A task force within the European Data Protection Board (EDPB) issued a draft report in reaction to noyb's 700+ cookie banner complaints. The European Data Protection Authorities (DPAs) largely support noyb's complaints. If implemented, this report could ensure minimum requirements for cookie banners.
Worst Cookie Banners soon gone? Most users mainly associate the GDPR with nerve wracking "cookie banners". The worst cases should soon be gone, since the following common practices are clearly found unlawful under EU law, according to the EDPB draft report:
- No reject option on the first layer (but hidden in a sub-layer)
- Pre-ticked boxes instead of active consent
- Tiny links in another text to refuse consent
- Links outside the cookie banner to refuse consent
- Claiming legitimate interest for installing non-essential cookies (and not asking for consent)
- Not offering a permanent option to withdraw consent
Ala Krinickytė, data protection lawyer at noyb: "We are very happy that the authorities agreed on the minimum threshold for protections against abusive banners. Cookie banners became the poster child of the GDPR being undermined. We need authorities to take urgent action, to ensure citizens' trust in European privacy laws."
The Draft Decision is a result of DPAs' cooperation within the EDPB's taskforce on cookie banners launched in September 2021 following the filing of more than 500 cookie banners complaints by noyb. The Draft Report reflects the smallest common denominator in the DPAs' interpretation of the applicable law and sets a minimum threshold to assess consent cookie banners. Many national guidelines even go further and noyb equally takes the view that the law requires further protections, for example under the 'fairness' requirement of the GDPR.
Partial silence by DPAs. Some issues are not fully clarified in the EDPB Draft Report. The report is simply silent on them. This may lead to further discussions and uncertainty in the future. Among others, the Taskforce has not adopted a decision on deceptive button colours and contrasts and defined what "a visible and standardized place" for withdrawing consent is. The final version of the EDPB report has not yet been adopted. It may clarify these issues further.
Felix Mikolasch, data protection lawyer at noyb: "On some contentious issues there is deafening silence by the authorities, for example on deceptive button colours. Clearer guidance is needed to protect users further."
Status of noyb complaints. In March 2021, noyb scanned the web for illegal cookie banners and filed more than 700 complains across Europe. From the initially scanned websites, at least 56% introduced more compliant cookies banner, including Coca-Cola, Raiffeisen, Mastercard. As of today, 60 cookies cases have been closed.
First court actions. In a related story, noyb went to court over decisions of the Bavarian Data Protection Authority. Contrary to other DPAs, the Bavarian DPA did not take action on a banner that was clearly deceptive and pushed users towards consent. The Bavarian DPA mainly argues that data subjects have no right that a DPA takes action and that the banner was questionable but the DPA did not see the need to take action. noyb hopes that the relevant courts now overturn the DPA's decision and force it to uphold users' rights.