European Data Protection Board issues guidance on the use of cookies

A European Data Protection Board (EDPB) task force has issued guidance regarding the use of cookies, particularly cookie consent banners. Even though the guidance doesn't have the force of law, companies should consider the guidance to be influential on European regulators when considering enforcement actions. 

First, the EDPB pointed out that the placement of cookies is regulated by the ePrivacy Directive, however, the actual reading and use of the information in the cookies falls under the purview of the GDPR. 

Next, the task force pointed out the following practices related to the use of cookie consent banners:

• No single "reject" button. A majority of the task force considered the absence of a single refuse/reject/no consent button along side an "accept all" button as not in line with the requirements for valid consent and therefore an infringement.
• Pre-ticked boxes. Pre-ticked boxes are not considered valid consent under the ePrivacy Directive or the GDPR.
• Use of links on the cookie consent banner. While the task force members did not reject the use of links on a cookie consent banner that takes the user to another page (as opposed to a button), they did agree that there should be a clear indication of what the banner is about, and the purpose of the consent it is asking for. 
• Deceptive button colors/contrast. The task force objected to the use of "accept all" buttons without a corresponding "reject all," as it may lead to a data subject believing there is no possibility to object to the placement of cookies. The task force members also agreed that, while they are unable to define a standard color/contrast, the contrast and colors used on a cookie consent banner must be analyzed on a case-by-case basis to make sure it is not misleading to data subjects and that "accept all" type buttons are not emphasized over "reject all" and other options.
• Overuse of "legitimate interests" as a lawful basis for processing. The task force objected to the implication in the second level of some cookie banners that some uses of the cookies were based on legitimate interests, when legitimate interests could not support the uses of the cookie (for example, to "create personalized content profile" or "select personalized ads"). The task force pointed out that the initial placement of the cookies must be in compliance with the ePrivacy Directive (consent required to place all non-essential cookies) and, only if that is satisfied, could legitimate interests be used for the processing of those cookies under the GDPR.
• Inaccurately classified essential cookies. The task force noted that a number of reviewed websites incorrectly labeled some cookies as "strictly necessary" within the meaning of the ePrivacy Directive. While the task force recognized that correct characterization may bring up some practical difficulties (especially due to changing features of some cookies), the task force recommended that controllers that operate websites should review the WP29 Opinion 04/2012 on Cookie Consent Exemption.
• No "withdraw" icon. The task force pointed out that three conditions are necessary for consent to be valid under the GDPR and the ePrivacy Directive: (1) the possibility to withdraw consent; (2) the ability to withdraw consent at any time; and (3) withdrawal of consent must be as easy as to give consent. The task force recommended that website owners provide an easily accessible solution for users to withdraw their consent to cookies.