Yesterday, the European Data Protection Board (EDPB) adopted a report on the work undertaken by the Cookies Banner Task Force. The Task Force was established in September 2021 to coordinate the response to complaints filed by NOYB concerning cookie banners while promoting cooperation, information sharing and best practices between the Data Protection Authorities (DPAs).
The report reflects the DPAs’ common denominator in their interpretation of the provisions of both the GDPR and the e-Privacy Directive (EPD) regarding the placement/reading of cookies and the subsequent processing of the data collected.
FEDMA welcomes this type of initiative to support a consistent application and interpretation of the EU privacy and data protection framework, especially on a topic which is often brought up as an example of the ongoing fragmented regulatory landscape.
Specifically, the EDPB confirmed that the national law transposing the EPD covers the issues dealing with the placement/reading of cookies, while the GDPR applies to the subsequent activities undertaken by the data controller.
Among its main conclusions, the task force members:
- pointed out that most data protection authorities consider it an infringement when a refuse/reject/not consent option is absent from any layer of the cookie consent banner that has a consent button
- confirmed that opt-in pre-ticked boxes do not lead to valid consent
- classified as invalid or misleading:
  - the absence of sufficient visual support on the only alternative action other than granting consent
  - the practice of using deceptive button contrasts, making any option other than granting consent unreadable to virtually any user.
- recalled the relevance of the WP29’s opinion in assessing whether cookies can be classified as “essential” or “strictly necessary”.
- stressed the need for a case-by-case analysis to assess whether a consent withdrawal solution meets the GDPR and EPD’s legal requirements.
- confirmed that the legal basis for the placement/reading of cookies pursuant to Article 5 (3) of the e-Privacy Directive cannot be the controller’s legitimate interest.
You can read the full report here.