The rules for being allowed to store and retrieve cookies are laid down in European and national laws and regulations. The rules specifically for cookies are based on the European ePrivacy Directive, which has been implemented in the Netherlands in the Dutch Telecommunications Act (art. 11.7a). The rules concerning the processing of personal data – which also apply to the use of cookies if personal data are processed – are laid down at European level in the General Data Protection Regulation (“GDPR”). The basis for cookie legislation in Europe is therefore the same everywhere. However, there may be national differences in how the specific cookie legislation is implemented. Moreover, we see differences in how national courts and regulators interpret cookie provisions. To eliminate these differences where possible, the European regulators also regularly consider privacy issues together, including in this case the practical application of the cookie rules.
Cookie banners and Google Analytics
On January 18, 2023, the European Data Protection Board (EDPB), in which all national member states’ regulators are represented, published a draft report containing the preliminary conclusions of the Cookie Banner Taskforce (“Taskforce”). The Taskforce was formed in response to a hundred or so complaints about the design and features of cookie banners filed by None Of Your Business (noyb), a non-governmental organization founded by privacy activist Maximilian Schrems. The report describes cookie banner practices the regulators observed that do not comply with privacy rules. The privacy-friendliness of Google Analytics has also been examined, again after a complaint filed by noyb. In this blog, we discuss what you need to know about the Cookie Banner Taskforce draft report and the examination of Google Analytics.
Infringing practices in cookie banners
Under European privacy laws and regulations, a data subject must be informed about the storage of cookies. In addition, consent must be sought for storing certain cookies. This is done by means of a cookie banner. The European authorities each have different interpretations of the relevant laws and regulations. There are additional national requirements arising from national legislation and guidance from national competent authorities that must also be taken into account. For example, in the Netherlands, if analytical cookies hardly infringe on a website visitor’s privacy, consent does not need to be sought before they can be stored. This may be different in other European countries. The report provides a minimum threshold for assessing the use of cookies and the subsequent processing of the collected data.
The draft report addresses specific practices related to cookie banners that have been brought to the attention of national regulators. These practices appear to affect the validity of consent provided.
- Refusal button
A large majority of the Taskforce felt that the lack of an option to decline, reject or not consent in the first layer of the cookie banner is inconsistent with the requirements for valid consent.
- Pre-ticked boxes
In line with the Planet49 ruling of the Court of Justice of the European Union, the Taskforce confirms that pre-ticked boxes do not lead to valid consent as referred to in the GDPR and the ePrivacy Regulation. Recital 32 of the GDPR also explicitly mentions this: “Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
- Suggesting that consent is necessary or inducing consent
Consent is valid only if it is clear to the user what and how consent is being given. The website owner must not design the cookie banner to make it appear that consent is required or that consent must be given in order to access website content. In addition, the user must not be encouraged to give consent.
- Misleading colors and contrast buttons
The Taskforce believes that misleading colors and contrasts should not be used for consent and refusal buttons. This could in fact lead to unintended and therefore invalid consent.
- Legitimate interest
The Taskforce noted that the legal basis “legitimate interest” is more often relied on for the further processing of personal data, even when no such interest exists. When it is mandatory under the ePrivacy Directive (i.e., in the Netherlands, Article 11.7a of the Telecommunications Act) to ask for consent (and an exception such as for functional cookies cannot be invoked), then actual consent must be requested. Legitimate interest cannot then be invoked. Moreover, if valid consent is not obtained for the placement of cookies where it is required, further processing of that personal data may also not be in line with the GDPR.
- Essential cookies
According to the Taskforce, cookies are sometimes classified as essential cookies, while they are not essential cookies. At the European level, it is too difficult to draw up a list of which cookies are essential and which are not, because the characteristics of cookies change regularly. The Taskforce does confirm that cookies used to track a user’s cookie preferences are considered essential.
- Insufficient ability to withdraw consent
The Taskforce believes that website owners should also offer a permanent option for users to withdraw their previously given consent.
Google Analytics
Another update on cookies is that the use of Google Analytics may not be allowed in the future, according to the Dutch data protection authority. Several European regulators investigated Google Analytics following, again, complaints from noyb. Meanwhile, the Austrian, French and Norwegian authorities, among others, have stated that Google Analytics cannot be used lawfully. The Dutch data protection authority previously stated that the Google Analytics tool could be set up in a privacy-friendly way. However, the Dutch data protection authority has since conducted an investigation into the privacy-friendliness of Google Analytics. Although this investigation has now been completed and the Dutch data protection authority expected to be able to say during 2022 whether the use of Google Analytics is allowed or not, that deadline has now long since passed. It is not clear when more will be communicated about this, but it is wise to already review the use of Google Analytics within your company.
Update on cookies
The list of practices mentioned above is not exhaustive. Besides the fact that asking permission to place cookies must comply with the relevant laws and regulations, local authorities also each look at the rules in their own way. This means that different rules may apply in each country. So always make sure that a cookie banner complies with the rules of the country in which permission is being sought.
Want to know more about cookie banners? Contact one of our experts.
* Thanks to Quinten Salari