EU to Use ePrivacy and GDPR to Tackle Illegal Cookie Walls
Since cookie walls are still a major problem, a European Cookie Banner Taskforce was assembled back in 2021. Its first report was just published and, while it does a good job of listing the major problems with cookie banners, it falls short of issuing clear recommendations for what needs to be done.
Cookie Walls Refuse to Go Away Despite Legislation
In October 2020, the French data protection authority, CNIL, also noted (original in French) that the GDPR had an important impact on the regulation of cookies hitherto covered by the ePrivacy Regulation, and that CNIL was therefore updating its recommendations on the topic.
Some companies are clearly trying everything to make privacy a hassle for users, when they have a duty to make it as simple as possible. Almost all situations in which users are confronted with data protection are designed by companies. They often deliberately make the designs of privacy settings a nightmare, but at the same time blame the GDPR for it. This narrative is repeated on hundreds of pages, so users start to think that these crazy banners are required by law.
Cookie Banners Are Too Complicated
Research by noyb.eu found that, of the 500 sites where a complaint was issued, 81% did not offer a “reject” option on the initial page at all. Users had to dive into sub-menus to find a hidden “reject” option. A further 73% used deceptive colors and contrasts to lead users to click the “accept” option. A total of 90% did not provide a way to withdraw consent easily.
In addition to quantifying the scale of the problem, Schrems’ research and warning letters had an important knock-on consequence. CNIL explained in a 2023 press release that they spurred the EU data protection authorities to take coordinated action through the supervisory European Data Protection Board (EDPB). That is not such an obvious move as it might appear:
a task force bringing together all voluntary European data protection authorities was created to collectively analyze the various issues raised by these complaints, even though the cooperation mechanism provided for by the GDPR (the “one-stop shop” mechanism) does not apply to the reading and/or writing of information in users’ terminals [as is the case with cookies].
Indeed, even if the storage of cookies and other tracking devices is specifically covered by the ePrivacy Directive (Article 5(3) – transposed into the French Data Protection Act in Article 82), the EDPB considered that the number of complaints and countries concerned, as well as the importance of the subject for the protection of Internet users’ privacy, justified a certain coordination at European level.
That is, while the GDPR had explicitly created a “one-stop shop” mechanism that allows a coordinated approach to data protection, the earlier ePrivacy Directive did not, and required national bodies to police this aspect independently. However, the importance of enforcing privacy when cookies were being used justified drawing up a European approach, which unified the interacting requirements of the ePrivacy Directive and the GDPR.
The Cookie Banner Taskforce Report
The report affirms that the relevant law is the ePrivacy Directive, but that “certain concepts from the GDPR (e.g. the conditions for valid consent and the right to information) are indispensable to assess whether there is an infringement of the national law transposing the ePrivacy Directive or not”.
It discusses specific aspects of cookie banners, including reject buttons, pre-ticked boxes, banner design, and icons for withdrawal of consent. It also touches on the intriguing area of “dark patterns” – aspects of the user interface designed to nudge or even trick users into doing things they might not otherwise choose to do, previously discussed on the PIA blog back in 2018.
Although it’s good news for privacy that the EDPB recognizes and enumerates the various problems of illegal cookie requests, it’s disappointing that its recommendations to combat them aren’t stronger and more clear-cut. The report concludes by noting that possibly abusive approaches must be judged on a “case-by-case” basis – which means we can expect plenty more complaints and rulings in this area.
Featured image created with Stable Diffusion.