The European Data Protection Board (“EDPB”), a body with members from all EEA supervisory authorities (and the European Data Protection Supervisor), has recently established a taskforce to coordinate the response to complaints concerning compliance of cookie banners filed with several European Economic Area (“EEA”) Supervisory Authorities (“SAs”) by a non-profit organisation NOYB. NOYB believes that many cookie banners, including those of ‘major’ companies, engage in “deceptive designs” and “dark patterns”.
The EDPB taskforce is established in accordance with Art. 70(1)(u) of the GDPR, which states that the EDBP must promote the cooperation and effective bilateral and multilateral exchange of information and best practices between SAs. The aim of this taskforce is to harmonise and coordinate the approach to investigating and responding to cookie banner complaints from NOYB. It remains to be seen how this will actually be done in practice and whether EDPB will limit the harmonisation to procedural approach to the complaints, or whether it will also attempt to ensure consistent application of the underlying substantive rules.
What is NOYB and how do their complaints work?
NOYB is a non-profit focusing on challenging data protection violations. The organisation is founded by a privacy activist and lawyer, Max Schrems, who is behind the well-known Schrems cases that led to the invalidation of the Safe Harbor and the EU-U.S. Privacy Shield mechanisms for transfers of personal data to the U.S.. Compliance of cookie banners/pop-up consent mechanisms with data protection and privacy rules, is one of NOYB’s latest initiatives.
At the outset of this latest initiative, NOYB sent hundreds of draft complaints to companies across Europe that it claims use ‘unlawful’ cookie banners along with a guide of how to achieve compliance. This is based on NOYB’s interpretation of relevant rules and how these should be implemented in practice. NOYB previously gave these companies one month to make the changes to their cookie banners and consent management solutions before filing formal complaints with the relevant data protection authorities.
Following a lack of action or what NOYB viewed as insufficient action by a number of these companies, on 10 August 2021, NOYB filed 422 complaints with 10 data protection authorities, with intentions to file a further 36 more. As a result, the EDPB has established the cookie banner taskforce to coordinate the response to complaints concerning cookie banners filed in several EEA countries. Clearly, this initiative has become a driver of enforcement activity in the EEA. Is there really a one-size-fits-all cookie banner standard all companies should follow?
What is the legal environment companies need to follow?
In the EU, cookies are regulated by the European Directive 2002/58/EC, as amended, also known as ‘the e-Privacy Directive’ (“ePD”). The ePD requires that users or subscribers consent to information being placed or accessed on their devices (this includes setting and reading cookies and use of a wide array of other common tracking technologies), unless these are ‘strictly necessary’ to provide service requested by the subscriber/user. Such consent has to comply with requirements of the GDPR.
GDPR requires (in Arts. 4(11) and 7) a data subject’s consent to be freely given, specific, informed and unambiguous, and given through a clear affirmative action. Recital 32 of the GDPR also clarifies what such affirmative action is, specifically banning pre-ticked boxes, emphasising that silence or inactivity does not constitute consent, something commonly seen in cookie banners. This was further confirmed by the judgment of the Court of Justice of the European Union (CJEU) in the Planet49 case C-673/17 which, amongst other things, settled that pre-ticked checkboxes are invalid, that the GDPR standard of consent applies to cookies and that the ‘cookie consent rule’ applies regardless of whether cookies constitute personal data or not.
As such, to comply with the regulations governing cookies under the GDPR and the ePD you must:
- Receive users’ consent before you set/read any cookies except strictly necessary cookies.
- Provide accurate and specific information about each cookie (including its purpose, whether cookie is placed by the website/third party, its lifespan, and other relevant information) in plain language before consent is received.
- Document and store consent received from users.
- Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
The way companies interpret these rules and reflect them in actual cookie banners varies greatly. Even cookie banners from the same consent management platform (“CMP”) often differ from one another. This is because CMPs typically offer adjustability for all elements of cookie consent mechanisms they offer, which companies can modify to match their legal obligations (and risk appetite). This means that to achieve reasonable compliance, companies need to take hands-on approach to CMPs, which may not always be compliant by default (making CMP implementation a very much ‘adjust and tweak’ before you can ‘plug and play’ exercise).
What about the regulators – do they interpret the rules in the same way?
The issue in practice is the lack of harmonisation across the EEA, regarding cookie consent implementation. A number of SAs have published guidance (Belgium, France, Ireland, Italy, Spain and UK, to mention a few) but there is a lack of cohesion resulting from differing interpretations. A lot of the guidance is also fairly recent (or recently has been updated). Some countries have also recently revised their underlying cookie laws to reflect the EU cookie rules in their national legislation, with Germany’s Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (“TTDSG”) coming into effect on December 1, 2021 (which will presumably be followed by further guidance at state and federal level).
Multiple sets of differing national interpretations of the laws on cookies, means that it is challenging for pan-EU organisations to make sure their implementation reflects the understanding of all SAs.
Would certain analytics cookies be excluded from consent requirements altogether (and under what conditions)? Would cookie banners have to offer both ‘accept’ and ‘reject’ buttons, even if users can select which cookie types they accept/reject in the second layer? Would websites need to introduce a persistent cookie-banner-recall button? – These are just some of the examples of practical questions, where answers may differ depending on the SA’s guidelines you consult.
At the moment, there is no recent guidance at an EU level and the EDPB would be challenged to publish guidance that would provide sufficient detail to help companies set up their cookie consent mechanisms, without some of the national SAs needing to revise their national guidelines and approach.
Can the taskforce help establish one cookie banner standard across the EEA?