by Kristof Van Quathem, Anna Oberschelp de Meneses, and Diane Valat
On January 18, 2023, the European Data Protection Board (“EDPB”) published a report setting out the common positions of the EDPB and EEA member state supervisory authorities (“SAs”) with respect to interpreting the EU rules applying to cookies. SAs will take these common positions into account when handling cookie complaints.
The report was drafted by the EDPB’s Cookie Banner Taskforce (“Taskforce”), which is composed of the EDPB and 18 SAs. However, the report does not have the same interpretative value as EDPB guidance. Moreover, SAs will not take into account the positions mentioned in the report in isolation – they will also take into account additional national requirements stemming from the national laws transposing the ePrivacy Directive and SAs’ national guidance.
Below we summarize the main points of the report:
- The law applicable to placing cookie banners and obtaining consent is the ePrivacy Directive, as transposed into national law by Member States. In contrast, the GDPR applies to the processing of personal data collected through cookies.
- The GDPR’s one-stop-shop mechanism – which is used when one data protection authority acts as a controller’s single point of contact in an investigation – applies to GDPR violations only. It does not apply to violations of the ePrivacy Directive.
- The cookie banner’s first layer should have a button allowing users to reject all cookies. (However, the report indicates that this is the position of the “majority” of SAs, but not of all SAs.)
- Cookie banners should not include pre-selected buttons and should avoid nudging or forcing users to accept cookies (so-called “dark patterns”). Cookie banners should also not make it more difficult for users to reject cookies than to accept them by displaying deceptive “reject” buttons. The Taskforce does not set out specific criteria for identifying “dark patterns”; instead, SAs will need to assess each cookie banner on a case-by-case basis, taking into account its color and the format of its buttons.
- Users should receive clear and easily understandable information about: (i) the cookies used; (ii) the purposes of these cookies; and (iii) the means to consent and/or reject these cookies. Users who consent to the placement of cookies should be able to withdraw that consent at any time. It should be as easy to withdraw consent as it is to give it.
The report recommends that companies verify whether their cookie policies and banners comply with the ePrivacy Directive, as transposed into Member State laws. Recent fines imposed by some authorities, such as the French CNIL, Spanish AEPD, and Irish DPC, demonstrate they are actively enforcing compliance with the EU’s cookie rules (as we have previously discussed here).
Kristof Van Quathem is Of Counsel, Anna Oberschelp de Meneses is an Associate, and Diane Valat is a Trainee at Covington & Burling LLP. This post first appeared on the firm’s data privacy and cybersecurity blog, Inside Privacy.