04-26-2023 Article

Update Data Protection No. 139

EDPB Task Force – Report on the design of Cookie banners

The use of cookies and similar technologies (hereinafter collectively referred to as “Cookies”) has been a major challenge for providers of telemedia, such as websites and applications, for years. A key issue here concerns the legally compliant design of so-called Cookie banners, which the providers use to request consent for the use of Cookies that require consent.

At least in Germany, one reason for this was the legal situation regarding the implementation of the relevant provisions of the ePrivacy Directive, which had been the subject of dispute for years. The German legislature reacted to this last year with the introduction of the new Sec. 25 German Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, "TTDSG"). Even if the introduction of this regulation has eliminated various uncertainties, in practice, there are still many open questions in connection with the legally compliant design of Cookie banners, for example, whether an option to reject Cookies that require consent – for example in the form of a “Reject all cookies” button – must be presented and how the reject option must be designed without inadmissibly influencing the behavior of the user.

At the same time, the NGO “NOYB”, founded by data protection activist Max Schrems, has warned several hundred telemedia providers across Europe over the past few years about the alleged illegal use of Cookies and filed corresponding complaints with the data protection supervisory authorities. The focus of these warnings and complaints was above all the design of the Cookie banners used by the respective providers, which was impermissible in NOYB’s opinion. The data protection supervisory authorities in Germany have so far not reacted to these complaints, or at least only very cautiously. However, after the German Data Protection Conference (Datenschutzkonferenz, “DSK”) published a current version of the Guideline for Providers of Telemedia [Orientierungshilfe für Anbieter von Telemedien] at the end of last year, which contains various information on the design of Cookie banners (available here in German; see also our Data Protection Update No. 93, available here), the German data protection supervisory authorities are now taking an increasing role in dealing with these complaints.

But this does not only apply at the German level. The European Data Protection Board (“EDPB”) has also responded to NOYB’s complaints in various Member States and set up a Task Force, which is comprised of members of the individual data protection supervisory authorities and deals with the legally compliant design of Cookie banners in the individual Member States. The Task Force has consolidated the individual positions of the various Members in its report (available here).

Results of the Task Force

In terms of content, the report by the Task Force deals with various issues relating to the design of Cookie banners and is obviously based on NOYB’s individual complaints. 

Essentially, the results of the Task Force can be summarized as follows:
 

  • Clear active action to give consent: First of all, the Task Force emphasizes that Cookies that require consent may only be used on the basis of clear consent given through active action. Cookies requiring consent must therefore be deactivated by default and may only be set after such active consent has been given.
  • Providing an option to reject Cookies that require consent: The majority of Task Force members demand that there must also be a corresponding opt-out option at the same level at which users can give their consent to the use of Cookies that require consent. If there is a consent button on the first level of a Cookie banner, there must also be an option to reject – at least according to the majority of Task Force members. At the same time, the Task Force emphasizes that some members do not necessarily require such a reject option, since the ePrivacy Directive does not expressly provide for a corresponding function for rejecting Cookies. Unfortunately, the report also does not contain any clear indications as to how such a reject option should be specifically designed. On the basis of the further statements of the Task Force itself, however, it can be seen that various configuration options can apparently be considered. Examples include a “Reject” button or a “Reject” text link. The prerequisite, however, is that both of the above options are clearly recognizable and not hidden (see below). 
  • No preselected checkboxes: According to the uniform view of the Task Force, checkboxes that enable consent to the use of Cookies that require consent must not be preselected (so-called “pre-ticked boxes”). Such pre-ticked boxes are impermissible on the basis of Recital 32 GDPR, because that recital makes it clear that inaction regarding boxes that have already been ticked does not constitute valid consent and is therefore not sufficient.
  • No misleading link design: In some cases, instead of an explicitly recognizable “Reject” button, Cookie banners only have embedded text links via which the user can refuse consent (e.g. with the designation “Reject” or “Continue without consent”). In the opinion of the Task Force, the use of such embedded text links is impermissible if they are not sufficiently recognizable for users. It is also impermissible for such a text link to be placed outside of the Cookie banner without the user being made sufficiently aware of this link. Accordingly, embedded text links, if they are used, should always be given sufficient visual emphasis according to the Task Force. This means that the use of such text links as an alternative to a “Reject” button is generally an option.
  • No misleading color scheme and contrast design: The Task Force emphasizes that no general specifications for the color scheme and contrast design of a Cookie banner can be imposed on providers of telemedia and that, instead, an examination in individual cases is always necessary. It is decisive in this respect that the selected colors and contrasts must not cause the user to give unintentional consent. The report is very generic at this point and contains few specific references. In any case, there is agreement on the part of the Task Force to the effect that if a button is provided to refuse consent, it must be designed in a way that is easy to read. A “Reject” button whose text and background are so similar in color that the text is unreadable is therefore impermissible. Care should therefore be taken to ensure that the “Reject” button is sufficiently perceptible to the user with regard to the color scheme and contrast design.
  • No reference to legitimate interest: The Task Force notes that the use of Cookies is based exclusively on the ePrivacy Directive or the respective national regulation, while the subsequent processing of personal data is subject to the GDPR. According to the statements of the Task Force, the use of Cookies requiring consent therefore cannot be based on a legitimate interest pursuant to Art. 6 (1) (f) GDPR. If the requirements of the ePrivacy Directive for the use of Cookies requiring consent are not met, it follows that subsequent processing is also not in line with the GDPR. In this respect, too, a legitimate interest is excluded as a legal basis.
  • Correct categorization of “essential” or “strictly necessary” Cookies: Another point concerns the often incorrect categorization of Cookies. For example, Cookies are incorrectly classified as essential or absolutely necessary, although these are Cookies that require consent. To this end, the Task Force states that providers must be able to provide the supervisory authorities with a list of all Cookies upon request and to document which of the Cookies used are actually essential or absolutely necessary. 
  • Easy way to revoke consent: According to the results of the Task Force, all members agree that providers of telemedia must provide their users with easily accessible solutions through which they can revoke their consent at any time. The Task Force emphasizes that it is always necessary to check the specific solution used in each case. The decisive factor here is that the revocation must be just as easy as the granting of the consent. Accordingly, the Task Force recommends that a permanently visible symbol or a link placed in a visible and standardized place be provided, via which the user can access an appropriate revocation solution. 

Outlook and recommendations for action

The report of the Task Force contains some valuable advice and recommendations on various issues that arise when designing Cookie banners. At the same time, the report also leaves many points open and refers to the interpretation by the respective national supervisory authority. This is understandable insofar as the Member States have implemented the requirements of the ePrivacy Directive differently in some cases.

It is also striking that the Task Force does not arrive at a uniform solution on all points, but that the individual Task Force members sometimes have different opinions. This relates specifically to the question of whether and in what form a “Reject” option must be provided. Unfortunately, the report does not contain any further information on which members specifically put forth which point of view. This means that even if the information in the report is followed, there is no absolute legal certainty, because it always depends on the specifications of the national supervisory authorities, which in cases of doubt can deviate from the results of the Task Force.

As already mentioned at the beginning, the entire topic of designing Cookie banners is still on the radar of the supervisory authorities and increasing activity can be perceived, especially in Germany. With regard to the design of the Cookie banners they use, providers of telemedia in Germany should therefore not only check the instructions of the Task Force in the report in question, but also the specifications of the DSK in the Guideline already mentioned. 
