How to set up a cookie banner when you go to Europe. Legal advice

Our lawyer Arina Kostina described in an article on DOU the problematic issues of cookie banners that developers creating web products for the European Union should pay attention to. Liubov Mykyievych helped Arina research this issue.


First, let’s talk about the history of changes and innovations. This year, the European regulator (the European Data Protection Board, better known as the EDPB) finally published a report on acceptable cookie banners. Why finally? Because the regulator worked on the 8-page report, in which the working group members formulated which practices are acceptable and which ones could get businesses into trouble, for almost a year and a half. And now, the supervisory authorities are ready to implement these developments.

Why was the report on cookie banners published?

The root cause of the report on cookie banners is quite interesting. None of Your Business (NOYB), an organization known for its work in the field of privacy, randomly checked 10,000 of the most visited websites for the design and characteristics of cookie banners. This resulted in 700+ complaints to the supervisory authorities of EU member states, which the EDPB eventually directed to a single working group.

NOYB is an organization known for taking down not only cookie banners, but also the European Commission’s data transfer agreement with the US government. This fact is useful because it clearly answers the question, “Will anyone notice if we start working as usual?” Most likely, yes, they will.

Companies have repeatedly received significant fines for non-compliance with banner requirements. In 2019, the Spanish supervisory authority fined Vueling Airlines €30,000 for failing to give users the option to opt out of cookies, instead providing only general explanations of browser settings. In 2020, the same supervisory authority fined Twitter €30,000 for a banner that did not include instructions on how to manage cookie settings on the platform. In 2022, the French supervisory authority fined Google and Facebook €150 million and €60 million, respectively. Both fines were imposed for not making it as easy to opt out of cookies as it is to accept them on the websites google.fr, youtube.com, and facebook.com.

So, if your company does not want to budget for fines and litigation over cookie banners, we suggest you familiarize yourself with the minimum requirements agreed upon by the European regulator after NOYB flooded the supervisory authorities with complaints. Below, we will look at the main problem areas in banners — and how they should be configured.

1. “Reject” button on the banner: is it necessary or not?

When a banner contains an “accept” button, there must also be a “reject” button on the same “level” of the banner

EU laws require consent to be obtained for the use of cookies. This is precisely the purpose of cookie banners — to record consent. Consent is not required only if cookies are used to transmit data over the network or to support the functioning of the website. So it is not surprising that the first thing the regulator reminded us of was that no cookies that require user consent (analytics, marketing) but are installed without valid consent will be tolerated.

At the same time, the report noted differences among supervisory authorities regarding whether consent would be valid without a “reject” button on the cookie banner. Is it sufficient to have other buttons that allow users to access additional settings (e.g., “cookie settings”) where cookies can ultimately be rejected?

The “vast majority” of supervisory authorities have ruled that the “reject” button must be present on the banner at the same “level” as the “accept” button. Otherwise, there is no guarantee that it will be as easy for the user to refuse cookies as it is to accept them. Or the user may not even understand that cookies can be refused.

The report did not name the countries in the minority that do not consider the absence of a “decline” button to be a violation. There is no guarantee that their position will not change by the time the matter reaches you. Therefore, when entering the European market, we do not recommend playing roulette; rather, we recommend following the majority’s approach.

2. Pre-ticked boxes

Cookie banners must not contain buttons with pre-ticked options on behalf of the user

The regulator reminds that pre-ticked boxes do not constitute valid consent from the user for non-essential cookies. Behind this short sentence lies a mountain of established practice, including guidance from the EDPB and case law from the Court of Justice of the EU.

In particular, the Court emphasizes that consent can make data processing lawful provided that the individual has given their consent “unequivocally.” Only active action can satisfy the requirement of “unambiguity.” Otherwise, in practice, it is impossible to objectively determine whether the user actually gave consent by not unchecking the pre-selected box and whether this consent was informed. It is quite likely that the user did not read the information accompanying the pre-selected “checkbox” item, or even noticed this mark, before continuing to interact with the website.

3. Misleading links

Is a “reject” button really necessary? Isn’t a link to additional settings enough?

A link is sufficient, but only if it looks very similar to a button 🙂 In fact, the problem for the supervisory authorities is not with the button or the link, but with making it clear to the user that they have the option to refuse non-essential cookies. Therefore, there are fewer complaints about the button, as everything seems to be clear with it. However, links to additional settings can be deliberately misleading: here is the choice, and here it is gone.

In particular, the working group reached this conclusion after considering examples of banners challenged by NOYB. These are examples of either a direct link to rejection hidden somewhere in the banner text or links to options other than “accept” placed outside the banner.

Ultimately, the report states that website owners can still display the option to reject cookies via a “link.” However, this is only if it draws the user’s attention to the alternative option and is clearly displayed on the banner (preferably on the banner itself, rather than anywhere on the page).

4. Button colors and contrasts

Playing with colors: continuing the theme of “misleading”

The report notes that certain button colors and their contrasts on the banner can make the “accept all” button more visible and “attractive.” This is not allowed.

It also states that it is impossible to create a single generalized standard for banners in terms of color and contrast. Therefore, the EDPB agreed that supervisory authorities will assess each banner separately to determine whether the colors and contrast chosen are misleading. Misleading, here, means that the design effectively leaves the user no real option to refuse non-essential cookies; consent obtained in this way would be unintentional and therefore invalid.

The working group members were able to identify a single situation in which there would definitely be a violation. This is the case when only the text of the “accept” button is legible, while the buttons with any other options have minimal contrast between the text and the background. Thus, the banner clearly misleads users.

This approach by the EDPB leaves designers with considerable leeway. The main thing is that the text on all banner buttons is clear and understandable at first glance. We also recommend not using different contrasting colors for the “accept” and “reject” buttons. It is better to make them the same color so that they do not differ from each other.

5. Legitimate interest

Legitimate interest is not a basis for using cookies

The EDPB was somewhat surprised by the creative approaches to using “legitimate interest” as a basis for setting cookies and further processing the data obtained.

The working group generally reminded that the installation of non-essential cookies requires consent. Referring to legitimate interest as the legal basis for using cookies is not correct. In addition, if the data is initially collected without consent, any further processing of it will not comply with the requirements of the GDPR.

Even if the data is collected correctly, the report clarifies that the website owner cannot rely on legitimate interest as a basis for further processing of data for the purpose of “creating personalized profiles” or “selecting personalized advertising.” In such cases, according to the EDPB, there is no legitimate interest that would outweigh the rights of users.

However, the working group cautiously noted that the discussion may be reopened and each case will be considered individually. For now, it seems that the chances of “legitimate interests” being accepted as a basis for processing analytics or marketing data are rapidly diminishing.

6. Incorrect classification

It is prohibited to indicate as necessary cookies that actually have a different purpose

The requirement seems simple, but there is one caveat. As the EDPB notes, even after determining which cookies are necessary, it is difficult to keep the list up to date because, in practice, cookie characteristics can change frequently.

The authors of the report point out that although there are various tools for analyzing cookies, they are not necessarily capable of correctly classifying and verifying their purpose. Usually, such tools are only good at compiling a list. Therefore, although supervisory authorities will use these third-party services for verification, they will expect the website owner to provide a more up-to-date list and classification assessment upon request. So it is worth having these documents ready.

Finally, the EDPB provides a brief hint and links to the WP29 Opinion from 2012. This document explains the criteria for assessing the “necessity” of cookies. In particular, it states that necessary cookies are those that allow website owners to store user preferences for a service.

7. Easy way to withdraw consent

Withdrawing consent should be as easy as giving it.

Website owners must create an easily accessible option for users to withdraw their consent at any time. For example, it is suggested to do this using a floating button or a permanently visible icon that returns to the “cookie settings” section.

At the same time, the authors of the report do not force website owners to make any specific decision. So you can provide the option to withdraw consent in whatever way your web developers find most suitable. Each case will be analyzed separately by the supervisory authorities.
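As an added example (not code from the article, and not any vendor's consent library), the following JavaScript encodes points 1, 2, 5, 6 and 7 above as a small consent gate plus a static check of a banner description. The cookie names, purposes and banner fields are assumptions made up for the illustration.

```javascript
// Constructed example, not code from the article or from any consent-management vendor.
// Cookie names and purposes below are made up to illustrate the EDPB points.
const COOKIE_REGISTRY = {           // keep this list current: purposes change (point 6)
  session_id: { purpose: "essential" },
  _ga:        { purpose: "analytics" },
  ad_profile: { purpose: "marketing" },
};

// Fresh consent record: nothing pre-ticked, no category on until the user acts (point 2).
function createConsent() { return { decided: false, analytics: false, marketing: false }; }

// Record an explicit choice: "accept_all", "reject_all", or an object with per-category flags.
function recordChoice(consent, choice) {
  const next = { ...consent, decided: true };
  const all = choice === "accept_all";
  next.analytics = all || (choice !== "reject_all" && choice.analytics === true);
  next.marketing = all || (choice !== "reject_all" && choice.marketing === true);
  return next;
}

// Withdrawal is a single action that returns to the undecided state (point 7).
function withdrawConsent() { return createConsent(); }

// Gate: essential cookies always pass; anything else needs a recorded, affirmative choice.
// There is deliberately no "legitimate interest" fallback (point 5); unknown names are blocked.
function mayStoreCookie(consent, name) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return false;
  if (entry.purpose === "essential") return true;
  return consent.decided && consent[entry.purpose] === true;
}

// Static audit of a banner description against the report's clearest rules (points 1, 2, 3, 6).
function auditBanner(banner) {
  const findings = [];
  const actions = banner.buttons.map((b) => b.action);
  if (actions.includes("accept_all") && !actions.includes("reject_all"))
    findings.push("accept button without a reject button on the same level");
  for (const t of banner.toggles || [])
    if (t.purpose !== "essential" && t.checked) findings.push(`pre-ticked toggle: ${t.purpose}`);
  if (banner.rejectLink && banner.rejectLink.location !== "banner")
    findings.push("reject link placed outside the banner");
  for (const [name, d] of Object.entries(banner.declared || {})) {
    const real = COOKIE_REGISTRY[name];
    if (d.purpose === "essential" && real && real.purpose !== "essential")
      findings.push(`${name} declared essential but its purpose is ${real.purpose}`);
  }
  return findings;
}
```

Wire `mayStoreCookie` in front of every call that sets a non-essential cookie, and run `auditBanner` over the banner configuration in CI so a regression (a dropped reject button, a pre-checked toggle) fails the build rather than reaching a supervisory authority.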

A look into the future

To quote the classics, “not everyone can see tomorrow today.” But we will try.

The consolidated document with conclusions on key controversial issues has clarified some issues and slightly reduced uncertainty and confusion about which methods to use in cookie banners.

However, as the European regulator emphasized, although the report’s proposals are useful, they may be insufficient due to potential additional requirements established by the national legislation of each individual country.

It appears the trend toward stricter banner requirements will continue, and attention will remain focused on them for some time. However, a proactive approach to the latest EDPB recommendations can help companies weather the scrutiny of any European supervisory authority with fewer losses. Therefore, we recommend that you consider all of the above recommendations when creating a cookie banner for your company.

P.S. Yes, we know that there are two mistakes in the illustration accompanying the article. We left these “Easter eggs” on purpose to test your attentiveness and, at the same time, to congratulate those who are inclined to criticize the banner without reading the material.
