The EDPB commissioned a task force, consisting of several supervisory authorities, in response to complaints raised by NOYB, the non-profit privacy organisation, about how cookie banners operate.
Some of the report confirms what one might consider to be well established positions, but the comments on the grey areas are certainly of interest!
No reject button on the first layer of the banner: The vast majority of supervisory authorities considered that the absence of refuse/reject/no consent options on any layer of the banner with a consent button is not in line with the requirements for valid consent and thus constitutes an infringement.
Pre-ticked boxes: The supervisory authorities confirmed that pre-ticked boxes do not lead to valid consent under GDPR.
Using a link rather than a button for the rejection of cookies: The supervisory authorities considered that refusal links embedded in paragraphs of text would not be valid in the absence of sufficient attempts to attract the user’s attention to them. The same applies where the refusal link is outside the cookie banner and insufficient attempts are made to draw the user’s attention to it.
Deceptive button colours and deceptive button contrast: The supervisory authorities considered that a general standard concerning colour and/or contrast could not be imposed on controllers. In order to assess the conformity of a banner, a case-by-case approach must be taken to check that the contrast and colours used are not obviously misleading for the users and do not result in an unintended and, as such, invalid consent.
Use of legitimate interests: The supervisory authorities considered that the use of legitimate interests as the basis for non-essential cookies is non-compliant and that, therefore, any further processing of information collected in this way will also be non-compliant.
Inaccurately classified essential cookies: Incorrectly classifying optional cookies as essential is not permitted. However, the authorities had sympathy with the fact that there are practical difficulties in trying to establish whether cookies are essential or not, and that the tools available often do not allow a controller to check the nature of a cookie.
No “withdraw consent” icon: The absence of a permanent icon on a website via which you can withdraw consent to cookies at any time is not fatal; a case-by-case consideration of the ease with which consent can be withdrawn is needed.