Cookies, consent and banner compliance: What organisations need to know about the EDPB's new best practice guidance
All businesses, organisations and sole traders who own a website or app that uses cookies will want to revisit their cookie compliance following best practice guidance on the design and characteristics of cookie banners from the European Data Protection Board. Website designers and developers will also need to ensure that cookies can be identified and rejected as required by the EDPB.
Across the EU and EEA, 18 national Data Protection Authorities received over 700 complaints about cookie banners on websites, issued by the privacy campaign group NOYB between May 2021 and August 2022. A spate of enforcement action and fines for companies and organisations ensued.
During December 2021 and January 2022, three decisions from the European Data Protection Supervisor, the Austrian Data Protection Authority and France's DPA, CNIL, made it clear that, in their view, using Google Analytics and Google Fonts would be in violation of the GDPR because of the international transfer of data to the US. This was despite Google's use of intra-group Standard Contractual Clauses and its adoption of additional technical and organisational measures (such as encryption, pseudonymisation, and reports on the possibility of government access to data) to justify data export under the EU GDPR.
As a result, the European Data Protection Board (“EDPB”) formed a Task Force in September 2021 to delve deeper into the most common data protection complaints about cookies and similar technologies, in order to provide a harmonised approach to cookie banners, pre-agreed with the input of the national data supervisory authorities.
The resulting guidance sets out some clear “dos and don’ts” that many cookie banners and websites do not comply with. For example, a “reject all” button should be offered, and pre-ticked boxes should not be used in cookie preference centres. Cookie rejection buttons or links should not be hard to see, e.g. because of deceptive colouring or low contrast. Finally, cookies cannot be categorised as “essential” without justification.
Does this apply to UK websites?
The guidance is issued by the EDPB and has not been adopted by the ICO; it therefore does not extend to websites in the UK. Practically speaking, it is a rare business or organisation that expects only UK-based visitors to its website. Therefore, all website and app owners using cookies will want to align their cookie banners with the EDPB guidance.
Is EDPB Guidance legally binding?
No – it is not law, but it is something that the supervisory authorities in the EU will apply when considering GDPR compliance.
Will UK divergence from EU cookie practice be accelerated by the EU Retained Law Bill?
Only nine months ago the UK Government suggested that reform of the UK’s approach to cookies would provide for a less strict approach. This indicates that the UK is heading in the opposite direction to the EU, and certainly away from the EDPB’s approach.
The proposed approach to cookies in the Data Protection and Digital Information Bill included permitting cookies (and similar technologies) to be placed without consent on a website for a ‘small number’ of ‘non-intrusive’ purposes, including audience measurement cookies such as Google Analytics. It will be interesting to see whether the same approach is taken in the new bill, in light of the EDPB's new guidance.
In addition, the UK Government proposed moving to an “opt out” approach to cookies once Google and Microsoft had implemented new browser-based opt-outs and made them generally available.
Whilst the Data Protection and Digital Information Bill was withdrawn and we are waiting for its successor in the wake of the recent cabinet reshuffle, an accelerated avenue through which divergence may arrive is the EU Retained Law (Revocation and Reform) Bill.
The Privacy (Electronic Communications) Regulations 2003 (“PECR”), which govern direct marketing and cookie consent, are within the scope of the Bill and subject to its sunset clause. This means that unless extended, retained or reformed by Ministers, PECR will cease to apply on 31 December 2023.
It looks far more likely that PECR will be reformed, not least because the Government previously stated that it intended to align the maximum fine for breaching PECR with UK GDPR levels (from £500k to £17.5m or 4% of global turnover).