Garbage Collector


The little space of a writer, tinkerer, and a coffee addict

The EDPB adopts the final report of the cookie banner recommendations

The EDPB adopts the final report of the cookie banner recommendations
The European Data Protection board logo

Between May 2021 and August 2022, 18 European data protection authorities (DPA) received several hundred of complaints from NOYB regarding the design of the cookies banners.

A coordinated task force between the DPAs, piloted by the French authority La CNIL and its Austrian counterpart, the DSB, ended-up after 13 meetings by the production of a report containing various recommendations for designing a cookie banner. I propose here a summary of my understanding of this report.

Disclaimer

The report itself is not a design guideline, neither a greenlight for designers, because the authorities cannot establish recommendations for each use case. Basically, the document is a list of implementations the various data protection authorities would harmoniously consider to be a violation of the ePricacy directive and the GDPR when they study a case.

Another disclaimer : I’m not a lawyer, so if my interpretation is wrong, don’t hesitate to help me to fix it.

No reject button on the first layer

The DPAs noted a frequent case of banners having a button “Accept all”, but no “Reject all” at the same layer. The usual implementation will just propose a “Customize” next to the “Accept all”. The new screen would propose to reject all, or save the settings.

The majority of the DPA has established that the absence of a “Reject all” button at the same layer of the “Accept all” button “is not in line with the requirement for a valid consent and thus constitutes an infringement”. Few authorities considered they cannot retain an infringement because the ePrivacy Directive does not specify a “reject option” to the deposit of cookies.

Pre-ticked boxes

Some second layer of the cookie banners are presented as pre-ticked boxes. The taskforce members agreed and confirmed that this practice does not lead to a valid consent as referred either by the GDPR and the ePrivacy Directive. According to the GDPR, the consent must be a positive action from the user. A silenced or passive action, like pre-ticked boxes or inactivity, should not be considered as a valid consent.

Some cookie banners contain only a link to reject the deposit of cookies, or accessing to the detailed selection layer, and not a visible button.

The taskforce members agreed that the cookie banner design should not intend to deceive the user and make them believe they have to consent to the cookie deposit in order to access the service. The board agreed that the following non exhaustive list of examples do not lead to a valid consent :

The deceptive button colours, contrast

The taskforce members agreed that they can’t impose a standard colour and / or contrast for the cookie banners. The conformity of a banner should be assessed case-by-case. However, they agreed that a design highlighting the “Accept all” button against the “Refuse all” or “Parameters” button is considered as “problematic”. Another observed pattern is the case when the “Accept all” button is clearly visible, but the other choice’s contrast for text and highlight being so low that the text is nearly unreadable.

These patterns has been considered as problematic too by the taskforce members because such design would lead to an invalid consent. However, since no general recommendation could be established, they reiterated that each case must be individually assessed.

The legitimate interest claimed, list of purposes

Some banners propose the “Accept all” button or a “Customize” choice. They are designed in a way that the user would think to have no other choice than accepting the cookies deposit, and incidentally, to the subsequent processing that results from them. The second layer of the banner would make a distinction between the read/write operation on the cookie and the further processing presented as failing within the legitimate interest of the data controller.

In those cases, these “legitimate interest” appeared to be such as “Create a personal content profile” or “Select personalized ads” whereas “it could be considered that no overriding legitimate interest would exists for such processing activities”. Also, the taskforce members noted that this notion of legitimate interest for the subsequent processing would be confusing because the user would have to refuse twice the processing.

The members estimated that if a non-compliance is found with the cookie deposit, then the subsequent processing would also be non-compliant to the GDPR since the consent is not valid regarding the ePrivacy Directory article 5 (3).

Inaccurately classified “essential” cookies

Some cookie banners include in their “essential” or “strictly necessary” cookies and processing operations for purposes which actually not the case. The assessment of “essential” cookies is very difficult because the features would change regularly and it would not be possible to establish a proper list. But the taskforce members reminded that the website responsible has to maintain this list and should be able to demonstrate the “mandatory” aspect of these cookies.

Specific tools has been mentioned to analyse a website and create a report that shows all the cookies placed during the visit. They can help to produce the list, but they can’t tell if the cookie is “essential” or not. They have been marked as an help for the authorities when evaluating a case in addition to the information provided by the website.

No withdraw icon

Some cases showed that after the user gave its consent for the processing, they cannot withdraw it later. The website does not propose a “privacy settings” access, or it’s very difficult to find it, resulting the user being unable to withdraw their consent.

Both ePrivacy Directive (Article 5 (3)) and GDPR (article 7) require to let the user withdraw their consent at any time, and in a way as easy as to give consent. A case presenting a different way would be considered as non-compliant.

But, since the authorities could not provide or impose a specific implementation, the cases will have to be studied individually.

Personal interpretation

With these guidelines for cases analysis, I have the feeling that a lot of cookie banners will have trouble if complaints are filled against them.

For example, on the French news website FranceInfo, the refusal of the cookie deposit is on the top right of the banner (a design regularly seen) while the “Accept” or “Parameter” buttons are clearly visible. However, you can see that the contrast is not made to highlight the “Accept” button, they’re both neutral which seems to be acceptable.

franceinfo

Still in newspaper websites, a second case is the French newspaper Le Monde which present the same disposition, but with a more appealing “Accept” button. In addition, Le Monde presents a different case which is the “Cookie Paywall” saying : “Accept tracking or subscribe a paid access”. This method was considered as non-compliant by la CNIL because it would not be a valid consent. However, the decision has been contested and invalidated by le Conseil d’Etat, the French juridiction judging the administrative cases. It’s still a kind of blurry since the case has not be ported to the European Union Court of Justice at my knowledge.

lemonde

Let’s check a famous retailer, no need to introduce it. Same here, the cookie banner put emphasis on the “Accept all” button and diminish the “Personalize”. The “Refuse all” is hidden on the top right, with only a link styling.

amazon

A French retailer this time, but with the same pattern.

boulanger

A last one, Fandom, the various “fan made Wikis” with tons of advertising. It present the same case of cookie banner made to constraint the user if they want to refuse.

fandom fandom

And that’s a Desktop navigation… That’s a reason while I don’t surf on my smartphone unless absolute necessity, because these cookie wall are such a pain in the ass with these small screens and they are clearly designed in a way to for you to accept.

Various content blocker like µBlock or your browser builtin feature (like Vivaldi’s ad blocker) can remove them but be careful : a badly designed cookie banner could write cookies if the banner has been blocked. Don’t forget : the consent cannot be a passive action, the user has to willingly click on “accept”. One recommendation I’ve repeated a couple of times here : clean the cookies after the session. You have browser addons such as “CookieAutoDelete” for a very precise setting (like whitelisting your favorites or trusted websites) if your browser’s are not enough.


📑 Table of Contents

📚 Read my latest book

Follow me on Mastodon

🏷️ All Tags 📄 All Posts 🗺 Sitemap RSS Feed