
The Cookie Banner Task Force – the latest EU watchful eye on the web’s cookie jar

Cookies – desserts or tracking technologies? Let’s leave the sweets for later.

What are the rules that need to be considered when analyzing a “cookie banner” or cookies in general? Various European guidelines have tried to answer this question over time, but it seems that a unified answer has not been found so far. When discussing cookies, many questions arise, such as:

“Can cookies be placed on a website without consent?”;
 “Are cookie rules followed in practice?”;
 “Are there any exemptions when consent is not required?”;
 “Can consent be obtained without a user ticking ‘accept’ (i.e., scrolling down is equivalent to consent)?”;
 “Can cookie walls be used without restrictions?”;
 “Are there local regulators which currently enforce decisions against breaches of cookie rules?” and so on.

These questions and the lack of answers to them highlight the need for harmonization of cookie practices at the European level.

Cookies, as they are partially defined by Directive no. 2002/58/EC[1] (the “ePrivacy Directive”), are “legitimate and useful tools, for example, in analyzing the effectiveness of website design and advertising, and in verifying the identity of users engaged in online transactions”. In other words, as the Information Commissioner’s Office (“ICO”) has also defined them, cookies “are small pieces of information, normally consisting of just letters and numbers, which online services provide when users visit them”[2]. Websites use them to monitor users’ online behaviour and remember certain information about them (i.e., user’s data, browsing activity’s data, user’s IP address, user’s geographic location). Commonly, when a user accesses a website, cookies are announced through a notification (designed as a “cookie banner”) informing users that the webpage is using cookies to track their online actions and asking them to agree to let it happen; the notification is usually accompanied by the “invitation” to read the “Cookie Policy” (which, to be honest, many of us don’t do).

Problems, however, occur when cookie banners appear as “deceptive designs” and “dark patterns”, as the non-profit organization None of Your Business (“NOYB”) described them. In a nutshell, this means that most of the cookie banners displayed on different websites do not contain the “withdrawal option” for tracking and most of them contain “pre-ticked boxes”, thereby violating the provisions of Regulation (EU) 2016/679 (“GDPR”) related to consent and its conditions of validity. Given the foregoing, on 10 August 2021, NOYB announced that it had filed 422 formal GDPR complaints with ten data protection authorities on cookie banners[3]. That was just the beginning.

The Cookie Banner Taskforce – the eye that will watch over

On 27 September 2021, the European Data Protection Board (the “EDPB”) announced that it had established a task force to coordinate the response to complaints filed with several EU data protection authorities (“DPAs”) by NOYB about cookie banners. The task force is established under Art. 70 (1) letter u) of GDPR[4] and aims to promote cooperation, information sharing, and best practices between the DPAs to address the issues related to cookie banners. In particular, the task force will (i) exchange views on legal analysis and possible infringements; (ii) provide support to activities on the national level; and (iii) streamline communication between DPAs. So far, there is no more public information on how this task force will be regulated, its attributions, and what sanctions might apply. Still, one thing is crystal clear: creating the task force is an essential step in changing the practices regarding cookie banners at the EU level.

Let’s see how it goes in practice by quickly reviewing some EU practices related to cookies.

► To consent or not to consent?

In France or Italy, cookies cannot be placed on a website without consent. For example, the French Data Protection Act[5] establishes the principle of the user’s prior consent before storing information on their terminal or accessing information already stored on it (except if these actions are strictly necessary for the provision of an online communication service expressly requested by the user – the so-called “strictly necessary cookies”). Thus, the French Data Protection Authority (“CNIL”) considers that the consent must be freely given, specific, informed, and unambiguous, and the user must be able to withdraw it at any time. Meanwhile, the Italian DPA distinguishes cookies into three major groups: (i) technical cookies (i.e., used exclusively for carrying out the transmission on an electronic communications network); (ii) profiling cookies (i.e., used to send ad messages in line with the preferences shown by the user during web browsing); (iii) third-party cookies (i.e., cookies installed by social networks), and considers that consent is necessary only for two categories of cookies, namely profiling cookies and third-party analytics cookies.

► Cookie rules in practice

As regards compliance with the rules for cookies in practice, in France, since the end of 2020, CNIL has carried out online investigations and has imposed several fines for violations of cookie rules. According to the most recent press release from 14 December 2021, CNIL has continued its online research to identify possible breaches concerning cookies. The investigations revealed that several organizations still do not allow users to refuse cookies as easily as to accept them. Even though cookie banners offer the user a means of refusing cookies as easily as accepting them, CNIL concludes that the proposed mechanism is not effective because cookies subject to consent are still deposited after the refusal expressed by the user. While CNIL has imposed fines for non-compliance with cookie rules, the Italian DPA is proactively watching the application of rules in practice. Still, so far, it has not adopted sanctioning measures concerning cookies.

► When consent is not required

In both France and Italy there are exceptional situations in which consent for cookies is not required. Both DPAs consider that consent is not necessary for technical cookies (as the Italian DPA calls them) and for cookies that are strictly necessary for the provision of an online communication service expressly requested by the user (i.e., cookies that track the traffic to a website, those which save the shopping cart when online shopping, or cookies that allow users to access secure areas of a website through logging in), as the French DPA calls them.

► Scrolling down is not consent

No! Scrolling down is not equivalent to consent. Neither CNIL nor the Italian DPA agrees with this approach. The Italian DPA considers that scrolling down cannot be considered “freely given consent” and that consent can be legitimately collected only through the implementation, by design, of an unequivocal and informed choice by the user, which is at the same time recordable and therefore documentable. According to the CNIL, continuing to browse on a website can no longer be considered a valid expression of the user’s consent to the deposit of cookies. In the absence of consent expressed by explicit positive action, the user must be considered to have refused it.

► Cookie walls – legal or not?

First of all, let’s see what a cookie wall is. A cookie wall is like a “take it or leave it” scenario that a website sets up for users to ensure that all cookies and trackers are activated and to get as much data as possible, even if it is against the user’s wishes. Regarding the design, a cookie wall generally looks like a particular variation of the cookie banner, leaving no real option for the user to select or de-select specific categories of cookies (i.e., marketing cookies). However, according to the European Data Protection Board’s Guidelines on consent under GDPR[6], consent can be considered freely given when access to services and functionalities of an online service is not conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (the so-called cookie walls). Thus, EDPB states that since the data subject is not presented with a genuine choice, their consent is not freely given, so “consent granularity” is the best option.

Cookie walls are not accepted in Italy, while in France this option is possible, although CNIL initially declared the practice of cookie walls illegal in its Guidelines, issued in 2019. Following the Decision issued by the French Highest Administrative Court[7], the CNIL reviewed its Guidelines issued in 2020 and declared that it would determine on a case-by-case basis whether consent from individuals is freely given and whether a cookie wall is lawful or not.

► Local regulators – are they proactive or not?

So and so. A recent development is the decision published on 2 February 2022 by the Belgian DPA concerning the violation of the GDPR’s provisions by the Interactive Advertising Bureau Europe (IAB) in connection with the Transparency & Consent Framework (TCF), a tool used to record individuals’ online ad preferences (the so-called “cookie tool”). The decision establishes that cookies cannot be based on the user’s legitimate interest. As a result of this decision, many websites that used the TCF tool must rethink how to use cookies to be compliant with the GDPR’s provisions.

Although there are new trends regarding EU DPAs’ interpretation in this area, CNIL remains one of the most active regulators, keeping an eye on cookie issues. In Italy, this situation is not present.

The above are just a few examples of expressly regulated “European cookie rules”. To date, the Romanian DPA has not issued any decision regarding its opinion on cookie rules and has not applied per se sanctions related to cookie issues. However, as can be observed from the above, it is clear that there is a need for European harmonization regarding this matter.

► The (impact and utility of) Cookie Banner Task Force – we still have to wait for it

Many DPAs have already issued guidelines on using “dark patterns” in cookie banners, but they often only discuss specific types of dark patterns and stay silent on others. The cookie banner task force seems to be the rescue solution regarding the issues related to cookie banners at the European level. Even though the task force is not regulated so far, how it will act and exercise its duties is a topic of interest worth pursuing in the future (but we still have to wait for it).

 

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32002L0058&from=EN

[2] https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/what-are-cookies-and-similar-technologies/#cookies1

[3] https://noyb.eu/en/noyb-files-422-formal-gdpr-complaints-nerve-wrecking-cookie-banners

[4] Art. 70 (Tasks of the Boards) of GDPR: “1. The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular: (…) letter u) promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities.”

[5] In particular Article 82 which transposes Article 5 para. (3) of Directive 2002/58/EC (Directive on privacy and electronic communications). The Data Protection Act can be consulted at the following link: https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2021-09-10/

[6] As it is stated in the Guidelines of October 2020, which can be consulted here: https://www.cnil.fr/fr/cookies-et-autres-traceurs-la-cnil-publie-des-lignes-directrices-modificatives-et-sa-recommandation; and according to the provisions contained by “Guidelines about the consent” of 10th April 2018 issued by EDPB which can be consulted here: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf

[7] The Decision from the French Council of State of 19th June 2020, which can be consulted here: https://www.cnil.fr/sites/default/files/atoms/files/council-of-state-decision-google-2020-06-19_en_0.pdf
