such consent, the subsequent processing cannot be compliant with the General Data Protection Regulation (GDPR).
  1. If the cookie banner includes an “Accept” button, it should also include a “Reject” button. The Report notes that a “vast majority” of EU privacy regulators consider that the absence of a “Reject” button on a cookie banner displaying an “Accept” button violates the EU cookie rules. This means that it is not sufficient to have an “Accept” button together with another button allowing users to access further options; instead, the “Reject” button should be accessible on the first layer.
  2. If the cookie banner includes a link allowing users to reject cookies, that link should be easily identifiable and displayed within the cookie banner. According to the Report, displaying a link—rather than a button—which allows users to reject cookies is acceptable if such link is clearly visible and draws the user’s attention to this alternative option within the cookie banner.
  1. No general standard on cookie banner colors and contrast. Companies must carry out a case-by-case analysis to ensure that the colors and contrast used in a cookie banner are not misleading for users. The Report also states that where the contrast between the button’s text and background is so minimal that the text is unreadable, this practice is misleading for users.

  2. Companies must make it as easy for users to withdraw consent as to give it (e.g., via a hovering button or permanently visible icon). The Report states that it should be as easy for users to withdraw consent for nonessential cookies as to give it. This means that companies should allow users to withdraw their consent at any time, for example, with a small hovering button or a permanently visible icon on their website, or a link placed on a visible and standardized place. The Report does not impose a specific withdrawal solution, but it provides that EU privacy regulators will analyze whether a specific solution meets these requirements on a case-by-case basis.

Conclusion

The Report describes the current consensus among the EU privacy regulators as to which cookie practices are to be regarded as lawful. However, the EDPB underlines that the recommendations of the Report may not be sufficient, since additional requirements may apply under the national laws of each EU country.

Wilson Sonsini Goodrich & Rosati routinely advises clients on GDPR and ePrivacy compliance issues, and helps clients manage risks related to the enforcement of global and European data protection laws. For more information, please contact Cédric Burton, Laura De Boel, or another member of the firm’s privacy and cybersecurity practice.


[1] According to NOYB’s own statements, available here.

[2] See WP29 Opinion 04/2012 on Cookie Consent Exemption adopted on une 7, 2012, available here.

[3] CJEU, Case C‑673/17, Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH, available here.