EU to Use ePrivacy and GDPR to Tackle Illegal Cookie Walls

Posted on Jan 31, 2023 by Glyn Moody

One of the biggest criticisms of the EU’s General Data Protection Regulation (GDPR) is that it has led to a plague of annoying pop-ups and Web pages requesting permission to use cookies to track online activities.

What many people fail to appreciate is that sites often make such requests annoying on purpose, so that visitors accept quickly, without looking at the details, just to get past them. Many of these so-called “cookie walls” are illegal under the ePrivacy Directive from 2002, which was drafted to address the growing problems caused by the use of cookies 20 years ago.

Since cookie walls are still a major problem, a European Cookie Banner Taskforce was assembled back in 2021. Its first report was just published and, while it does a good job of listing the major problems with cookie banners, it falls short of issuing clear recommendations for what needs to be done.

Cookie Walls Refuse to Go Away Despite Legislation

A number of rulings against the abusive use of cookies have been made in recent years. For example, as we reported back in 2019, the Court of Justice of the European Union, the EU’s top court, issued a judgment that using pre-ticked checkboxes for cookie consent was not valid. The Court’s press release on the case explained that this was made under the ePrivacy Directive, but “read in conjunction” with the GDPR – an indication of their interlocking nature.

In October 2020, the French data protection authority, CNIL, also noted (original in French) that the GDPR had an important impact on the regulation of cookies hitherto covered by the ePrivacy Regulation, and that CNIL was therefore updating its recommendations on the topic as a result.

A couple of months later, CNIL fined Google and Amazon 100 million euros and 35 million euros respectively for their cookie practices, which, according to CNIL, were not compliant with EU law. In April 2021, CNIL initiated “online investigations to identify possible breaches in relation to cookies”, which found that a number of online sites did not make it equally easy to accept or refuse cookies – a key requirement. As a result, CNIL sent formal notices to 20 organizations ordering them to comply with cookie requirements.

The French data protection authority has been in the vanguard of work to make online sites comply with EU privacy laws when they use cookies. But, in May 2021, those other great defenders of privacy, Max Schrems and his noyb.eu organization, joined the fray. As this blog reported, noyb.eu sent out over 500 draft complaints to companies, claiming that they were using unlawful cookies. Schrems said at the time:

Some companies are clearly trying everything to make privacy a hassle for users, when they have a duty to make it as simple as possible. Almost all situations in which users are confronted with data protection are designed by companies. They often deliberately make the designs of privacy settings a nightmare, but at the same time blame the GDPR for it. This narrative is repeated on hundreds of pages, so users start to think that these crazy banners are required by law.

Cookie Banners Are Too Complicated

Research by noyb.eu found that, of the 500 sites where a complaint was issued, 81% did not offer a “reject” option on the initial page at all. Users had to dive into sub-menus to find a hidden “reject” option. A further 73% used deceptive colors and contrasts to lead users to click the “accept” option. A total of 90% did not provide a way to withdraw consent easily.

In addition to quantifying the scale of the problem, Schrems’ research and warning letters had an important knock-on consequence. CNIL explained in a 2023 press release that they spurred the EU data protection authorities to take coordinated action through the supervisory European Data Protection Board (EDPB). That is not such an obvious move as it might appear:

a task force bringing together all voluntary European data protection authorities was created to collectively analyze the various issues raised by these complaints, even though the cooperation mechanism provided for by the GDPR (the “one-stop shop” mechanism) does not apply to the reading and/or writing of information in users’ terminals [as is the case with cookies].

Indeed, even if the storage of cookies and other tracking devices is specifically covered by the ePrivacy Directive (Article 5(3) – transposed into the French Data Protection Act in Article 82), the EDPB considered that the number of complaints and countries concerned, as well as the importance of the subject for the protection of Internet users’ privacy, justified a certain coordination at European level.

That is, while the GDPR had explicitly created a “one-stop shop” mechanism that allows a coordinated approach to data protection, the earlier ePrivacy Directive did not, and required national bodies to police this aspect independently. However, the importance of enforcing privacy when cookies were being used justified drawing up a European approach, which unified the interacting requirements of the ePrivacy Directive and the GDPR.

The Cookie Banner Taskforce Report

In September 2021, a “Cookie Banner Taskforce” was established to coordinate the continent’s response, and on 18 January 2023, the Taskforce issued a report on its work.

The report affirms that the relevant law is the ePrivacy Directive, but that “certain concepts from the GDPR (e.g. the conditions for valid consent and the right to information) are indispensable to assess whether there is an infringement of the national law transposing the ePrivacy Directive or not”.

It discusses specific aspects of cookie banners, including reject buttons, pre-ticked boxes, banner design, and icons for withdrawal of consent. It also touches on the intriguing area of “dark patterns” – aspects of the user interface designed to nudge or even trick users into doing things they might not otherwise choose to do – previously discussed on the PIA blog back in 2018.

Although it’s good news for privacy that the EDPB recognizes and enumerates the various problems of illegal cookie requests, it’s disappointing that its recommendations to combat them aren’t stronger and more clear-cut. The report concludes by noting that possibly abusive approaches must be judged on a “case-by-case” basis – which means we can expect plenty more complaints and rulings in this area.

Featured image created with Stable Diffusion.